Microsoft Insecure

By Joel Hruska

Date: November 14, 2001

Microsoft's .NET vision is no big secret anymore. The company has admitted it sees its future as a type of content enabler, a company which will "lease" software on a periodic basis to consumers, and whose Passport services will be used by millions to store personal data and website preferences.

As the company has pressed this goal forward, however, serious questions have been raised about Microsoft's ability to ability to provide a secure medium in which people can entrust their personal data. Major security flaws are discovered in Windows products almost daily and Gartner officially recommended moving away from the IIS platform earlier this year.

What concerns me most about this situation is that MS may be pursuing two mutually exclusive goals. Specifically, the company is seeking to aggressively integrate its product offerings and to offer more secure products simultaneously. I'll admit right away that I'm no network security specialist or engineer, but I see a potentially serious problem brewing here. You readers can let me know if I'm barking up the wrong tree or not.

Is It Good to Give the Customer What He Wants?

For years Microsoft has aggressively bundled outside products with the Windows operating system. Starting with IE, the company has greatly expanded its list of available products. WindowsXP includes fully functional CD-burning software, internet browsing capabilities, MP3 and DVD playback capability, Unzip capability, and reasonably advanced photo editing tools (for the end user). MP3 ripping capability is only a "Plus" pack away, as is also featured as a Microsoft product. Email functionality is also included.

Certainly, for the average PC user, this looks like a good thing. (Whether it is a good thing in terms of monopolistic control is a different article entirely). After all, it gives Average PC User maximal functionality with absolutely minimal fuss. No more calling up his knowledgeable friends to get help on where to find certain types of programs on the Internet.

Microsoft is certainly giving the customer easy access to a great deal of software, but at what cost? It's no secret that IE is deeply tied to the operating system itself, but what about all of these new products? How closely are they tied into the core operations of the system? Can they be used to open flaws in a system that would not have existed, if not for the close level of integration between separate products?

I first thought of this idea back in May when I read an article from the UK IT tabloid The Register. The piece describes a vulnerability in Windows Media Player version 6.4 and 7.0, that "contains an unchecked buffer susceptible to an overrun which could enable an attacker to run arbitrary code on a machine with the victim's level of permission, a Microsoft security bulletin warns."

The Potential Danger of Integration

My question is how much did the continued integration and expansion of Windows Media Player contribute to this problem? Perhaps even more importantly, can the problem be prevented in future Microsoft products? My guess is, if integration does cause a problem, it's a problem that'll be nearly impossible to fix, despite Microsoft's best efforts.

It certainly won't be for lack of trying. I know for a fact that Microsoft employs some very talented programmers and I believe they are honestly committed to building a secure product. Needless MS bashing aside, it makes no sense for them to design a purposefully insecure product which only creates situations such as the Gartner IIS debacle.

Take a moment, however, and consider the true size of WindowsXP when viewed from the code level. I have no idea how many lines of code are inside Microsoft's latest OS, but I'm sure it's a gobsmackingly-huge number. From there, consider all the lines of code inside all the integrated products that tie them into the OS itself. Furthermore, consider that security dangers can arise if one part of the integrated product allows some type of command to be executed or security feature to be bypassed that it normally shouldn't. In other words, the OS might function perfectly and the product might function perfectly, but the integrated link between them might be flawed and allow for the mis-execution of a command.

I'm not sure its possible for any firm to properly bug-check a product of that size or complexity. It'd be equivalent to walking down a beach looking for one particular grain of sand-while blindfolded with gloves on. In the end, it seems possible to me that continued integration of products into the WindowsXP operating system could only cause future problems down the line for security engineers.

The Biggest Target in Hacker History

Even if MS does succeed in producing a truly secure product, how long will it last? Keep in mind what Passport is designed to do. It's a system that will store YOUR personal data, from your email addresses, credit card information, and web site preferences. All that personal data, all those credit card numbers, all that possibility to create havoc and mass destruction, and all in one place.

The above scenario seems akin to not just leaving the front door of one's house unlocked, but moving to the worst neighborhood in town, hurling open the front door, stocking the entire house with jewelry, and putting up a sign in 50 foot lights that said "Welcome thieves and crack-heads!"

Some of them will come for the challenge. Some will want the credit card numbers. Some will attack just because its Microsoft. But regardless of their motives, I see little chance that any serious cracker would pass up a chance to take a "crack" at breaking Microsoft's Passport system and gaining access to a potential gold mine of data.

The DMCA won't stop these people and neither will the Redmond giant's attempts to constrain security issues. They will only delay the inevitable. Microsoft might as well paint a giant red bulls-eye on every Passport server, because that's what they'd become-targets.

So what do you readers think? Is product integration a threat to stability? Can a Passport-type of system be created and made secure by ANY company (not just MS)? Write me and let know-some of you are considerably more advanced in the field of network security than I am. I'm curious to hear your thoughts. 


Pssst!  Our Shopping Page has been updated.