Security News > 2001 > October > Microsoft Redux
Forwarded from: security curmudgeon http://www.wkeys.com/articles/CF/MS_Redux.html Microsoft Redux by Carole Fennelly It's deja-vu, all over again. Yet another worm attacks Microsoft servers, leading me to add yet another article to my continuing saga on Microsoft infestations: "Worm Droppings" (August, 2001) http://www.wkeys.com/articles/CF/itworld/worm_droppings.html "MS Right" (October, 2000) http://www.landfield.com/isn/mail-archive/2000/Oct/0100.html "Feeding the Virus Frenzy" (June, 2000) http://www.cnn.com/2000/TECH/computing/06/27/security.frenzy.idg/ So why bother writing another one? Well, the difference this time is that research and advisory group Gartner - not typically controversial - advised (http://www.gartner.com/DisplayDocument?doc_cd=101034) companies to consider dropping Microsoft's IIS web server in favour of iPlanet or Apache. I've been saying for years that we should address the root cause of viruses and worms: poor development practices. It is much more efficient to find and correct problems in products *before* they are shipped to thousands of customers than to have those customers retroactively apply patches. Obviously, no software is perfect and sometimes patches are necessary. But, come on - Microsoft has released over 50 security advisories this year alone. It appears that they are outsourcing system test to the customer while at the same time demanding that discovered vulnerabilities not be disclosed to the public: http://www.newsbytes.com/news/01/171173.html They can't have it both ways. Critics of the Gartner report claim Gartner's recommendations are a knee-jerk reaction that would cause more harm than good. It is irresponsible to just rip out an application without justifiable cause. This is a valid point - you should use the application that best suits your business requirements, and not just follow the herd. But it wasn't that long ago that many IT shops were forced to switch to Microsoft platforms because management bought into Microsoft's marketing claims significantly reduced administration costs. Hey, any college kid can run an NT machine. Cut the IT staff and get rid of those expensive Unix geeks. Now NT administrators are suffering the consequences of the perception that they aren't as technical as the Unix guys. News flash: Windows administrators can and should be just as technically savvy as their Unix counterparts. Microsoft offers no free ride on administration, as has been clearly demonstrated. Any software product with such a frequently repeated track record of security problems deserves the reputation it acquires - and this is not limited to Microsoft. For years, the Internet's most popular Mail Transfer Agent package, sendmail, earned a deserved reputation for poor security. Many sites chose to look at alternatives to sendmail, having grown tired of dealing with the bug-of-the-week. Others, who wanted the features unique to sendmail, invested time and effort to develop the expertise to run sendmail securely. There clearly is a serious issue with Microsoft's IIS server, and I don't buy the argument that it's just because Microsoft is a favourite target for hackers. It's been demonstrated on a Attrition survey (http://www.attrition.org/mirror/attrition/os-graphs.html) and on the Netcraft web server survey (http://www.netcraft.com/survey/) that Microsoft web servers do *not* dominate the market in anything but vulnerabilities. [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.