Microsoft on Security: We'll Break Your Apps 609

jointm1k writes "Wired.com is running a story about how Microsoft is trying to act responsible and all by fixing (or trying to fix?) many (if not all) security holes in Windows. Not only new versions of Windows will be patched or improved, but as I understood they also plan to force security updates for older versions of Windows down people's throats. Even if that means that some applications will malfunction. Nice to see Microsoft taking responsibility for their mistakes, but they really should have done so when they designed Windows."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Custard ( 587661 ) on Thursday November 14, 2002 @10:41AM (#4667972) Homepage Journal
    It sucks that Microsoft will be forcing patches, but in the end it would be better if the result is fewer DoS attacks, and fewer compromised systems.

    But shouldn't 3rd party application designers be held similarly responsible for relying on these holes in their programs, and release patches of their own to avoid problems, possibly through Microsoft and bundled with the windows patch?
  • Designed (Score:4, Interesting)

    by Anonymous Coward on Thursday November 14, 2002 @10:41AM (#4667977)
    Well, we know a lot of things at that time were not built for security, like our friend the Internet. DOS has no concept of security because such things require a footprint that 80086s simply don't have room for. Windows 9x has no concept of security because such would break all DOS apps, which would have been business suicide back in 1995. Windows NT at least has a pretty solid foundation which extends to Windows 2000. Removing extraneous services would be a good thing. Nice to see IIS not installed by default on Windows .NET Server 2003 (virtually nothing is.) Perhaps they'll fix the "Shatter" attack too by shutting down using Windows Messages as IPC, at least below the WM_USER band, or even perform security checks prior. Oh well, there are a lot of things they can do, and although some legacy apps may break (and most that would already have,) it's ultimately for the best.
  • Microsoft Vs. Linux (Score:3, Interesting)

    by coryboehne ( 244614 ) on Thursday November 14, 2002 @10:42AM (#4667986)
    Well it looks like they might actually finally have the right idea as to how to compete with Linux... although they might have a few details a little skewed from what I would consider ideal, they seem to be heading in the right direction. Good to see that Microsoft might actually be listening to their customers finally.

    Disclaimer: Yes, I do love Linux, no I do not hate Microsoft, as a matter of a fact I am a .Net developer so this is of a much greater importance to me than it is to most.
  • Not Correct (Score:5, Interesting)

    by CharlieO ( 572028 ) on Thursday November 14, 2002 @10:43AM (#4667992)
    I read the same story at The Register [theregister.co.uk]

    The editorial is inaccurate and opinionated.

    They are actually giving up on trying to secure older products.

    And they are stating that for new security fixes on current products they are now putting security as a higher priority than not breaking the apps.

    So rather than provide the security turned off, in the hope that some MCSE will turn it on once the app has been patched, the security is on even if the app breaks.

    Now, regardless of the anti M$ feelings, this has got to be a good approach.

    Yes you can read it as "Here comes DRM, suck it down" or you can read it as "Secure by default really does matter, because we know 95% of users never change from the default settings" - the latter approach is taken by Suse in 8.1 and I don't see /. attacking them
  • by totallygeek ( 263191 ) <sellis@totallygeek.com> on Thursday November 14, 2002 @10:43AM (#4667994) Homepage
    Not that I am siding with Microsoft, but to play the devil's advocate, other companies are guilty of the same disregard for what third-party software will break due to OS patches. To date, I have not installed a Novell Netware service pack without jacking-up some other software (ADS, Arcserve, NAV, etc).

    There is a bigger problem out there -- laziness. Microsoft and others have made security patches available that admins simply do not install. If they did, the world would be a better place. I mean, I still get tons of Code Red hits on my web server. Patches have been available for that for....how long?!?!?!

  • God dammit! (Score:4, Interesting)

    by bmetz ( 523 ) on Thursday November 14, 2002 @10:45AM (#4668029) Homepage
    I am so sick of this revisionist, 20/20 hindsight, why-isn't-microsoft-perfect bullshit! Do you know how many applications written by blithering idiots they've had to keep working? I've heard tons of horror stories directly from friends at MS about the hoops they go through to keep COMPETING SOFTWARE from breaking. Yes, MS employees really do sit around figuring out how to keep Wordperfect from crashing.
  • Ass (Score:1, Interesting)

    by Anonymous Coward on Thursday November 14, 2002 @10:48AM (#4668051)
    During the week of Sept. 11-18, 2001, terrorist attacks and the Nimda virus changed the public's perspective on security, he said.

    I don't say this often, but... what a fucking wanker.

    How does he plan to address these security issues? Say they were all "attacks", and then push legislation through to outlaw them?

    Jesus. The fact that he even put a Microsoft fuckup in the same sentence as a 3500-life firebombing shows that he isn't fully mentally developed. I'd stay far away from any corporation who allowed this guy anywhere near their podium.
  • by blackcat++ ( 168398 ) on Thursday November 14, 2002 @10:48AM (#4668053)
    There is another side-effect: Just think of an update that does not only fix two recent security flaws, but also implements incompatible changes to the CIFS/SMB protocol. All users of MS Software are forced to upgrade, so there won't be any interoperability issues. But all those Samba File/Print/PDC installations across the world are suddenly broken.

