Regardless of your feelings about Microsoft, it was a tough year for what I think of as the integrity of the company's products. Integrity encompasses several items, including basic security, privacy, and reliability, but also a general feeling of trust people have in a given product--an almost subconscious understanding that something just isn't right. This notion covers a wide range of Microsoft products, from Windows servers and desktops to Internet Explorer (IE), Microsoft IIS, and Hotmail. Throughout 2001, Microsoft was the target of hundreds of hacks, attacks, and vulnerabilities. It seems as though Microsoft simply lined up its OSs and applications like yellow ducks in a carnival game--defenseless rows of potential victims, waiting to be knocked over.
Microsoft detractors will tell you that the company builds insecure products that violate its users' privacy and that it doesn't design features with an eye for security. There's some truth to that sentiment. The company and its backers, however, will say that Microsoft is a target simply because of its success. The company has so many products, the story goes, that hackers have almost no choice. There's some truth to that statement as well. But the most damning aspect of the story, in my mind, is Microsoft's response to security issues. When the same types of attacks confronted Microsoft, again and again throughout the year, the company simply promised--again and again--to get security right. Microsoft announced initiatives and code reviews, promised to make customers' systems and data secure and keep them secure--while it patched bug after bug after bug. The term Microsoft security is a joke of sorts in many circles, an oxymoron that geeks can knowingly nod their heads over and laugh about. How did the situation get this bad?
I have my own theories, which involve events such as integrating an immature IE product into Microsoft's desktop and server OSs a few years ago, then requiring customers to install IE to get critical upgrades such as the IIS Web server. Instability and poor coding opens vulnerabilities. And in a connected world, enterprising hackers tend to compromise vulnerabilities.
But that's not the primary concern, of course. What has Microsoft done to us lately? It's almost sobering to look back at 2001, especially when you consider that the lengthy list I present here is but a small subset of all the security and privacy problems Microsoft faced last year. Indeed, I focus solely on the newsworthy issues, if you will, because it would require a dedicated publication to track nothing but security and privacy issues. Not surprisingly, we provide such a service through Mark Joseph Edward's excellent Security Administrator site.
For Microsoft, 2001 began with a preview of things to come: The company's Web properties were the victim of a multiday Denial of Service (DoS) attack that left customers unable to reach the sites. Microsoft was quick to point out that the attacks didn't take advantage of vulnerabilities in any of its products, but security experts still took the company to task for not correctly setting up its network. If Microsoft's DNS servers, which translate IP addresses into human-readable Internet locations, hadn't all been on the same subnet, hackers couldn't have attacked the company's sites so easily. Microsoft's response? The Internet is poorly designed, Microsoft executive Craig Mundie said, and it will be years before people can rearchitect the Internet to protect sites from this kind of attack. I guess DoS attacks weren't the only type of denial making the rounds that week.
In February, Microsoft Chief Operating Officer (COO) Bob Herbold detailed a network attack from the previous October, which might have compromised the source code for Windows and Office. I mention this story only because the company once again directed the blame away from its products or standards and practices. "It's not the technology, folks; it's the people," Herbold explained. "When we trace \[such attacks\] back, it's always human error."
Hotmail hit the radar in early March, when news stories revealed that the world's largest Web-based email service was sharing its customers' private information with the InfoSpace Internet White Pages, which then published the information on public Web sites. Microsoft defended the practice, noting that its Hotmail sign-up pages clearly state that information is shared unless users clear a specific check box. However, this practice opens up Hotmail users to mountainous piles of spam because their valid email addresses are freely and publicly available on InfoSpace, which lists up to 1000 such addresses per page.
In April, Microsoft opened up two Windows XP beta machines to the Internet, hoping to see whether hackers could breach its defenses. The company did this with Windows 2000 and said that the experience provided useful feedback. But I've received no word about the success of the two XP machines, which tested Internet Connection Firewall (ICF), Auto Update, and other new Internet-connected features.
IIS security raised its ugly head in May when Microsoft released an important security patch designed for both Internet Information Services (IIS) 5.0 on Win2K and Internet Information Server (IIS) 4.0 on Windows NT 4.0. This patch was fairly unprecedented because it included fixes for all previous IIS vulnerabilities. The message was clear: Not enough people were patching their Web servers and, although it would take a few months, Microsoft later agreed to ship the next version of its Web server, IIS 6.0, in a more secure locked-down mode. IIS is a typical example of ease of use winning out over security, and although this practice builds market share, it probably hurt Microsoft's reputation in the long run. Maybe the task of administering servers should be difficult. That change would eliminate a lot of the people who think they can use Microsoft's server products simply because they have experience with desktop versions of Windows.
In June, one of the seminal security events of the year unfolded--the inclusion of raw sockets in XP. According to security expert Steve Gibson, XP's full support for raw sockets would open up users to a new generation of DoS attacks. The debate ran for months, but in the end, Microsoft decided to leave the feature in XP. Gibson says that Microsoft made this decision because removing the feature would have disrupted XP's development cycle, which the company designed so it could release XP during the lucrative holiday selling season, and not for technical reasons.
But XP's security and privacy problems weren't limited to raw sockets. In July, debates about Windows Product Activation (WPA) reached a head when a private study determined that the activation routine maintained user privacy. Complaints and fears about WPA fueled many an editorial in rival publications, but Microsoft eventually came out ahead in this area: After the company released XP, WPA was a nonevent.
July also brought with it a new IIS compromise that affected the White House Web site as well as some of Microsoft's own Web properties. A gift from Chinese hackers, the Code Red worm exploited a bug that Microsoft had found--and fixed--months earlier. But again, patches are only as good as the administrators who install (or don't install) them. Variants of Code Red dogged IIS for the next 30 days or so, hitting sites such as the Associated Press (AP), Federal Express, and Hotmail.
NT 4 went out with a bang in August, when Microsoft canceled Service Pack 7 (SP7) and instead issued a Security Rollup Package that combined all the security patches the company had issued since SP6. The Security Rollup contained more than 60 security hotfixes, which included 27 corrections to the core OS and 22 corrections to IIS.
Also in August, Microsoft changed its Passport service in response to privacy groups that charged that the service put users' data in a single location that Microsoft owned; the company could then sell or aggregate the information and use it secretly. Microsoft's change separated Passport's authentication servers from those servers that stored user information. But the move didn't appease privacy critics. "The problem is that Microsoft has the information," said Chris Hoofnagl of the Electronic Privacy Information Center (EPIC). Concerns about Passport were so widespread that Sun Microsystems started an industry consortium called Liberty Alliance expressly for the purpose of creating an open Passport alternative.
Attempting to address its mounting security problems, Microsoft issued two tools in early August: the Microsoft Personal Security Advisor (MPSA) and the awkwardly named HFNetChk, which are designed to test security policies and system security-patch status, respectively. An IIS Lockdown Tool joined these tools in late August; this new tool placed IIS in the secure mode it should have been in from the get-go. And in September, Microsoft also issued another IIS security tool, URLScan, making it unclear how any one human can keep up with IIS security. URLScan would reportedly protect IIS users against "every known IIS vulnerability." Sun Microsystems later took advantage of IIS' problems when the company introduced an ad campaign aimed at converting users to its iPlanet Web server.
Hotmail was in the news again in August, when Microsoft plugged what it called a minor security hole in the service. This act is of note because it was the first time the company attempted to show that it was reacting quickly to problems: Microsoft says it fixed the vulnerability less than 12 hours after a hacker Web site advertised it. But the company just couldn't help itself; Microsoft issued a statement in which the company described the implausibility of anyone succumbing to the vulnerability. "\[Malicious hackers\] would have to conduct thousands, if not tens of thousands, of attempts before they could hit on a valid message ID, and even that would only give them a portion of the information they would need to fully exploit this issue," the company wrote. Sounds like something a computer would be pretty good at, doesn't it?
In late August, Steve Gibson revealed that, to thwart piracy, Microsoft was secretly marking the Windows XP CDs it was giving to beta testers. The company promised that it wouldn't mark retail XP CDs in a similar manner (cue ominous music).
