Other operating systems like Linux, Unix and Macintosh,
experts say, all have security vulnerabilities. "But they
don't get the attention and the attacks because, unlike
Microsoft, the other technologies are not deployed on 300
million computers," said Russ Cooper, a security expert at
TruSecure, a computer security company. "This is not just
Somehow I doubt that *nix has even half the security vulnerabilities that
Windows does. *nix might not be running on 300 million machines, but it's
often running on the 1 million that really count--web servers, mail servers,
government machines, etc. I imagine those are tastier targets, but are
attacked less because there are fewer vulnerabilities to exploit.
It /is/ comforting to know that Microsoft is trying to be on top of their
----- Original Message -----
From: <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, September 29, 2003 8:35 PM
Subject: NYTimes.com Article: To Fix Software Flaws, Microsoft Invites
> This article from NYTimes.com
> has been sent to you by [log in to unmask]
> excellent article
> [log in to unmask]
> To Fix Software Flaws, Microsoft Invites Attack
> September 29, 2003
> By STEVE LOHR
> Microsoft's Security Response Center in Redmond, Wash., is
> the computing equivalent of a hospital emergency ward. When
> a problem comes in the door the center's director, Kevin
> Kean, and his staff must swiftly make an assessment: Is the
> security weakness detected in a Microsoft software product
> only minor? Or is it possibly so serious that, if exploited
> by a vandal's malicious code (as happened last month with
> the Blaster worm) it might crash computers and networks
> around the world?
> If the threat appears grave, the problem goes immediately
> into the center's emergency operating room, where it is
> attended to by a team of Microsoft engineers, working
> nearly round-the-clock to analyze the flawed code,
> anticipate paths of attack, devise a software patch to fix
> the defect and alert millions of customers of the problem
> and the patch.
> "It's triage and emergency response - so it's a lot like an
> E.R. ward in that sense," Mr. Kean observed last week.
> The race to protect the computing patient has begun again.
> On Sept. 10, after Mr. Kean's team completed another E.R.
> mission, Microsoft issued an emergency warning of a
> critical vulnerability in its Windows operating systems and
> released a patch - its 39th so far this year. What
> particularly worries computer professionals about the
> warning is that the security hole in Windows is the same
> kind of flaw, in the same feature of the operating system,
> that was exploited in August by the notorious Blaster worm.
> Those who monitor Internet crises know that once Microsoft
> raises the alarm and releases a patch, a curious race
> begins. Digital vandals - those who write worms, viruses
> and other rogue programs - eagerly download the patch and
> reverse-engineer it, taking it apart to search for clues on
> how to exploit the very Microsoft security hole the patch
> was meant to cover.
> Some portion of Microsoft customers, from corporations to
> home PC users, takes the time to download the patch, but
> most do not. Meanwhile, there is a scramble to write
> malicious code and spread it across the Internet.
> The Blaster worm was sighted on the Internet 25 days after
> Microsoft warned of that security hole. The company issued
> the latest warning 19 days ago. So if recent history is a
> guide, Blaster 2 may be coming soon to a computer near you.
> The brand-name worms and viruses of the last couple of
> years - Blaster, SoBig, Slammer, Code Red, Nimda, ILoveYou
> and others - are simply the most virulent representatives
> of an alarming surge in attacks by malicious programmers.
> The CERT Coordination Center at Carnegie Mellon University,
> which monitors rogue computer programs, reported 76,404
> attack incidents in the first half of this year,
> approaching the total of 82,094 for all of last year. And
> the 2002 incident count was nearly four times the total in
> 2000. If anything, the CERT statistics may understate the
> problem, because the organization counts all related
> attacks as a single incident. A worm or virus like Blaster
> or SoBig, a self-replicating program that can infect
> millions of computers, is but one event.
> The security flaws Mr. Kean's team is scrambling to catch
> and patch are part of the larger problem with software
> today. The programs that people rely on for all manner of
> tasks - from writing reports and sending e-mail, to
> monitoring factory floors and managing electric power grids
> - are becoming increasingly large, complex and, all but
> inevitably, filled with bugs. The problem is magnified by
> the fact that most computers are now linked to the
> Internet, enabling programs to travel around the globe and
> mingle with other programs in unforeseen ways.
> Most software bugs are a result of small oversights by a
> programmer. And most large software programs are
> combinations of newer code and old code, accumulated over
> time, almost as if in sedimentary layers. A programmer
> working years ago could not have foreseen the additional
> complexity and the interaction of software programs in the
> Internet era. Yet much of that old code lives on, sometimes
> causing unintended trouble.
> Security holes, computer experts say, are a manifestation
> of the fragile and often unreliable software foundation
> that underlies today's economy. "These worms and virus
> attacks are just the visible tip of a massive iceberg,"
> said Peter G. Neumann, a computer scientist at SRI
> International, a research firm.
> The major rogue programs all exploit vulnerabilities in
> Microsoft products, and Microsoft is the leading target of
> criticism by computer security experts. Indeed, Microsoft
> must shoulder a lot of the responsibility for the security
> woes suffered by its customers, analysts say. But the
> security weaknesses in Microsoft products, it seems, stem
> mainly from the company's success as the leader of the PC
> era of computing.
> The PC business model has been to push products out the
> door fast, add features constantly and market each product
> version as a millennial event. Microsoft perfected the
> model and attracted millions of customers. But security
> experts note that the PC business model has not placed much
> value on building secure, well-engineered software.
> The other reason Microsoft is the white whale for most
> digital vandals is that more than 90 percent of all desktop
> PC's run on the Windows operating system software. And the
> company's Office package of programs has more than 90
> percent of the market for word processing, spreadsheet and
> presentation software.
> Other operating systems like Linux, Unix and Macintosh,
> experts say, all have security vulnerabilities. "But they
> don't get the attention and the attacks because, unlike
> Microsoft, the other technologies are not deployed on 300
> million computers," said Russ Cooper, a security expert at
> TruSecure, a computer security company. "This is not just
> Microsoft's problem."
> The task of making software more reliable and secure will
> not be quick or easy. But computer scientists and industry
> analysts say that the goal is achievable, and that some
> encouraging steps have been taken. Improvements, they note,
> will depend largely on changing attitudes in the
> marketplace so that software makers have a greater
> incentive to invest in building better software.
> "By and large, vendors build what people are willing to pay
> for," said Edward Lazowska, a professor of computer science
> at the University of Washington. "People have historically
> been willing to pay for features - not reliability or
> There is evidence, though, that corporations and the
> federal government are placing a greater emphasis on
> obtaining secure software. Within the last two years, the
> government has pushed security initiatives in its
> technology policy, especially in the aftermath of the Sept.
> 11 terrorist attacks.
> Recent moves by the government include placing greater
> emphasis during the purchasing process on software design
> and reliability standards like the Common Criteria and the
> National Security Telecommunications and Information
> Systems Security Policy No. 11, a Pentagon directive that
> went into effect 14 months ago.
> Such standards now apply mainly to the Department of
> Defense and national security agencies, but Congress is
> looking to extend similar standards to other federal
> agencies. The federal government is the world's largest
> buyer of information technology, spending nearly $60
> billion a year.
> "If the government made a serious commitment to buying
> better software, it would change the industry," said Mary
> Ann Davidson, chief security officer of Oracle, the big
> database software company.
> Two weeks ago, the House Subcommittee on Technology,
> Information Policy, Intergovernmental Relations and the
> Census, which is under the Committee on Government Reform,
> held a hearing on the impact of the Pentagon's programs to
> link procurement to tighter security standards for
> Representative Adam H. Putnam, the Florida Republican who
> is chairman of the subcommittee, said he saw great promise
> for adopting similar standards for civilian agencies. "The
> government can leverage its purchasing power," he said,
> "and can be a leader for the entire industry in setting
> rules and standards of engineering behavior."
> A decisive step toward changing market incentives would be
> to expand product liability law to include software
> products. So far, software companies have sidestepped
> liability suits partly by selling customers licenses to use
> their programs, not own them, with a lengthy list of
> caveats and disclaimers.
> The industry has resisted any suggestion that software
> should be held legally liable for bugs. The industry's
> argument is that software is a highly complex product,
> which users tend to misuse or modify, so trying to assign
> responsibility for a failure would be unfair to any single
> Whether the software industry can continue to operate
> beyond the reach of product liability suits is uncertain.
> A report last year by a panel of the National Academy of
> Sciences, "Cybersecurity Today and Tomorrow: Pay Now or Pay
> Later," included the recommendation that "policy makers
> should consider legislative responses to the failure of
> existing incentives to cause the market to respond
> adequately to the security challenge."
> Professor Lazowska, a member of the panel who at times has
> advised Microsoft, explained, "You could draw an analogy to
> auto safety, where a set of government actions has caused
> automobiles to become far more safe over the course of the
> past 35 years."
> Technology is giving programmers tools to build more
> reliable software. The Java programming language, created
> at Sun Microsystems, and C#, developed later by Microsoft,
> are technologies for creating "managed code," which sharply
> limits the damage that can be done by errant lines of
> programming. "You have to design it so that bad things
> don't happen when programmers make mistakes," said William
> Joy, the former chief scientist at Sun.
> At Microsoft, much more time is now being set aside in the
> design cycle of products for security considerations, a
> mandate approved by senior management this spring. "There
> is a shift from mainly an emphasis on working features to
> an emphasis on trustworthy and secure computing," said
> Steven B. Lipner, director of security engineering strategy
> at Microsoft.
> Some of the tougher security standards, Mr. Lipner said,
> have shown measurable improvement in Windows Server 2003,
> which shipped earlier this year. The number of security
> vulnerabilities detected so far is half as many as at this
> stage after the release of Windows Server 2000, Mr. Lipner
> Yet years of steady progress in the quality of software
> engineering will be needed for big gains in security and
> reliability to become apparent. And it starts with
> education, noted Shawn Hernan, a security specialist at
> CERT. He makes a game of seeing how quickly he can find
> security vulnerabilities in the programming examples used
> in college textbooks. It rarely takes him more than a few
> "The textbook examples are riddled with vulnerabilities,"
> Mr. Hernan noted. "Computer science culture is based on,
> build it, get it working and fix it later. We need a
> culture change away from the cowboy and toward the
> Even as his E.R. team scrambles to patch Microsoft's
> security holes, Mr. Kean agreed. "It's not just Microsoft,"
> he said. "The world will commit itself to more secure
> computing. There will be a cultural change."
> Copyright 2003 The New York Times Company
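Two passages in the forwarded article make a concrete, testable claim: that "managed code" (Java, C#) sharply limits the damage an errant line can do, and that textbook programming examples are riddled with vulnerabilities. The following C program is an added illustration of both and is not code from the article, from Microsoft or from CERT. It pairs a textbook-style unchecked copy with a hardened version that does, explicitly, what a managed runtime's bounds check does for free: refuse the write and report failure rather than scribble past the end of the buffer. The field size NAME_MAX, the function names and the sample inputs are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field, as a textbook example might declare it. */
#define NAME_MAX 16

/* Textbook-style routine: copies caller data into a fixed buffer with no
 * length check. Any source longer than NAME_MAX - 1 bytes writes past the
 * end of 'name' (undefined behaviour; on a typical stack it overwrites the
 * saved return address, which is the shape of bug that worms rely on).
 * Kept only for contrast; nothing below calls it with long input. */
void textbook_copy_name(char name[NAME_MAX], const char *src)
{
    strcpy(name, src);
}

/* Hardened version: does what a managed runtime's bounds check does, but
 * explicitly. Scans at most 'cap' bytes for the terminator; if none is
 * found the source cannot fit, so it refuses the copy and reports failure
 * instead of writing outside the buffer. */
bool checked_copy_name(char *name, size_t cap, const char *src)
{
    size_t n = 0;
    while (n < cap && src[n] != '\0')
        n++;
    if (n == cap)             /* no terminator within cap bytes: too long */
        return false;
    memcpy(name, src, n + 1); /* n bytes plus the terminator, n + 1 <= cap */
    return true;
}

/* Same idea for an indexed write: managed code throws on an out-of-range
 * index; C silently writes wherever the index points. */
bool checked_store(int *arr, size_t len, size_t idx, int val)
{
    if (idx >= len)
        return false;
    arr[idx] = val;
    return true;
}

/* Self-contained check: true when 'src' fits in a NAME_MAX buffer and
 * arrived intact. */
bool copy_fits(const char *src)
{
    char name[NAME_MAX];
    return checked_copy_name(name, sizeof name, src) && strcmp(name, src) == 0;
}

/* Self-contained check: true when 'idx' is a legal slot in a four-element
 * array and the store landed there. */
bool store_in_range(size_t idx)
{
    int slots[4] = {0, 0, 0, 0};
    return checked_store(slots, 4, idx, 7) && slots[idx] == 7;
}

int main(void)
{
    /* Constructed inputs: 15 characters fit (15 + terminator = 16 bytes),
     * 16 characters do not. */
    printf("%d\n", copy_fits("alice"));            /* 1 */
    printf("%d\n", copy_fits("0123456789abcde"));  /* 1 */
    printf("%d\n", copy_fits("0123456789abcdef")); /* 0 */
    printf("%d\n", store_in_range(3));             /* 1 */
    printf("%d\n", store_in_range(4));             /* 0 */
    return 0;
}
```

The hardened copy deliberately scans no further than `cap` bytes, so an unterminated or hostile source cannot make it read past the caller's buffer either; that is the difference between a check a reviewer can verify by inspection and the textbook `strcpy`, whose correctness depends on a caller promise the compiler never sees.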