Following Up "Beware the Microsoft Shell Game!"

About an hour after I posted "Beware the Microsoft shell game!", the company that wants you to trust your digital identity and your vital business data to its .NET application servers admitted there is an easy root crack in the standard build of Windows 2000 running the IIS web server. Code for this exploit has been sighted in the wild.

What this means is that unless a knowledgeable sysadmin has taken explicit action to prevent it, any 15-year-old who can copy code off the Internet, can use Microsoft's IIS to bypass your firewall, bypass your password system and gain administrator-level access to the machine that hosts your web server. They can inspect, alter or delete files at will, no matter how you have them secured. They can also use root-level access to that machine as a springboard for attacks on other systems inside your firewall.

A writeup on this latest in the apparently unending stream of gaping holes in Microsoft's security is at

This is about bad as it gets, folks. It's a big, nasty problem even by Microsoft's security-bug-of-the-month standards.

At Craig Mundie's anti-open-source sermonette in New York Thursday, I hope someone will have the temerity to ask him a few simple questions:

1. Should Microsoft's record on security inspire confidence in customers considering entrusting their digital identities to Microsoft's Hailstorm system and their critical business data to .NET?

2. Even the most cursory inspection of sites that specialize in tracking security bugs (such as CERT and BugTraq) suggests that open-source operating systems such as Linux and the BSDs have a far better security record than Microsoft Windows, both in having fewer vulnerabilities and in more rapid deployment of fixes. How does Microsoft propose to close the technology gap and catch up to the quality level of these systems?

3. How can potential operating-system customers with millions (perhaps billions) of dollars riding on the security of their computer systems form a rational estimate of their exposure if they cannot inspect the source code of those systems?

4. If the answer to question 3 is "You can see the source code if you're a big enough company to pay us for the privilege", then why should customers have to pay for the privilege of doing the job Microsoft's own QA teams so frequently bungle?

5. How would you respond to the following statement: "Any engineer or executive who, disregarding best practices, entrusts security-critical functions to closed-source software is committing an actionable breach of their responsibility to their employer?"

Eric Raymond can be contacted at Eric S. Raymond.


White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState