Security Flaws May Be Pitfall for Microsoft
Competitors and federal regulators have failed to stop Microsoft Corp.’s march toward dominance of new areas of the computing world, but there is an increasing chance that one of the software giant’s own strategies could hinder its advance.
Microsoft’s decade-long focus on cramming new features into its products has come at the expense of protecting computers against viruses and hacking attacks, which are costing customers billions of dollars a year and becoming a top concern of companies and government officials.
In just the last month, a gaping hole was found in Microsoft’s newest operating system, Windows XP, that could allow hackers to take control of a PC through the Internet. The discovery brought a rare FBI warning to the general public. And a flaw in its Internet browser, if left unpatched, was found to expose data on a PC if the user clicked on a Web link in the wrong e-mail.
The latest disclosures follow a record year for security problems, according to statistics released Friday by the federally funded CERT Coordination Center at Carnegie Mellon University. The research clearinghouse said the total number of vulnerability reports it received more than doubled in 2001 to 2,437, after more than doubling in 2000.
Taken as a whole, the problems do more than fly in the face of Microsoft’s declaration that Windows XP is the safest operating system ever.
They are beginning to threaten the stability of a major piece of the world economy and to raise questions about Microsoft’s future. The company badly needs more customer confidence for its shift toward interactive services.
A surprising sign of how quickly opinion is changing came last week. A blue-ribbon panel of technology experts assembled by the National Academy of Sciences said lawmakers should consider ending Microsoft’s and other software companies’ special protection from product liability lawsuits, which have long forced makers of cars, medical devices and just about everything else to pay closer attention to the safety of their wares.
That kind of talk would have been heresy a year ago. But it now makes sense to people such as Rep. Rick Boucher (D-Va.), who co-chairs the Congressional Internet Caucus. “The producers of software should be responsible for any flaws that the software contains,” especially if the flaws lead to hacking, Boucher said after the National Academy of Sciences report. “There’s a very good possibility that Congress will examine the matter.”
Microsoft acknowledges that it needs to do a better job of making the systems it sells more secure. The Redmond, Wash.-based company has begun offering free virus-related support, intensified its checks for holes and convened an industry working group on how to create a world of “trusted computing.”
“We’re going to make our systems more resistant and more resilient,” said Microsoft’s director of security assurance, Steve Lipner. “We want to be unquestionably, unequivocally the best.”
*
Adding Features at the Expense of Security
Many security professionals say Microsoft finally is taking some appropriate steps. But they also say the company has yet to reverse a long history of adding features at the expense of security.
“All the things Microsoft has been saying about ‘this is better and that’s better’ have been blown out of the water,” said Marc Maiffret of eEye Digital Security in Aliso Viejo, which discovered the flaw in Windows XP.
That hole was severe enough that the FBI told the public to apply Microsoft’s patch or disable the program’s “Plug and Play” feature for automatically connecting PCs to other devices.
“Microsoft treats security problems as public relations problems,” said Bruce Schneier of Counterpane Internet Security in Cupertino, Calif. “They’ll fix a security problem insofar as it gets made public.”
To some experts, much of Microsoft’s philosophy about security was revealed in an essay last fall by Scott Culp, manager of Microsoft’s Security Response Center. The paper took aim at security researchers who publish too much detail about software vulnerabilities, or who publish before the software’s makers have had sufficient time to distribute a fix.
“An administrator doesn’t need to know how a vulnerability works in order to protect against it,” Culp wrote. And software companies might say less in the future about the counter-steps they take, he wrote: “If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice.”
The debate about how much detail about a problem should be published, and when, is an old one, but many in the field say publication is the best way to get results. Proponents contend that without much disclosure, serious hackers would know more than security workers. And they say Culp’s position is extreme, especially given the company’s track record.
“Some vendors have been very slow to respond to vulnerabilities,” said Larry Rogers of CERT. “Only after the notion of broaching public disclosure have they marshaled resources.”
Several of Microsoft’s changes follow last year’s record number of viruses, including Code Red and Nimda, which spread through Microsoft’s products and cost businesses an estimated $2 billion in damages.
From a marketing perspective, the pressure on Microsoft is going to keep growing. More powerful viruses are expected this year, and Microsoft’s biggest strategic gamble is on what it calls “.Net,” its initiative toward more interactive and automated services.
“They’re betting the entire company on software as services, and if you don’t trust Microsoft, you won’t use .Net,” said John Pescatore, a Gartner Group security expert who worked at the National Security Agency.
Finally, Microsoft is getting increased demands for security from business customers, where it is trying to gain ground against Sun Microsystems Inc. and others.
*
Democratization of the Hackers
Some companies already cite security reasons for choosing other vendors, and Gartner recommended that Code Red and Nimda victims “immediately investigate” alternatives such as Apache, free Web server software that has twice Microsoft’s market share.
Security concerns have been growing for years, as average PC users have become more at risk of penetration or infection, said Vincent Weafer, Symantec director of security response.
Some of the reasons for the increased risk have little to do with Microsoft. More people are on the Internet at higher speeds, more new services are available, and more patches that have been released haven’t been applied by customers. Many other companies produce programs with holes.
There also has been a “democratization of the hackers,” as Weafer put it, where information has been spread more widely about how to take advantage of weaknesses.
Microsoft is doing its best to keep the focus on the hacker part of the equation, often calling for increased penalties for wrongdoers.
But a growing number of experts believe a bigger issue is money.
Time and again, Microsoft has chosen to activate a new feature automatically rather than leave it dormant until a user turns it on.
That happened with Plug and Play in Windows XP, and it happened with Microsoft’s Outlook e-mail system, which allowed incoming e-mails to execute many types of programs, including malicious viruses that scoured Outlook’s address book for the names and locations of fresh victims.
It also happened with features of the Internet Information Server for Web traffic, which Microsoft included when it shipped its Windows 2000 software for running corporate networks. That server was the Typhoid Mary of both Code Red and Nimda, whose effects still are being felt.
Each decision to include the extra features was “a good business decision and a bad security decision,” said Gartner’s Pescatore. Customers have wanted products with the new features, he said.
*
Customers Can’t Sue Over Bad Software
Microsoft’s Lipner agreed that there are trade-offs between features customers want and security. He said the company has changed its approach.
New versions of Outlook block incoming mail from spreading through the address book, and the Information Server is now turned off within the network server software.
“If the question is, ‘is there tension between feature-rich, usable products and secure products?’ the answer is ‘absolutely,’” Lipner said. “We’re absolutely moving that line more toward security, and if we have to give up some functionality or ease of use, we’re paying that price.”
Thus far, if the rewards to Microsoft for shipping programs laden with features have been high, the risks of exposing its customers to attacks have been low.
That’s because courts generally have found that bad software isn’t a product that a customer can sue over. Instead, software has been held to be something that is “licensed,” with many rights given away after the buyer reads a long list of electronic disclaimers and clicks “I accept.”
Microsoft and other big software companies have been trying to get even more legal protections by having state legislatures pass versions of a bill called the Uniform Computer Information Transactions Act.
But the rash of devastating viruses and other Internet attacks has persuaded some experts that what Microsoft and other software makers need is more liability, not less.
“If there is actual software liability, I would assure you they would devote resources” to not messing up, said Schneier of Counterpane Internet Security.
No such laws appear to be in the works.
“I don’t know what seminal event it’s going to take,” said Rogers, of CERT. “Where’s the Ralph Nader of the computer industry, who writes ‘Unsafe at Any Network Speed’?”