[Am-info] UNSAFE AT ANY VERSION

Fred A. Miller fm@cupserv.org
Thu, 17 Jan 2002 14:22:29 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

========================================================
SECURITY ADVISER                           InfoWorld.com
========================================================

Thursday, January 17, 2002

Network protection commentary by:       P.J. Connolly

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

UNSAFE AT ANY VERSION

Posted January 11, 2002 01:01 PM Pacific Time


I'M GOING TO take care of some old business before we
get too far into 2002. Last month I wrote that a
Symantec representative indicated the company's
security products might deliberately ignore
government-sponsored snoopware. Fortunately for all of
us, the person quoted was speaking without
authorization from Symantec HQ, and it appears that
the company's position, paraphrased by yours truly, is
quite the opposite, "Malware is malware and we'll warn
our customers of it." I hope this clarifies that issue.

While I was on my holiday, a flap arose over a security
hole in Windows XP's Universal Plug and Play
subsystem. Even the mainstream media found room to
cover it. And while Tim Mullen's New Year's Eve
contribution to Security Focus was right on the money
about the overreaction, I was glad that I cancelled my
plan to load Windows XP on my notebook.

It's not so much a matter of being concerned about XP's
security as I feel like it's déjà vu all over again.
In the last three years I've sat through briefings on
Windows 2000, XP, and .Net Server, and every time
heard how Microsoft is stressing security like never
before, how every known attack is thrown at the beta
code, yadda, yadda, yadda.

But then Microsoft releases Windows XP, and as soon as
I install it on a lab machine, Windows Update goes out
and tells me there was already a patch a few weeks
before release. OK, patches happen. But I'm writing
this column in the tenth week after the XP release,
and already I count three critical patches: the
Universal Plug and Play patch from December and two
patches for Internet Exploiter 6, one that handles a
cookie problem, the other an HTML header vulnerability.

I don't know about you, but if I bought a brand-new car
and had to bring it back to the dealer every three
weeks because the door locks didn't work, I'd be
pretty ticked. Sure, downloading the patch from
Windows Update and rebooting the system are trivial
compared to a long sit in a dealer's waiting room. But
I really have to wonder if Microsoft has gotten too
big to write secure code.

I'm certain Microsoft's developers are trying to do so,
but the results show otherwise. I couldn't keep the
grin off my face when a Microsoftie was bending my ear
about how secure Windows XP was going to be. The next
time I hear the spiel, which will be for Windows .Net
Server, I'm not sure whether I'll laugh out loud or
just roll my eyes. All I know is, Microsoft's claims
of security ring more hollow with each press tour.

Doesn't this mean that I can't ever be fair to
Microsoft? Not hardly. After all, I'm being paid to
have an opinion. All it means is that Microsoft's
spokespeople have to work harder every year to
convince me -- and more importantly, you -- that the
company got it right this time.

P.J. Connolly (pj_connolly@infoworld.com) covers
collaboration, networking, operating systems, and
security for the InfoWorld Test Center. Get this
column free via e-mail each week. Sign up at
http://www.iwsubscribe.com/newsletters .

- -- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8RyR2IhTtc6nTZIIRApxfAJwJGoU4uUgkAYTTTOS6wzWjAwrHkwCfWeAn
MugyeHqo5LCdH03Ws7QiAfo=
=IYSN
-----END PGP SIGNATURE-----