In a final footnote to Microsoft's month of discontent, in the last days of August an encryption expert who simply wanted to bypass the company's hardnosed eBook policy cracked Microsoft's eBook format. The format limits users to reading each title on only two devices. In a similar vein, in October someone hacked Microsoft's Digital Rights Management (DRM) software, which the company designed to prevent music piracy.
Finally, in October Microsoft admitted that the company wasn't doing right by security and announced a sweeping change in its security policies and practices. The company created a new Microsoft Strategic Technology Protection Program (STPP) to help customers take a simple two-phased approach to security: Get Secure and Stay Secure. The Get Secure phase includes proper planning and configuration before companies connect their systems to the Internet. The Stay Secure phase helps companies maintain ongoing security after they connect. The sweeping plan deserves more time than I can give it here. But whether it's been effective remains to be seen.
In October, Microsoft admitted that its own Web site was revealing private customer information such as addresses and phone numbers because of a bug that let any user search the site and access the internal sales database. The problem? Human error, according to the company. Also in October, Microsoft issued a series of stinging warnings to security Web sites, asking them to kindly stop popularizing security breaches in the company's products. In an essay posted to the Microsoft Web site, Security Manager Scott Culp called on these sites to "end information anarchy" and stop posting information that he said only helped hackers and not users of the products in question. Culp said that information posted on such sites made recent security exploits, such as Code Red and Nimda, possible, and that the company had in fact posted fixes long ago that would have prevented any problems. The ploy worked: A month later, a computer security company reported a damaging Universal Plug and Play (UPnP) vulnerability in XP directly to Microsoft rather than posting information about it on its Web site first. A few weeks later, Microsoft announced that it would work with other companies to jointly develop and refine security-flaw disclosure rules in a bid to prevent Web sites from publishing hacks and other programs that bypass software-security vulnerabilities until well after they're fixed.
In early November, Microsoft revealed that a Passport vulnerability caused the company to shut down the service temporarily, even though none of its 2 million customers were at risk. Passport, of course, is at the center of the company's .NET plans, leading to questions about Microsoft's ability to securely deliver this future.
As evidence that almost any Microsoft product could be the subject of a security warning, the company announced in mid-November that its Media Player 6.4, 7.x, and 8.0 applications required an important security patch. The good news? XP users would get the patch automatically, assuming they didn't change the default behavior of XP's Auto Update feature. The same week, however, Microsoft admitted that it had known about a new IE cookie vulnerability and failed to provide a fix a week before the company publicly accused a security company of placing IE users at risk when it published details of the problem. Microsoft said it needed more time to address the problem, however, and noted that the vulnerability didn't harm any users; the company has since addressed the vulnerability with a security patch. "Microsoft argued that by releasing details of the bug, it would give people time to take advantage of the vulnerability," said Jyrki Salmi of Online Solutions, the company that first published the information. "But we did the responsible thing. People who are using software that their businesses rely on to hold personal information should be aware in reasonable time that the program is not secure." Salmi noted that the company gave Microsoft a week to respond before it issued its warning.
Microsoft Outlook, an old security-vulnerability favorite, hit the headlines in early December with a new worm dubbed Goner, which deleted data on infected computers and replicated through the Outlook address book. Microsoft detractors now refer to Outlook as "Lookout" because of the number of security vulnerabilities the product has suffered.
In mid-December, Microsoft issued an "important" security patch for IE 5.5 and 6 that addressed vulnerabilities in those products. Microsoft's recommendation was curt and obvious: "Customers using IE \[5.5 or 6\] should install the patch immediately." A week later, the company patched a serious XP vulnerability related to that system's UPnP subsystem. Contrary to reports just about everywhere else, the company acted quickly to fix this bug. But the UPnP vulnerability does betray the basic problem, I think, with all Microsoft products: The company designs for ease of use and functionality first, security later.
And in that sense, the UPnP issue, which ended Microsoft's worst year ever on a low note, is emblematic of the problems the company faces regarding security. If Microsoft does the right thing and still gets overwhelmingly bad press, how will the company ever recover from the perception that it doesn't do the right thing regarding security? That reputation will probably dog Microsoft for years to come.