“When it comes to security predictions for next year, basically everyone says it’s going to be worse than this year despite the increased spending on security and some progress made when it comes to security awareness. Let’s take a look at some interesting happenings that made the news during 2003 when it comes to Microsoft security and perhaps you’ll be able to judge for yourself what 2004 will bring.” Read the article at Net-Security.
nimda, code red, msblast, etc.
Here’s a quote from that article to chew on: “Looking back, it’s amazing we could even run systems on NT. It was total junk, even for its day.”
I just hope Microsoft keeps pouring their money into Marketing and eye candy instead of R&D for security. Nothing would please me more than an insecure Longhorn with 3D graphics and voice recognition. A toy like that would make a wonderful Christmas present for people you love to hate.
None of those exploits affected Windows Server 2003.
WS2003 has had a much better security record this year than any Linux distro.
“I just hope Microsoft keeps pouring their money into Marketing and eye candy instead of R&D for security. Nothing would please me more than an insecure Longhorn with 3D graphics and voice recognition. A toy like that would make a wonderful Christmas present for people you love to hate.”
Troll.
Well, it is hard to say which one contains the most exploits.
Do you count, like with SUSE, all of the packages or just the ones which are also included in Windows 2003?
And Steve Ballmer, who compares Win 2003 with RedHat 6, that is really absurd.
So let’s hope 2004 is a bug-free year for both operating systems, and use the best of two worlds.
nimda didn’t, but sobig.f and msblaster both attacked win 2k3.
Now, as per better security than any Linux distro? It would be tough to believe, as except for 2-3 ssh holes and one local-only exploit, no Linux box was cracked without having a system username and password (no OS is secure if those aren’t, anyway). Also, no Linux box was able to shut down the ENTIRE Internet due to default security features found in all their products, including Win2k3. Now, is Win2k3 better than any previous Microsoft OS? Yes. Better than Linux? That is a matter of opinion. There hasn’t been a worldwide disruptive worm for any POSIX OS (Unix, AIX, Tru64, Solaris, BSD (Linux not POSIX approved, but still works with it)) since 1988. Yep, that’s right, 15 years. Microsoft can’t go one year.
from the article, in reference to hobby/small time programmers:
‘All these groups of people live under the illusion that they are capable of writing almost bug free code of any size.’
I’ve worked on some pretty big projects and I agree that being bug free is hard. On the other hand, what gets me is that some of the security holes that have been found gave the attacker root access. I don’t understand why an OS would be designed to give root access when something goes wrong. I haven’t coded a kernel before, but I realize that root access is probably useful for debugging a kernel. Still, wouldn’t that feature be turned off when the kernel is released? This is a serious question, not sarcasm, thanks for your insights.
I just read an article on the upcoming SP2 (I think on PCWorld.com). It really struck me how MS tries to fix things by piling on more and more patches. Instead, they need to clean up their code and fix things at the root.
And then there’s the “eye candy” problem too. In an interview once, Bill Gates himself said something like “…a major Windows release will never be made to fix problems, only to add features. Fixes will always be handled through patches and updates.”
OK, the kernel just doesn’t give root access when something goes wrong. Many programs have to run as root/administrator
to use some hardware or do other things.
If you have functions in your code and run the program,
the function’s return address is put on the stack in the program’s memory. If you can then write outside a buffer, you might be able to launch a shell or start some other software, and since the program you did this on is running as another user, you can do all sorts of crazy stuff.
W2k3 does have some protection against buffer overflows:
they write a kind of checksum between the stack and the variable memory and check if someone is breaking it.
The thing is, you can write things to that checksum, so this will only make it a bit harder, since you can write back the correct values.
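The stack guard check described in the comment above, sketched as an added example (not code from the thread or from Microsoft): a constructed frame model in C, with made-up guard and return-address values, showing a linear overflow tripping the guard before the return address would be used, and a bounded copy rejecting the same input outright.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame (not a real compiler layout). */
struct frame {
    char     buf[16];   /* local buffer */
    uint32_t guard;     /* the "checksum" placed after the locals */
    uint32_t ret_addr;  /* saved return address */
};

#define GUARD_VALUE 0x00AFF0D5u /* constructed; real guards are random per process */
#define RET_VALUE   0x00401000u /* constructed return address */
enum outcome { FRAME_OK, INPUT_REJECTED, GUARD_TRIPPED };

/* Unchecked copy: writes len bytes from the start of buf and runs on
   into guard and ret_addr once len exceeds sizeof buf. */
static void copy_unchecked(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f; /* stay inside the model */
    memcpy((char *)f, src, len);
}

/* Bounded copy: the root fix, refuses input larger than the buffer. */
static int copy_checked(struct frame *f, const char *src, size_t len) {
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* Fill a frame, copy len bytes of 'A' into it, then run the check the
   function epilogue would do before using the return address. */
enum outcome simulate(size_t len, int bounded) {
    struct frame f = { {0}, GUARD_VALUE, RET_VALUE };
    char input[sizeof f];
    memset(input, 'A', sizeof input);
    if (bounded) {
        if (copy_checked(&f, input, len) != 0) return INPUT_REJECTED;
    } else {
        copy_unchecked(&f, input, len);
    }
    /* A real runtime aborts the process here instead of returning. */
    return f.guard == GUARD_VALUE ? FRAME_OK : GUARD_TRIPPED;
}

int main(void) {
    printf("18 bytes, unchecked: %d\n", simulate(18, 0));
    printf("24 bytes, bounded:   %d\n", simulate(24, 1));
    return 0;
}
```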
what OS can fall by the millions in a very short period of time from a One line script virus?
what OS has LOTs of software and third party shareware & freeware that requires Internet Explorer be installed too in order to run? (including Windows Update)
let me guess, …
Linux? = NO!
Windows? = YES!
there is something fishy about Microsoft Windows and I just do not trust the product or the company anymore…
I agree w/ this post, especially hearing something from Gates such as “…a major Windows release will never be made to fix problems, only to add features. Fixes will always be handled through patches and updates.” Be that a proper quote or not, it accurately demonstrates Microsoft’s and their head honchos’ completely flawed views on security.
I read an article linked on /. where Bill Gates demonstrates this again saying something like The User is to blame for MS security problems, for not running proper firewalls and such. If this bottom layer of software was secure all the remaining upper layers could be badly written insecure software, and that would be fine. Bill Gates’ dream of pumping out as many ‘features’, as quickly as possible, consequences are for people without monopolies to worry about.
The dangers of this, um, development model, well it just blows my mind.
Microsoft looks like the Dilbert Comic, with bureaucratic hilarity (stupidity?) overcoming common sense at every turn. I don’t just mean that Ballmer looks and acts and monkey-dances like the boss from Dilbert, I’m talking about fundamental organizational problems.
Why bother even posting Microsoft articles on OSNEWS anymore? I used to read this site daily. Now it seems to be nothing more than a Linux promoting, Microsoft bashing site.
Oh well the rest of the web is a click away.
Eugenia should just overlook MS stories altogether. The following of this site has left the realms of reality and has reached the height of absurdity.
Go ‘head and bash MS. With 95% + of the desktops and NO unified distribution to challenge it the future is VERY SECURE.
Oh, and Bruce Perens – love ‘ya. Divide so that MS can conquer. Very nice.
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-20 07:43 PST
Interesting ports on ——-
(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows .NET Enterprise Server (build 3604-3790)
Nmap run completed — 1 IP address (1 host up) scanned in 1.435 seconds
This might be useful to some
http://mrcorp.infosecwriters.com/os_scan/os2003/w2k3/default.html
Whether the critiquing becomes bashing doesn’t really matter when the fact is that Microsoft has problems dealing with security.
This past weekend I had to do a clean install of Windows 2000 Pro. Before installing, I used my Windows XP PC to download some software from grc.com to plug up certain security holes, went to sarc.com to get files to remove msblaster, nachia, welchia and other worms, retrieved a copy of Black Vipers Windows Services so I could disable services that were not needed, and then downloaded the current Zone Alarm and the current AVG antivirus.
I made sure the Windows 2000 Pro computer wasn’t online, installed Windows 2000, installed the security and antivirus programs, and shut off un-needed services. I then connected to the internet so I could download security patches and service packs for the operating system.
Ok, Windows 2000 may be old but you will have to do a similar thing for Windows XP.
So why are people bashing Microsoft? It is perfectly normal for the computer user to do this every time they have to do a clean install.
The computer user should and will have to know to gather all the software needed to keep their computer secure.
It is the user’s responsibility to secure Microsoft’s software. This fact is lost on those people who say that Microsoft has insecure software.
agree with scorched earth.
although windows systems are fundamentally insecure in the past, things are getting better since win2k3.
i run windows linux mac and other unixes as well, i have to say the more i delve into the more i realize unixes are no more secure than windows.
the most secure system is the one you know how to secure.
Windows Security
I’ve worked on some pretty big projects and I agree that being bug free is hard. On the other hand, what gets me is that some of the security holes that have been found gave the attacker root access. I don’t understand why an OS would be designed to give root access when something goes wrong. I haven’t coded a kernel before, but I realize that root access is probably useful for debugging a kernel. Still, wouldn’t that feature be turned off when the kernel is released? This is a serious question, not sarcasm, thanks for your insights.
Because the architecture of (most) unixes requires processes have root privileges to do many useful things. Thus, if one of these apps can be exploited, chances are high doing so allow an attacker access at the privilege level of the application – usually root.
There have been numerous kludges hacked onto unix over the years to minimise the potential impact of these attacks – chroot, jail, ssh’s PrivSep, but they’re all hacking around the basic flaw that under unix, a process running as UID 0 can do anything.
I just read an article on the upcoming SP2 (I think on PCWorld.com). It really struck me how MS tries to fix things by piling on more and more patches. Instead, they need to clean up their code and fix things at the root.
Patches fix problems. How do you know whether or not they’re doing it by “piling on” more code or “cleaning it up and fixing things at their root” ?
How is Microsoft’s patching methodology any different to anyone else’s ?
And then there’s the “eye candy” problem too. In an interview once, Bill Gates himself said something like “…a major Windows release will never be made to fix problems, only to add features. Fixes will always be handled through patches and updates.”
Huh ? Where’s the problem in that ? O_o
This is exactly what *should* happen. New versions of software should be used to roll out new features. Patches/updates/maintenance packs/service packs should be used to fix bugs (and *NOT* to roll out new features).
Crikey, Microsoft get enough grief now for supposedly “forcing upgrades” – and you want them to require a new product release to fix problems, not do it with free service packs ?
although windows systems are fundamentally insecure in the past, things are getting better since win2k3.
Please explain why you think versions of Windows before 2003 are “fundamentally insecure”.
I am a daily admin of MS boxes and boy this OS is just a pain in the ass and have become jaded about the OS I once loved.
MS is focusing on security!? What about an OS that after an installation of DNS or IIS or Exchange or a default SBS 2003 installation you do not receive erroneous errors in the event log and when you investigate you learn that MS is aware of this issue you MUST let it ride since this is EXPECTED! Come ON – what a POS!
If my check engine light was on I would ask to have the car checked out. If the mechanic fed me the same line as MS I would never consider buying another from the same manufacturer.
I have FC1 installed but still have 2 XP PCs which my wife loves Frontpage for our webpage. Linux has WAYS to go for average user and can say on OSX is the best viable alternative to most users today making a switch.
My .02 cents.
BTW Happy Holidays!
Most linux system operators are high skilled…
Windows? …..
It is not about OS.
It is about people who use that OS.
If your uncle and grandmother install linux..
What the hell are you talking about?
“nimda, code red, msblast, etc.” I was unaffected by these worms when they hit this past year, and I run Windows XP on various systems. Now, I am not a security genius or something like that, I simply use an internet router w/ NAT and a built in firewall. From what I have learned from my own experience, it is very easy for a home Windows user to keep their systems secure. I think that the ICF being turned on by default in XP will go a long way for security. I think what you really have to consider when looking at security is what type of user runs the computer. With Windows you get everything from hardened security experts to your 80 year old grandmom running it. Obviously these two people are going to know different amounts about how computers work and how to secure them. Now, with Unix and Linux it is a different story. You don’t see 80 year old grandmothers using it. Mostly computer geeks and scientists can be found using these systems. I think what Microsoft needs to do is think about the type of users that run their software and how to best protect them against the internet. The power users will be able to configure their systems the way they like it, while most normal users will just leave the defaults as they are.