
Re: None

Friday, 08/29/2003 10:56:07 AM

Post# of 249233
Microsoft's vulnerable, hackers say (no kiddin')
Company adding new security precautions to combat worms
By Bob Keefe

WEST COAST BUREAU

Thursday, August 28, 2003

By many measures, the core of the problem behind computer security flaws and big Internet attacks such as the ones in recent weeks comes down to one company: Microsoft Corp.

Microsoft's Windows operating systems run about 95 percent of computers in the world. Along with Microsoft's ubiquity, its software is a favorite target of hackers who say it is riddled with security holes and therefore easier to exploit than other operating systems.

And hackers do exploit it -- with vigor.

Almost every major Internet attack -- including last week's Blaster and SoBig worms and a nasty mix of derivatives that shut down rail lines, delayed airline flights and caused headaches for almost everybody on the Internet -- has been designed specifically to exploit flaws in Microsoft software.

The hackers behind Blaster even took a personal poke at Microsoft Chairman Bill Gates.

"Billy gates why do you make this possible?" hackers wrote deep in the code of the worm that snarled the Internet and is still clogging e-mail in-boxes worldwide. "Stop making money and fix your software!!"

So why doesn't Microsoft make its software more secure?

They're trying, company officials say. But they also argue that like any other company, there's only so much Microsoft can do to prevent a crime if a criminal truly wants to commit it.

"We're trying to do everything we can to protect consumers," said Steve Lipner, Microsoft's director of security assurance. "But these attacks are a criminal act, and I can't identify with the sort of person who does something like that."

Nonetheless, Microsoft is now contemplating significant changes, including making patches and Internet firewalls more automatic and adding anti-virus software directly to its next major operating system release.

"Clearly there's room for improvement . . . or we wouldn't be looking at changing," Lipner acknowledged.

System not working


Like nothing else, Blaster showed that Microsoft's current software patch system does not work very well.

Microsoft and even the Department of Homeland Security warned computer users for weeks to download a patch to prevent the Blaster worm. Yet at least several hundred thousand computer users did not -- opening up not only their systems but everyone connected to them through the Internet to Blaster.

Microsoft tried to make its "auto-update" patch downloads program and its Internet firewall setting more automatic in Windows XP.

But since that apparently didn't work as well as had been thought, Lipner said Microsoft is considering making them "default" settings in its next Windows version, now scheduled for release in 2005. The company also is considering embedding virus-protection software in its operating systems. Microsoft recently bought an anti-virus company to explore the idea.

Outside security experts say those steps won't eliminate Internet attacks, but they will help dramatically reduce them by doing some of the work for complacent consumers.

"Microsoft has already tried to make things easier for the end-user . . . but over time, it's really apparent that some steps are still a little too much to put on the end-user," said Craig Seamugar, virus research engineer with Network Associates Technology Inc., which owns the McAfee line of anti-virus software.

Lots of patches


Part of the reason consumers and corporate network administrators have become complacent about installing patches is that they have become so frequent.

Last year, the company issued about 70 patches. So far this year, it has issued more than 30.

Installing a patch can cost a large company or government agency hundreds of thousands of dollars.

At the Texas Parks and Wildlife Department, for example, four employees were tied up for several days chasing the Welchia worm out of some infected servers, said David Archer, director of technology for the agency.

Patching also is costly for Microsoft. An internal estimate last year pegged the cost of each patch at about $100,000 for technicians' time and other expenses.

"Patches aren't working because the strategy is a poor one," said Fred Cohen, a computer security consultant and teacher widely known as the inventor of the first computer virus. "The alternative is to engineer systems well."

Cohen suggested that Microsoft could eliminate many potential openings for hackers by reducing some features, such as certain "macros" in its Word program or some of the automation in its Outlook e-mail program.

But in addition to being features that users rely on, they're also key to Microsoft's overall software strategy and future programs.

Scouring for bugs


Last year, under Gates' directive, the company launched a "Trustworthy Computing" initiative designed to put security at the forefront of everything the company does. Among other things, 9,000 developers were taken off ongoing projects and directed to scour existing software for bugs, vulnerabilities and other problems and come up with new ways to beat hackers.

Lipner said some of the successes are starting to show. The number of patches Microsoft has issued for its Windows 2003 server software is about half the number it issued for its Windows 2000 server software.

That said, Microsoft officials and computer security experts worldwide know that hackers always find a new way to break into software.

"It's essentially an arms race," said Dorion Carroll, director of engineering at Postini Inc., an e-mail virus scanning company.

And at least for now, it seems the hackers are winning.
