[Am-info] Bill Gates' latest security thoughts miss the mark

[Gene Gaines]

Interesting take on Microsoft by the Network World guy
who writes their "Windows Networking Tips" column.

(Sorry, no mention of trees, bushes, or shrubs.)

Gene Gaines
gene.gaines@gainesgroup.com
Sterling, Virginia

 - - - - - - - - - - - - - - - - - - - - - - - - - - -

NETWORK WORLD NEWSLETTER: DAVE KEARNS ON WINDOWS NETWORKING TIPS

06/23/04
Today's focus: Bill Gates' latest security thoughts miss the mark
...

By Dave Kearns

I get dozens of mailings from Microsoft every week, many of 
which are pure marketing drivel and quickly go to my trash 
folder. Occasionally, though, there are nuggets - such as the 
hands-on security labs I mentioned last week - that can prove 
useful. It happens rarely, though, and this week was no 
exception. Still, there was one note that deserves a closer 
look.

In the latest Microsoft Business Insights newsletter ("a monthly 
newsletter highlighting the latest news and resources on using 
Microsoft products, technologies, and partners to help solve 
your line-of-business challenges," according to the blurb at the 
Business Solutions Web site ( 
<http://www.microsoft.com/BusinessSolutions/> ) was the 
headline: "What Bill Gates Is Doing to Protect You from 
Hackers."  Well. This I had to see.

The link took me to the "Microsoft Progress Report: Security," 
from Bill's Executive E-mail at the end of March ( 
<http://www.microsoft.com/mscorp/execmail/2004/03-31security.asp>
).

After a lot of verbiage about the rise of worms, viruses and 
Trojans, Bill finally got around to telling me what he was doing 
to help, much of which centered on Service Pack 2 for Windows 
XP, due out any day now.

One vulnerability, which I've harped on about in this 
newsletter, is the infamous "buffer overflow" ( 
<http://www.nwfusion.com/details/746.html> ). Here's what Bill 
says will happen with XP SP2:

"Although no single technique can completely eliminate this type 
of vulnerability, Microsoft is employing a number of security 
technologies to mitigate these attacks. First, core Windows 
components have been recompiled with the most recent version of 
our compiler technology to protect against stack and heap 
overruns. Microsoft is also working with microprocessor 
companies, including Intel and AMD, to help Windows support 
hardware-enforced data execute protection (also known as NX, or 
no execute). NX uses the CPU to mark all memory locations in an 
application as non-executable unless the location explicitly 
contains executable code. This way, when an attacking worm or 
virus inserts program code into a portion of memory marked for 
data only, it cannot be run."

While that might seem commendable (and it probably does deserve 
a cheer along the lines of "it's about time!"), the "NX" 
technology doesn't prevent crackers from exploiting buffer 
overflows; it only makes it more difficult. The cracker will 
have to be sure that the exploit code overwrites existing 
executable code. Crackers generally have lots of time to find 
that information, and willingly share it among themselves.

What we really need are better programmers, Bill. We need 
programmers who take the time to put in the bounds checking and 
error handling that's necessary to catch buffer overflows before 
they've had time to insert malicious code and without crashing 
the machine, which would simply lead to more denial-of-service 
attacks. It's not difficult, it doesn't require an advanced 
degree in security services; it just requires dull grunt work on 
the part of the application coders, designers and managers to 
see that all avenues for exploits are cut off. Tell us how 
you're going to do that, Bill.

...

Copyright Network World, Inc., 2004