SecurityFocus, 2002-01-24
A guide to judging Microsoft's security progress.
Results, Not Resolutions
2002-01-24
David Litchfield (2 replies)
Well, to conclude: Use Java, M$
2002-01-25
Anonymous (1 replies)

Neither LoveLetter nor Melissa exploited bugs in Outlook. They were attachment viruses, which could have been made as .exe or .bat files. The only way these viruses relate to Outlook is the fact that Outlook's address book is available through MAPI calls from VBScript. Isn't it also available through the platform API, i.e. from a C-coded program that was compiled to an .exe? The viruses could have read the address book from the hard drive anyway. Nothing wrong here by Microsoft.
On the comments about Java: Java applets are not a security risk. I believe the Symantec virus lab guys found a Java virus, and no matter how hard they tried, they couldn't get it to work. Can someone brief me on JavaScript holes then? Anything else except annoying pop-ups or the like? And no, mobile code isn't that dangerous.
And yes, with XML, SOAP and all the .NET/ONE-environment protocols, stuff is going to run over HTTP and be coded as XML. We are going to need application level proxies anyway, so I see no harm in SOAP running over port 80. You cannot secure XML transactions without an XML proxy/parser in between. Well yes, I guess you could just forget about XML, SOAP, IIOP, Corba, etc., but I see that's more up to the software developers. Don't buy XML-software if you don't want to.
"In unix, for example, a web server and an FTP server are separate". Ah yes, THE unix operating system. Wait - which one? Oh, and which ftp and web server? And no, IIS installs only the components you want it to, and IIS doesn't install by default on any Windows 2000/2002 installation (including Server or Advanced Server). If you only select the IIS software group, you get the web server, ftp server, mail server and everything else, but that's just the admin being stupid. In the install phase, you can very well install only certain parts of IIS.
On automatic installs: I believe Microsoft's automatic install schemes all use digitally signed XML pages and update packages. Besides, they all come from fricking microsoft.com; DNS poisoning and redirecting happen pretty rarely in the real world. Yes, it sometimes happens, but marginally. That's being a security control freak.
On centralized databases: heh, Microsoft is only an authentication provider. If service providers wish to open their services to these "insecure user databases", it's their call isn't it?
On services running as admin: eh, which services run as the Administrator account that could run as normal users? IIS and pretty much all network components that can run as normal users do so, and have done for a long time. I'd like some specificity here.
"All other Microsoft features should be evaluated for resilience. Those that are too risky should be removed until they can be rewritten and secured." Again, get specific. This is getting so overkill, fascistic security which no one cares about.
"Microsoft needs to publish specifications for protocols in advance and encourage public comment" Lately, Microsoft has been embracing open technologies such as TLS, EAP, IPSec, SOAP, XML, Kerberos, LDAP. Agreed, there are modifications to make them non-interoperable with competitors' products, but no modifications which would hamper security.
"We also recommend that Microsoft publish any new protocols or interfaces at least one year before implementing them in products" This is too overkill. People start hating security when it gets in their face. Companies start hating security when it hampers their business. I myself am a CISSP, and the one rule from the code of ethics I hold so close to my heart in these days of hype and alarm is the one that tells us to discourage "Raising unnecessary alarm, fear, uncertainty, or doubt".
"Making security Microsoft's first priority will require a basic redesign of the way the company produces and markets software" No, it won't. Microsoft is talking about usable, feature-rich products, which are dominating the desktops because they give the people what people want. They are talking about security alongside that frame. They aren't talking about fascist security.