An In-Depth Look Into Windows Security in 2003

When it comes to security predictions for next year, basically everyone says it is going to be worse than this year, despite the increased spending on security and some progress in security awareness. Let’s take a look at some of the events that made the news during 2003 when it comes to Microsoft security, and perhaps you will be able to judge for yourself what 2004 will bring.

The experts that voice their opinion for this article are Russ Cooper (Surgeon General of TruSecure Corporation/NTBugtraq Editor), Ed Skoudis (a security geek who is focused on computer attacks and defenses, author of “Counter Hack” and “Malware: Fighting Malicious Code”) and Arne Vidstrom (a security researcher and author of many security tools for Windows).

It’s January and things don’t look good

Just as we were getting used to writing 2003 instead of 2002 in our letters, along came the Slammer worm on January 25 and all hell broke loose: tens of thousands of SQL Server and MSDE hosts were infected worldwide within minutes.

This, however, was not entirely Microsoft’s fault: the worm exploited a buffer overflow in the SQL Server 2000 Resolution Service (UDP port 1434) for which a patch (MS02-039) had been available since July 2002, roughly six months before the worm was unleashed. This put the issue of negligent users in the spotlight, while others said the reason some servers weren’t patched was that administrators are worried about the side effects that come with a patch.

Russ Cooper said: “Firstly, SQL patches have been notoriously difficult to install, so I would argue that despite the availability of a patch, its lack of installation was not entirely the user’s fault. Further, MSDE (Microsoft SQL Desktop Engine) inclusion in 3rd party software had never been tracked by Microsoft. This resulted in many people being vulnerable to Slammer who never knew they needed a patch. The method the SQL group has used to handle the SQL vs. MSDE issue has been very poor, with KB articles typically only being found by searching for SQL rather than MSDE. Finally the SQL Server Resolution Service, the service targeted by Slammer, isn’t even mentioned in the SQL 7.0 documentation either as being present, installed, or enabled by default.”

Lessons learned according to Cooper: “What Slammer showed us more than anything was the need to embrace more basic controls, such as “Default Deny”. There’s little reason to expose the SSRS to the Internet without any restrictions. Some hosting providers have argued that their customers required access to the service and, therefore, they exposed it directly to the Internet. While this might seem reasonable, the additional cost of locking down such connection points to, at least, an identifiable IP address range surely couldn’t put them out of business compared to the risks they put the entire Internet at. Of course the same holds true for businesses, but there the problem was more of a problem with the “Default Installation”. We have long known that default installations are inherently insecure. Knowing what you’re installing, and installing only what you know, are crucial to achieving baseline security. The habit of simply accepting the defaults and no additional steps is yet another reason problems like this occur.”

“Another aspect of “Default Deny” is the enforcement of *Outbound* rules as well as inbound. Habit says that inbound is what we fear, yet outbound is left entirely untouched. Slammer demonstrated just how harshly such a policy can affect the Internet. There was no reason for those systems to initiate connections outbound on UDP 1434, even if we accept there was a need to allow the inbound connections from other infected hosts. Ergo, had such rules been in place, machines would have gotten infected but would not have propagated the worm.” Cooper added.
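The two policies Cooper contrasts, inbound-only filtering versus default deny in both directions, can be made concrete with a small first-match packet filter. This is an added example written for this article, not code from Cooper or from any firewall product; the customer address range (203.0.113.0/24), the Internet source address and the sample packets are constructed for illustration using reserved documentation ranges. UDP 1434 is the SQL Server Resolution Service port the worm targeted, as the text notes.

```python
"""First-match packet filter with a default-deny fallback.

Shows why an inbound-only rule set lets an infected host propagate,
while a rule set that also enforces outbound rules contains it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SSRS_PORT = 1434  # SQL Server Resolution Service, UDP


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected host
    proto: str      # "udp" or "tcp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    proto: str            # "udp", "tcp" or "any"
    src_net: str          # CIDR the source must fall in; "0.0.0.0/0" = any
    dport: Optional[int]  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
        )


def decide(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Policy 1: the 2003-era hosting-provider posture Cooper describes.
# SSRS is exposed to the whole Internet and nothing outbound is filtered.
OPEN_POLICY = [
    Rule("allow", "in", "udp", "0.0.0.0/0", SSRS_PORT),
    Rule("allow", "out", "any", "0.0.0.0/0", None),
]

# Policy 2: default deny in both directions.  Inbound SSRS is limited to an
# identifiable customer range (constructed: 203.0.113.0/24) and the host is
# never allowed to *initiate* UDP 1434 traffic, so it cannot spread the worm.
CUSTOMER_NET = "203.0.113.0/24"
HARDENED_POLICY = [
    Rule("allow", "in", "udp", CUSTOMER_NET, SSRS_PORT),
    Rule("deny", "out", "udp", "0.0.0.0/0", SSRS_PORT),
    Rule("allow", "out", "any", "0.0.0.0/0", None),
]

# Constructed sample traffic against a protected host at 192.0.2.10.
HOST = "192.0.2.10"
INTERNET_PROBE = Packet("in", "udp", "198.51.100.7", HOST, SSRS_PORT)   # worm from outside
CUSTOMER_QUERY = Packet("in", "udp", "203.0.113.25", HOST, SSRS_PORT)   # legitimate customer
WORM_SCAN = Packet("out", "udp", HOST, "198.51.100.200", SSRS_PORT)     # infected host scanning
WEB_OUT = Packet("out", "tcp", HOST, "198.51.100.80", 80)               # ordinary outbound


def summarize(policy) -> dict:
    """Answer the two questions that matter for Slammer: can an arbitrary
    Internet host reach SSRS, and can this host propagate if infected?"""
    return {
        "exposed_to_internet": decide(policy, INTERNET_PROBE) == "allow",
        "can_propagate": decide(policy, WORM_SCAN) == "allow",
    }


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, summarize(policy))
```

The hardened policy still accepts SSRS queries from the customer range, so a customer machine that is itself infected can infect the host, which is exactly the residual risk Cooper accepts; the outbound rule is what stops that host from becoming the next source.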

Why don’t we patch?

Earlier this year, Craig Fiebig, general manager of Microsoft’s security business unit told vnunet that “Providing reliable, easy-to-install patches is expensive and troublesome”. I asked Cooper what he thought on the subject and he said: “Of course patching remains a very complex, time-consuming, and difficult task. The tasks required to ensure continued operation through any upgrade or patch application are not likely to be employed by most. Testing, preferably in an environment not directly connected to your production network, with sufficient replicated servers to accurately gauge the results, is expensive and resource intensive. Couple that with frequent releases of newer patches replacing ones you just tested, and it gets a bit much for the average business. Consumers may be better able to blindly accept new updates, but companies certainly can not, and should not, rely entirely upon the presence of a patch as the determining factor as to whether to install it.”

Patching is an enormous issue according to Ed Skoudis. He notes that: “Unless we all deploy patches, our systems will continue to be massively vulnerable. I wholeheartedly expect to see several major new vulnerabilities discovered in 2004, with the subsequent (or even prior!) release of worms to exploit them. Therefore, we’ve got to press the vendors to release _good_ patches quickly, and we must deploy them.”

“Happily, applying patches to end user desktop/laptop systems now is easier than ever, with new patch distribution sites available from Microsoft, Debian, and a variety of other vendors. Once a user realizes how painless it is to patch their desktop/laptop system once, I am hopeful that they will return frequently and keep their systems up to date. I do expect end-user awareness of this issue to increase in 2004.” he added.

Windows XP home users mostly install the large number of security patches aimed at them without much thought; administrators are a different story, since they have much more to account for. Skoudis said: “Sysadmins continue to be skeptical and worried about the implications of the latest patches. A wholesome, useful patch may have unintended consequences, disabling important applications. Such concerns have and will continue to slow down patch deployment on the server. I was actually happy to see Microsoft’s announcement regarding regular monthly patch release days. This will help us all schedule patch testing and deployment into our work processes, smoothing the process. In short, 2004 is going to be rough, but I expect to see some level of improvement on the patching issue.”

It’s all about trust

One of the widest security discussions this year was certainly focused around the Microsoft Trustworthy Computing initiative. Some were praising it while others like Russ Cooper weren’t that happy about it and back in February he said that, in his opinion, the initiative was failing.

Ten months later I was curious to hear what Cooper thought on the subject. He said: “At this point I will give Microsoft a “D” for 2003’s efforts. The “Protect Your PC” effort is a very good start at outreach to the consumer community. I feel there are more and better things they should do, such as free upgrades for everyone with a licensed copy of a Windows OS to Windows XP, availability of a Windows Update CD at convenient locations such as Wal-Mart, and modifications to how the OS is configured by default.”

Does anyone notice Microsoft’s efforts?

Despite constant negative reports on Microsoft security, in March the SANS Institute gave Microsoft an award for its security efforts. Many people truly believe that Microsoft is trying to improve, while others say it is all just marketing. Microsoft does seem to be trying, for example by setting up secure coding courses at several universities worldwide. The question is: are things getting better?

Skoudis said: “Steering the giant ship that is Microsoft toward more security is an arduous task. I did a back-of-the-envelope calculation a while back, and determined that Microsoft is currently supporting more than a billion lines of code across its entire product line. That’s an ocean of potential problems, and it’s understandable and unfortunate that it’s going to take some time to secure it all. Now, don’t get me wrong. I’m not a Microsoft apologist. I slam them when they deserve it. That said, we have to admit and understand the magnitude of their challenge.”

“Based on my reckoning, only over the last two years has Microsoft taken security seriously. But they are trying hard now, and have considerable resources to make Good Things happen (Of course, as I typed that line, Microsoft Outlook totally flaked out, freezing inexplicably. What a piece of crap Outlook is… but I digress). By throwing some money around, they can seriously help improve security. In 2004, I expect to see patching get somewhat better (see my previous answer). I also expect to see a high-profile payment of Microsoft cash to someone who turns in a worm writer. That might put a bit of a chill on the current “write-a-worm-and-suffer-no-ill-effects” environment we face now.” he added.

Arne Vidstrom said: “There are many vulnerabilities in Microsoft software, and some people think that the only reason is that Microsoft completely sucks. Most, but not all, persons I have met who have held this black or white view are not programmers themselves. Some have never written a single line of code in their whole life. Some have written some code but only very small quantities for example in school or as a hobby. Others are professional programmers but not used to writing large pieces of software. Still others are programmers who have never had their software exposed to thorough testing. All these groups of people live under the illusion that they are capable of writing almost bug free code of any size. Of course there might be some very bright people out there who really are capable of writing large amounts of almost bug free code, but they are only a very small fraction of all programmers. In fact, my personal experience is that the code produced by the average programmer is a lot buggier than the code that comes out from Redmond.”

“After writing all this in the defense of Microsoft I have to admit that they could do much better than they have done so far. But even if they do their very best we will probably still see many vulnerabilities in software as complex as much modern software is. If I were to give advice to Microsoft, it would be to consider which attack vectors are the most important to protect against and strengthen the corresponding parts of the code the hardest. Also I would advise them to do away with as much of the complexity as they possibly can in these parts, and to make default configurations as strict as possible. I think that the security experts at Microsoft have already been completely aware of these things for a long time. But as many persons who have worked at a large corporation and with complex systems know, it’s not as easy to fix things in a complex environment as it is in a smaller environment where one person understands and has complete influence over all parts.” Vidstrom added.

A brand new OS

In April, Microsoft released Windows Server 2003, and it was natural to expect bug reports from the security community; they came soon after the launch. Given how much had been said about enhanced security, it is no wonder a security guide was released right after the new operating system. What I wanted to find out was how secure Windows Server 2003 really is and whether Microsoft learned some valuable lessons from the past. They claim to have learned a lot from the community.

Skoudis said: “Windows 2003 is yet another baby step in the right direction. They advertise it as the most secure version of Windows ever, which really isn’t all that heartening given how sloppy NT and 2000 were. Looking back, it’s amazing we could even run systems on NT. It was total junk, even for its day. 2000 was a bit better, once we got to SP2. XP was another step forward. That’s what Microsoft is famous for…. slap some junk together, get to market quickly, and then refine refine refine. Eventually, you’ll get a decent product, and make some seriously good money in the process. With Windows 2003, we seem to be entering that phase of the life cycle where the product is actually decent. Security looks better, but it’s still too early to tell.”

“One element that really cheeses me off about Windows 2003 is that it still lacks some crucial elements needed to soundly administer the operating system, like detailed information about all running processes. Why doesn’t Microsoft build in the components of the Windows NT and Windows 2000 Resource Kit into the operating system? These tools are immensely useful in administering a system, and Microsoft has written them and gives them away for free at their website. Yet, they don’t bundle these tools in by default, nor do they support these crucial system administration tools. What’s the deal with that? I need these tools, and am happy to install them at no additional charge from Microsoft. But, for goodness sakes, they should really be built in. And why not include them in a future SP for Windows 2000?” he added.

Is Microsoft really that bad?

In 2003 Microsoft drew a lot of criticism for its lack of security: some launched denial-of-service attacks against its sites, and some even said that security problems could destroy the company. Many refer to Microsoft as Big Brother, no wonder since it has its eyes everywhere. It all comes down to deciding whether everything you read in the news is true.

Vidstrom had a lot to say on the subject: “I often hear criticism against Microsoft, some well founded and other not so well founded. There is no doubt that the number of vulnerabilities in their software is too large to be satisfactory. Then again, there are many things in the world that are not satisfactory. For example it’s not satisfactory that my clothes get wet in the rain, but I don’t try to stop the rain from falling – instead I use an umbrella. It’s not that I think it’s completely impossible to stop the rain from falling, there may be some expensive sophisticated way – it’s just that I know that in practice I won’t be able to do it. In my opinion some security phenomena are best considered like rain, like a natural phenomenon. Examples of this might be script kiddies and the relatively large number of vulnerabilities in software in general. Accepting that some bad things exist is not the same thing as being happy with their existence and not doing everything practically possible to get rid of them though. But accepting and taking a new approach is sometimes much better than stubbornly fighting a battle one can never win. The problem with vulnerabilities in software is not their pure existence, but when they can be exploited practically to do damage. So a better general approach for solving the problem might be to 1) learn how to minimize the exploitability of vulnerabilities and 2) learn not to let assets depend on architectures that are not sufficiently resistant to attack compared to the value of the assets.”

The person who suffered the most severe consequences for criticizing the Redmond giant was certainly Daniel E. Geer Jr., who lost his position as CTO of @stake Inc. of Cambridge, Mass. He apparently lost his job after co-authoring a study (“CyberInsecurity: The Cost of Monopoly”) critical of the insecurity of Microsoft software and of the risks of a software monoculture.

Regarding this situation Vidstrom said: “Concerning Daniel E. Geer Jr. who was allegedly fired because he helped write a Microsoft critical study, I think that the study report is extremely biased against Microsoft and full of very unprofessional conclusions. Actually I’m surprised that some of the authors, who are so well known in the field of security, want their names associated with such an unprofessional report. It’s not a matter of different opinions, but a matter of making logically false and unsubstantiated conclusions that are disguised as good ones. Considering this and the fact that he appeared in the author listing as CTO of @stake, I understand if he was fired because of it. I think someone in the position of CTO should be especially careful when expressing opinions that diverge from the official company opinions and make sure that everybody understands that the opinions are not official company ones.”

“Finally I would like to voluntarily and spontaneously say that I have never received any negative feedback from Microsoft at all for any of the things I have published. In fact, I have received lots of encouragement from Microsoft people. Perhaps it’s because I try my very best to have a balanced objective view of things, or I’ve just been lucky. I don’t know for sure but my personal bet is on the first reason. I have however received some very negative feedback about my research from a few other companies, which I don’t want to name here for various reasons. Some of this feedback has not been very nice, so I don’t doubt for a second that it can happen that security researchers get repercussions for their publications.” he added.

What does the future hold?

We all want to hear that next year things are going to be better, and that is what Microsoft promises. It recently released a beta of Service Pack 2 for Windows XP, and the final version should be ready in the first half of 2004.

When discussing the future, Cooper said: “I am aware that in 2004 we can expect a Windows Update CD, although I don’t know how it will be distributed. Also, Windows XP SP2 looks very promising at delivering many of the desired enhancements to security, such as stricter security control over content, ICF enabled by default, and many other features. With these delivered I can expect to upgrade my grading of their performance again for 2004.”

“However, there is still, IMO, a lack of emphasis on Public Service Announcements. MSN continues to tout its enhanced security features in commercials, but Microsoft still targets business productivity rather than security in its own commercials. Trustworthiness only improves if you reach the people who don’t trust you with a message of increased trust. “Protect your PC” just doesn’t do that sufficiently alone.” Cooper added.

I believe that the people at Microsoft should concentrate on making their software more secure rather than on doing everything they can to make people believe that closed source is more secure than open source. If they really invested the money in concrete security changes, the open source community could be in trouble. Nobody seems to be thinking about this, because few have much faith in Microsoft getting serious about security. I just hope that in the next few weeks we won’t see another disaster like the Slammer worm.

Microsoft Windows and all related registered trademarks are copyright by Microsoft Corp. No claim of ownership of these and related trademarks and copyrights whatsoever is made by Help Net Security.