Microsoft Corp.’s recent security problems are the result of a rush-to-market philosophy and the software giant’s upcoming XP operating system could open the door to a barrage of new attacks, a former head of NASA IT security said Tuesday.
Bill Wall, chief computer security engineer for Florida IT outfit Harris Corp., said Microsoft regularly releases products with faulty code, figuring it best to get the software on store shelves sooner and release patches to fix inherent flaws later.
“They’re on a deadline to produce because they’ve already advertised it,” Wall said. “They said XP is going to be out in October no matter what. If there’s a serious flaw, they’re still going to release it and patch it later.”
Microsoft could not setup an interview before press time.
The last couple of weeks have been particularly bad for Microsoft’s security record. This past weekend, the company released a second patch for its Exchange mail-server software. Both Exchange 2000 and Exchange 5.5 had a flaw allowing an attacker to access mailboxes of users who read their mail over the Internet.
The second patch was necessary because the first had a tendency to crash mail servers.
Last week, the DoS.Storm worm accessed corporate networks through an already recognized flaw in Microsoft’s Internet Information Service (IIS) 4.0 and 5.0. Microsoft had released a patch for the flaw in August 2000.
And at the end of May, Microsoft released a patch to plug a pair of holes in its Windows Media Player software. The first hole allowed an attacker to exploit a buffer overrun problem (in which files are streamed without being checked) to run malicious code on a user’s computer. The second flaw saw the Media Player software saving Internet shortcuts to a user’s temporary files folder, allowing an attacker to read files on the user’s computer.
“We’re seeing some sloppy code being written,” Wall said. “What’s happening is that hacker and cracker groups are discovering them before Microsoft.”
Wall said his company, like most in the industry, notifies vendors upon discovery of a security flaw and waits another 30 days before notifying the public.
“Microsoft would like more time before people release (information) to the public,” Wall said. “However, the hacker-cracker community also wants their 15 minutes of fame, to be the first to say they found it. The longer (Microsoft) waits, someone else might find the vulnerability.”
Wall, the founder of Air Force Computer Emergency Response Team, said it was doubtful a company could produce flawless software, regardless of how dutiful and patient it was. But he said Microsoft could seriously reduce the number of flaws in its software if it spent a couple more weeks checking for bugs.
Wall noted that flaws are common to all operating systems, and said he finds perhaps 10 times as many holes in Unix and Linux as in Microsoft environments. But for one company, Wall said Microsoft has a high number of security problems, a situation that could get worse with the release of XP in October.
XP will feature raw sockets, a common Unix feature that allows a user to spoof their IP address so he or she can execute an attack anonymously. Because XP is intended for the home as well as the business market, this spoofing feature especially concerns Wall.
“People will be buying XP for Christmas and 13-year-old kids (will have the ability) to spoof IP addresses. You’ll see a lot more denial of services (attacks) and you won’t be able to trace them on the XP system.”
Wall said large amounts of targeted spoofs have the power to bring down systems.
