Microsoft's most successful failure
Mark Burnett, 2005-06-06

Story continued from Page 1
The sadmind/IIS worm was amusing and it generated a bit of work for the security industry, but it was nothing compared to what happened that July.

I still remember that day quite well -- the Internet was slow, my IDS was going crazy, and I saw a lot of e-mails from Marc Maiffret appear on the various security mailing lists. Code Red he called it. And it seemed like everyone had it.

I remember later that night thinking that my job would never be the same -- for many of us, it was the 9/11 of Internet security. However, it still wasn't over and it only got worse from there. By the end of that year you could plug a Windows system into the Internet and be infected with a dozen worms before you even had a chance to download the latest updates. Nowadays, it takes less than five minutes.

There was a lot of blaming going around at that time. Some people blamed security researchers for making the vulnerabilities public. You could trace nearly every major worm back to a flaw found by some security researcher. If they would just keep things quiet, some argued, then we wouldn't have all those problems. But that argument was weak: some hackers already knew about these flaws and quietly exploited them, publicity or not.

People blamed Microsoft, but let's try a reality check: did administrators really need more than six months to install an update? Yeah, it was Microsoft programmers who wrote the buggy code, but were they any different than most programmers at that time? Were they not just a reflection of society's attitude about security? Besides, a large part of this code was written half a decade before, when security was an enhancement, not a user requirement. Administrators at the time were just lazy. Or lame.

The problem was that back then you couldn't just go to WindowsUpdate and see what hotfixes you needed to install. You had to go through the entire list of fixes one-by-one and make sense of it all. To make things worse, Microsoft had distributed enough buggy hotfixes by then to make administrators wary of installing anything too quickly. We have to admit that Microsoft's patching strategy was truly a mess at that time. Nothing was consistent and there seemed to be little communication anywhere.

Then something strange happened, something you rarely see in the corporate world. Microsoft stepped up to not only take responsibility, but to embrace their failure as their highest priority bug fix. They stopped trying so hard to look good and just admitted they had security problems that needed fixing. As Bill Gates put it in his famous trustworthy computing memo, "The challenge here is one that Microsoft is uniquely suited to solve."

Most people scoffed at this announcement. It sounded great in the memo, but you can't turn a big ship around that quickly. We really doubted that they had suddenly got it and that they would now change.

But Gates was right: Microsoft was uniquely suited to solve that problem. They threw a lot of resources at it and things started to slowly change. Microsoft developers started talking about security issues like they knew what they were saying. They had a much bigger presence at security conferences. IIS servers weren't so easy to break into anymore. Most amazing was that when Windows XP SP2 came out last year, we saw that security had become a priority over all other features.

Still, they had a lot of work ahead of them. It took a couple more major worms, Slammer and Blaster, to work out their emergency response plans. By the time Sasser came out, they'd brought their recovery time down to five days, compared to 38 days with Blaster. The battle-hardened MSRC was showing signs of triumph. It was by no means a victory, but they weren't getting their butts kicked anymore either.

Microsoft's problems didn't only end up benefiting Microsoft; we're all a bit smarter nowadays. My mother-in-law talks about firewalls. My neighbor can now use the word phishing in a sentence. And the other day I overheard my son explaining to his younger brother the evils of spyware.

It may take another decade and a few more product versions before Microsoft can finally claim victory over security issues, but they now have the infrastructure, the experience, and the momentum to make those changes.

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing the Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valuable Professional (MVP) for Internet Information Services.
Copyright 2010, SecurityFocus