Re: [Full-Disclosure] Microsoft Outlines Security Plan (Balmer Blows Hard)

2003-10-11 Thread Bruno Wolff III
On Fri, Oct 10, 2003 at 13:48:01 -0700,
  Jeremiah Cornelius [EMAIL PROTECTED] wrote:
>
> "Computer security is without question the number one priority for the
> company," Mike Nash, vice president of Microsoft's security business unit,
> said in a phone interview after Ballmer's speech. He added that employees
> from across the company had been pulled to work on security efforts.

Making money is their number one priority. Security is only important in
how it helps them make money.

I asked one of their security people at a security conference if they
had any plans to make software like Outlook, Word and Excel safer for
end users to use by removing dangerous features (in particular ones that
made the difference between code and data hard for end users to determine)
and was told that they won't be doing that because end users like features
and features sell new copies of the software.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Microsoft Outlines Security Plan (Balmer Blows Hard)

2003-10-10 Thread Jeremiah Cornelius
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Microsoft Outlines Security Plan
Fri Oct 10, 1:00 AM ET

washingtonpost.com
By Mike Musgrove 

^^
 "I wish those people just would be quiet," he said of computer
  researchers who publish vulnerabilities in Microsoft's products.
^^

Microsoft chief executive Steven A. Ballmer said yesterday that there is 
much, much, much left to do to protect computer users from viruses, worms 
and other malicious software. 

He outlined new steps the company plans to take to address this problem -- 
while acknowledging that these changes can't solve it. 

"There is no silver bullet," Ballmer said in a speech at the company's 
Worldwide Partner Conference in New Orleans. "Even if all the vulnerabilities 
were fixed tomorrow morning in all of the products, there's still 600 million 
computers . . . that wouldn't have all of these vulnerabilities patched."

Recent devastating software worms and viruses have earned Microsoft intense 
criticism, as well as a class-action lawsuit filed in Los Angeles Superior 
Court last week that accuses the company of not doing enough to guard the 
personal information of Windows users.

Ballmer described several changes to Microsoft's security strategy. He said 
the Redmond, Wash., company will issue security updates on a monthly 
schedule, except in emergency situations, to make it easier for users to 
keep their personal computers up to date. It will ship Windows with security 
precautions activated that are now left off -- for instance, a firewall 
program that stops Internet worms such as Blaster. He also said the company 
will release security-focused updates to Microsoft Windows XP and Windows 
Server 2003 in the first half of next year. 

"Computer security is without question the number one priority for the 
company," Mike Nash, vice president of Microsoft's security business unit, 
said in a phone interview after Ballmer's speech. He added that employees 
from across the company had been pulled to work on security efforts. 

Ballmer said that, since most virus and worm attacks come only after 
vulnerabilities have been disclosed by the company or by security 
researchers, Microsoft is working with computer-security firms to make sure 
that they do not announce vulnerabilities before Microsoft has designed a 
fix.

"I wish those people just would be quiet," he said of computer researchers who 
publish vulnerabilities in Microsoft's products. "It would be best for the 
world. That's not going to happen, so we have to work in the right fashion 
with these security researchers."

But no matter how fast Microsoft pushes out patches, users still have to 
install them -- something Microsoft is trying to address with a new 
educational campaign that Ballmer also announced yesterday. 

"I think people are taking computer security a bit more seriously; some of our 
clients are still cleaning up from the Blaster virus," said Josh Pennell, 
chief executive and founder of computer security firm IOActive Inc. "Computer 
security is almost like car insurance. Nobody wants it until their car gets 
totaled."

Jeff Jones, senior director of trustworthy computing at Microsoft, said 
earlier this week that his company had seen an increase in the numbers of 
users downloading security patches after an outbreak of viruses that began in 
August. 

"I hesitate to speculate on whether there is long-term learning going on 
there," he added.

Ken Dunham, director of malicious code at iDefense Inc., a computer security 
firm based in Reston, said Microsoft's plan to release only monthly updates 
may give hackers extended time to exploit a vulnerability before a patch is 
released.

Other security professionals noted the lack of specifics in Ballmer's speech.

"There wasn't any detail to what kind of tools they will provide," said 
Richard Ku, product manager at Trend Micro Inc., a developer of anti-virus 
software. 

"Announcements never secured anything," said Bruce Schneier, founder and chief 
technology officer of Counterpane Internet Security Inc. "The fact that some 
guy gets on stage and says a bunch of words does not make your computer 
secure."

Michael Frodyma, president of BooNet Inc., an Internet service provider based 
in Bethesda, said he worries about the unintended consequence of Microsoft's 
security patches. Some have disabled the computers of his customers -- who 
have then blamed his firm for the problem. 

"One is frightened of what's around the next corner with Microsoft," he said. 
"You wake up the next day and suddenly something isn't working."

- -- 
Jeremiah Cornelius, CISSP, CCNA, MCSE+I
farm9 Information Security
email: [EMAIL PROTECTED]
Phone: 510.835.3276
mobile: 415.235.7689

Be cheerful while you are alive
- --Phathotep, 24th Century B.C.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)