Following Up "Beware the Microsoft Shell Game!"
What this means is that unless a knowledgeable sysadmin has taken explicit action to prevent it, any 15-year-old who can copy code off the Internet can use Microsoft's IIS to bypass your firewall, bypass your password system and gain administrator-level access to the machine that hosts your web server. They can inspect, alter or delete files at will, no matter how you have them secured. They can also use root-level access to that machine as a springboard for attacks on other systems inside your firewall.

A writeup on this latest in the apparently unending stream of gaping holes in Microsoft's security is at http://www.eeye.com/html/Research/Advisories/AD20010501.html. This is about as bad as it gets, folks. It's a big, nasty problem even by Microsoft's security-bug-of-the-month standards.

At Craig Mundie's anti-open-source sermonette in New York Thursday, I hope someone will have the temerity to ask him a few simple questions:

1. Should Microsoft's record on security inspire confidence in customers considering entrusting their digital identities to Microsoft's Hailstorm system and their critical business data to .NET?

2. Even the most cursory inspection of sites that specialize in tracking security bugs (such as CERT and BugTraq) suggests that open-source operating systems such as Linux and the BSDs have a far better security record than Microsoft Windows, both in having fewer vulnerabilities and in more rapid deployment of fixes. How does Microsoft propose to close the technology gap and catch up to the quality level of these systems?

3. How can potential operating-system customers with millions (perhaps billions) of dollars riding on the security of their computer systems form a rational estimate of their exposure if they cannot inspect the source code of those systems?

4. If the answer to question 3 is "You can see the source code if you're a big enough company to pay us for the privilege", then why should customers have to pay for the privilege of doing the job Microsoft's own QA teams so frequently bungle?

5. How would you respond to the following statement: "Any engineer or executive who, disregarding best practices, entrusts security-critical functions to closed-source software is committing an actionable breach of their responsibility to their employer"?

Eric Raymond can be contacted at Eric S. Raymond.