I would like to submit, for the approval of the group, a document I originally wrote for internal use. I think it may need to be revised so that we in no way look as though we're spreading FUD about Microsoft. But this is something like what I had thought about. Feel free to trash and red ink anything I've said. :-)
Title: Reviewing The Record: How Microsoft's Attitude Puts You At Risk
D. Clyde Williamson
This document comes on the heels of the most recent exploit to grace Microsoft's record in recent times. On Monday, August 30, I walked into my cubicle to review my usual sources of new security issues. Topping the list in almost every resource was the headline ``Hotmail Cracked''[1] or something similar. What was the crack? How did it work? Why did it prompt me to write this paper?
The crack was simple. By changing USERNAME in the application's url anyone's email could be accessed without a password. It should be noted that Hotmail is a free service and users should not expect high levels of privacy or security. However, the concern raised here is not based on the security of a service, but the response of the service provider.
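The flaw described above is a missing authorization check: the server took the account name from the URL instead of from the authenticated session. The following added example (not code from the original post, and nothing to do with Hotmail's real implementation) models the vulnerable handler beside a hardened one, and shows the detection rule a defender would want: flag any request whose URL account differs from the session owner. Session tokens, mailboxes, the `username` parameter and the log format are all constructed for the example.

```python
from typing import List, Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample data: server-side sessions and mailboxes (hypothetical).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
MAILBOXES = {"alice": ["statement from bank"], "bob": ["meeting notes"]}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def url_username(url: str) -> str:
    """Return the 'username' query parameter, or '' if absent."""
    return parse_qs(urlparse(url).query).get("username", [""])[0]


def vulnerable_inbox(url: str, session_token: Optional[str]) -> List[str]:
    """Vulnerable pattern: the account is taken from the URL alone, so a
    session is never consulted and anyone can change the username."""
    return MAILBOXES.get(url_username(url), [])


def hardened_inbox(url: str, session_token: Optional[str]) -> List[str]:
    """Hardened pattern: identity comes from the server-side session; the
    URL parameter is only checked for consistency with that identity."""
    owner = SESSIONS.get(session_token or "")
    if owner is None:
        raise Unauthenticated("no valid session")
    requested = url_username(url) or owner
    if requested != owner:
        raise Forbidden(f"session user {owner!r} requested {requested!r}")
    return MAILBOXES[owner]


def flag_mismatches(log_lines: List[str]) -> List[str]:
    """Detection over constructed access-log lines 'token=<t> url=<u>':
    return lines where the URL username differs from the session owner,
    or where no valid session exists at all."""
    flagged = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split(" "))
        owner = SESSIONS.get(fields.get("token", ""))
        if owner is None or url_username(fields["url"]) != owner:
            flagged.append(line)
    return flagged
```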
The crack was found sometime before Sunday morning according to the Swedish newspaper that broke the story. Microsoft says that it was notified Monday morning. Perhaps Microsoft found out about it the same time that I did. Once I read the information about the attack (10 minutes), I created a few test accounts (15 minutes). I then began playing with the security flaw between these accounts (30 minutes). I discussed it with other individuals and we all played with the accounts. About two hours later, the crack no longer worked. That means that for three hours I could have accessed anyone's email account. If Microsoft didn't find out about it until I did, that means that they allowed this breach of security to exist for three hours before doing anything. For those three hours they completely ignored the privacy and security of their users. A responsible company would have immediately stopped the Hotmail service until the bug was identified. Fixing bugs is not always a simple task. We won't fault Microsoft for taking time to fix the issue. However, the long delay in alerting customers is certainly a problem.
Interestingly, Microsoft fixed the issue, then made a statement alerting their users to the hole. After Microsoft made the announcement, security experts pointed out that the attack still worked. Microsoft had only fixed one server. The issue wasn't fully resolved until early afternoon Pacific Time. Again, it's not the fact that it took time to fix the bug. The issue revolves around their lack of honesty and promptness in alerting users.
According to CNET news.com, a Microsoft spokesperson said that the crackers accessed the site through specific knowledge of advanced Web development languages. This is not true at all. A URL is quite easily manipulated by anyone who can use a web browser. Finally, Deanna Sanford, MSN lead product marketing manager, plays the victim by laying the blame on the cracker group that found the exploit: ``It was a hacker group or group of hackers that took advantage of that and exposed that''. Instead of simply accepting blame for the bug, Microsoft quickly tries to shift the focus.
Now we come to the post-mortem, Microsoft's official response to the entire situation. As printed on their website:
Dear Valued Customer,
Here they call the user a valued customer. So free or not, Microsoft apparently believes Hotmail users to be valued customers. Those customers should get the same attention that paying customers receive.
You may be aware from published reports that today MSN Hotmail experienced service issues that have generated questions about security. We can tell you that the issue has been resolved and MSN Hotmail is currently operating normally.
``...service issues that have generated questions about security.'' It did not raise questions about security; there was no question, the site was vulnerable. Users should have been told to assume that any communication in their mail folders was potentially compromised.
This letter is intended to address your concerns and provide you with the latest information concerning this issue.
Microsoft was notified early Monday morning (August 30, 1999) of a potential security vulnerability that could enable unauthorized access to Hotmail servers.
This was not a potential vulnerability. It was a vulnerability. People were actively accessing accounts without proper authentication. This fact should have been clearly stated.
Microsoft immediately began to investigate the issue and in the interest of user privacy and security made the decision to temporarily take Hotmail servers offline. In light of the inconvenience that such an action can cause users, this is not something that we take lightly but felt that, given Microsoft's commitment to protecting people's private data and information, it was an appropriate course of action.
One must wonder when the service was taken offline, since as I said, I personally played with it for three hours.
Since then, Microsoft engineers have worked quickly to pinpoint the issue and to resolve it and have restored the Hotmail servers so that users can continue enjoying the benefits of Hotmail with full privacy and security. Please note that no action on your part is necessary to take advantage of the updated Hotmail.
Note here the promise of ``security'' and ``privacy''. Free or not, a company needs to deliver on promises. Again, see how the entire episode is underplayed as one can now ``take advantage of the `updated' Hotmail'' as if their security fix was simply a new feature.
We apologize for the inconvenience this issue may have caused. We are gratified that you have made Hotmail the world's most popular free e-mail provider, and are committed to further improving the award-winning service in the months ahead.
Finally, the entire episode is summed up as an inconvenience. Nowhere does the statement discuss the gravity of the issue.
Of course, at this point in the document, I imagine some readers are shaking their heads and muttering something about me being simply a bitter ``anti-Microsoft'' person, taking advantage of an embarrassing situation to bash Microsoft. If you're one of those readers, please, don't stop reading now. We are about to embark on a trip down memory lane. Let's review the record of Microsoft and Security.
Users of Internet Explorer 5 found out that they were at risk on August 25, 1999. An ActiveX control, enabled by default, allowed the execution of arbitrary code on the user's system from either viewing a web page or receiving mail in Outlook.[2] As of the writing of this document there is no mention of this issue in Microsoft's security bulletins. It's been a week.[3]
On Friday, July 30 a major issue in Office 97 allowed malicious database queries to the ``Jet Database engine''[4] to hijack the computer and give unauthorized access. Microsoft acknowledged the bug and stated that the vulnerability existed in Jet 3.5.1, which shipped with Office 97. Within the same paragraph it noted that users of Office 2000 were not at risk.[5]
On Friday, August 20 Microsoft released the patch for the Office 97 bug, and casually mentioned that it also affected Office 2000 after all.[6] Not only did it take them almost a month to officially post the fix, but when they posted it they quietly admitted that their earlier statement regarding the security of Office 2000 was untrue.
Remember, if you didn't follow the online articles about security, you didn't know about this issue in a timely fashion, by anyone's definition. Is it acceptable to be warned of security holes in a piece of software, not by the company you purchased it from, but by ZDNet or the New York Times?
Do you recall hearing about Back Orifice? What about Back Orifice 2000? These programs allowed a person to take control of your system. Microsoft has continually played down the capabilities of these tools, and redirected any discussion to the tool creators.[7]
WinNuke and Teardrop, both denial-of-service attacks, were also handled poorly. Instead of properly fixing the holes in their TCP/IP stack, Microsoft simply closed the port that the attackers were using!
Finally, let's look at the vulnerability found by the security group eEye. The security firm was testing some software and stumbled across a major hole in Microsoft's web server, IIS. This flaw gave anyone with programming skills (or access to someone with those skills) the ability to gain complete control over a web server.
eEye alerted Microsoft on June 8th. Instead of warning users, Microsoft kept quiet, even refusing to respond to eEye's email, so eEye went public with the find. The following day CERT[8] released an advisory. Microsoft still did not publicly acknowledge the issue, or alert anyone.
When Microsoft finally began talking, it wasn't about the breach of security. It was about how upset they were that eEye had published the vulnerability! Again, pushing the blame, changing the focus, and not dealing with the security issues that their clients so desperately needed answers for. Eventually, eEye figured out the way around the bug and posted it. Microsoft was silent.[9]
These are not all, or even most of the recent security issues that have plagued Microsoft. But remember, as I said at the outset, it isn't just the fact that there are bugs. It's the lack of concern and dedication that Microsoft appears to have toward security.
Think about the everyday home user of Microsoft products. Do you think that they follow the online trade magazines on a daily basis? Probably not. Besides, as with all other products, most of them expect that any ``warnings'' or ``advisories'' would come from the company. Reading any of Microsoft's alerts on the security issues above, one would be inclined to think that the issue is a mere annoyance, and anything said otherwise is hype. Think now about what people do on their computers today. They have everything from their bank/credit information to their taxes (including their social security number). Some of the vulnerabilities listed above would give unscrupulous people access to such information. But did MS actively alert their user base? No. Millions of users trust the security and privacy of their computer; they have no idea that such issues exist. Ignorance is no excuse, but Microsoft certainly shares a part of the blame.
What about corporate users? How many small companies run their entire business on NT servers? How many companies use MS Office, or Outlook? Most of them find out about security issues long after the less reputable members of our society. Indeed, if you are in IS management, were you aware of the major issues related to MS products?
Indeed, Microsoft's lax attitude toward security puts everyone at risk. Think about the hospital that keeps your medical records, the web site that you trade stock on, your corporate network and your home computer. If Microsoft software is running in any of those places, you're at risk.
If you had an employee that was well groomed, kept a neat desk and was well spoken, I'm sure you'd value that employee. But what would happen if the employee rarely told you about mistakes they made, even though they put your business in danger? What if the employee, when confronted with mistakes, tried to shift the blame to another employee; would you keep them? Would their nice, neat appearance be worth the risk? Is Microsoft's value worth the risk to your security and privacy?
Microsoft's current attitude toward security issues reminds me of the tobacco industry. Of course, those who smoke knowingly take risks with their health. However, tobacco companies are now being held liable because they didn't disclose information regarding the severity of the risk. Asbestos companies similarly had information about the health risks of asbestos and kept quiet. Any company that acts in this way acts irresponsibly at best; some people may even consider it criminal.
So what can you do? In short, if you decide to continue with Microsoft products as a key part of your infrastructure, then you have to trust them to be honest. But is that a safe way to proceed?
Let's look at one last example. Microsoft has long pushed their desktop Operating Systems, Windows 95 and 98 as a key for successful business. Most companies use one of these two OS's on their desktops. These companies have trusted Microsoft to be honest. At the end of August 1999, long after companies decided to trust those two Operating Systems, Peter Torr, a program manager for Microsoft, stated on the Usenet group microsoft.public.scripting.wsh ``If you're talking about Windows 9x [indicating Windows 95 and Windows 98], forget it. No one ever (seriously) claimed that it was secure''.
Now I leave it to you, the reader. Only you can decide if you're going to trust your security and confidentiality to a company which has exhibited a non-caring attitude toward these issues. Indeed, will you trust a company which has intentionally misled the public, as earlier examples indicate?
There are other options. If you're interested in running a business on software that can be trusted, look at the BSD and Linux operating systems. Another office suite which you might look at is ``Star Office'' from Sun Microsystems. Their source code is freely available and bugs are easily identified and quickly fixed. It is impossible for a vendor of these products to misdirect the public about security issues, since the actual code is in the hands of individuals who can refute any mis-statement with proof.
So what will you do? I'm not saying that you should dump all Microsoft products and run to the Open Source solutions. That's a decision which will take careful consideration. You must determine where security and privacy or confidentiality rates in your situation. Is it less important than the ``ease-of-use'' that you get with Microsoft products? Have you looked at competing products which are written based on a better security model? If not, perhaps you should.
These are the beliefs of the author, not necessarily the beliefs held by the author's employer.