    And Samba is just a randomly picked example.
  • by EggplantMan ( 549708 ) on Thursday November 14, 2002 @10:54AM (#4668105) Homepage
    In that way, I would say Bill and Linus are very alike. In his quest to bring his users what they want Bill often breaks backwards compatibility during the upgrade cycle (win 2k). However I have to say that Bill is very professional about these compatibility breaks only making them every major release, whereas sometimes Linus' behavior makes me wonder. Doesn't anyone remember the disaster called the 2.4.x series?
  • by pohl ( 872 ) on Thursday November 14, 2002 @11:00AM (#4668138) Homepage
    I'm torn on this issue. After years of trade rags ignoring well-designed alternatives in the marketplace and failing to do anything besides sucking Microsoft cock, I still find it refreshing when slashdot, a mere weblog, pulls out a headline with sardonic spin. I also find it amusing that people feel the need to rush to the defense of Microsoft. Seems as silly as protecting god with a sword.
  • Re:Designed (Score:3, Interesting)

    by Insightfill ( 554828 ) on Thursday November 14, 2002 @11:01AM (#4668141) Homepage
    Good point. When Win 95 hit the scenes, the goal was primarily backward-compatibility with the existing Windows and DOS apps, and easy networking. Consumer and small business Internet wasn't even a glimmer.

    As they moved forward to later versions of Windows, they were willing to let some, but not all of the backward compatibility slip. However, as the Internet came along, they seemed to have become more concerned with delivering functionality over security - does email really benefit from a scripting language IN the message content?

    The goal for the early Windows designs however, had always been about the "isolated" consumer and small business, while the *NIX implementations were looking at shared user environments and workspaces, and had the horsepower to enforce them. The amazing fact that Linus T. managed to shoehorn a *NIX implementation into a cheap x86 box was also largely a testament that the platform had grown beefy enough to handle it.

  • by The Evil Couch ( 621105 ) on Thursday November 14, 2002 @11:02AM (#4668156) Homepage
    that got slashdotted yesterday [slashdot.org]

    With that new law, companies would have to report hacks of systems. If MS fixes as many holes as they can before this new law can get swung around, the public won't find out how vulnerable they are by using their OS.
  • How about 1% ? (Score:3, Interesting)

    by trveler ( 214816 ) on Thursday November 14, 2002 @11:03AM (#4668160)
    I thought the most interesting quote from the article was near the end:

    "... slides also showed the surprising results of automated crash reports from Windows users. A mere 1 percent of Windows bugs account for half of the crashes reported from the field."

  • Misleading... (Score:2, Interesting)

    by ifoxtrot ( 529292 ) on Thursday November 14, 2002 @11:03AM (#4668164)
    There are many problems with this approach to security, as well as a few potential benefits.
    Starting with the benefits:
    1. Patches in their current form do not work very well as sysadmins don't tend to keep up to date as much as they should. (Windows Update is an attempt to address this. Success is arguable...). Forcing people to install patches "Plugging those holes, he said, would require not just rolling out new versions of Windows, but forcing security fixes onto users of older Windows versions, which he claimed was 30 to 40 times larger than the installed base of current versions" would definitely address this.
    2. This would make a lot of currently running, older microsoft machines more secure

    On the bad side now:
    1. You are forcing people to act in a way that might cause financial damage to them (breaking existing applications), and which might be unnecessary. There is no such thing as blanket security, it's all rather individual. (If someone is running an in-house webserver for their private intranet, patching the OS will not stop the people who might want to damage this as the probability is that they're also working for the company.)
    2. This kind of approach is misleading as to the total security of the system. What's the point of patching Win95 when anyone can log in and have administrative privileges? Even Microsoft accept that their old OSs (win9X) are not capable of being secure. [theregister.co.uk]
    3. We have yet another misleading claim that microsoft are secure and that security is achieved through Microsoft because they are getting tough!!! They're effectively saying that their products will make you secure... Security is not about products, it's about risk and what you do about it. Mr Schneier says it perfectly "Security is a process"...

  • by redfiche ( 621966 ) on Thursday November 14, 2002 @11:06AM (#4668188) Journal
    [troll]

    windows just doesn't seem like it was designed to take on improvements

    How many software projects as large and mature as the Windows code base can you name that are not terribly brittle? It's hard to create code that is extensible and maintainable.

    When Win2K was being developed, people's concerns were crashes and reboots, so they focused on that. Now concerns are centered around security. I'm no lover of M$, but it seems to me they are listening to their customers.

    [/troll]

  • Two Things (Score:5, Interesting)

    by 4of12 ( 97621 ) on Thursday November 14, 2002 @11:09AM (#4668221) Homepage Journal

    I don't fault Microsoft for not keeping up with Windows 95 compatibility and security issues this far down the line. Yes, admittedly it's a self-serving decision to push people into buying new Microsoft products that gain them revenue. But it's also a huge cost to maintain the old creaky code for little or no return.

    I would no more blame MS for dropping support for old software than I would blame the Linux kernel developers for not supporting older kernel interfaces.


    Second, this is a real opportunity for Linux to take up that ball of mud. I know it's ugly, but there's lots of people out there running crusty old Windows 95 compatible applications that would break if they upgraded to Windows XP.

    They might really love that particular application, see no other need to upgrade, and not want to upgrade if they're going to lose the use of their favorite application.

    Let them drink WINE at the Linux table!

  • Wonderful! (Score:5, Interesting)

    by Arjuna01 ( 85430 ) <mmcgurty@spa[ ]p.net ['mco' in gap]> on Thursday November 14, 2002 @11:12AM (#4668246) Homepage
    This is the same mentality where I work. We have users still using Lotus 2.4, WordPerfect 5.1, and other crazy applications because the IS people refuse to **MAKE** the users do their own work. The users want the IS departments to migrate and test all the spreadsheets and documents for them because we have Office '97 or Office 2000 installed on the machines. Now 10 years ago when Lotus 2.4 and WordPerfect were introduced we didn't go around making macros and cell calculations for them did we? But we try to introduce new products to keep up with the times and they act stupid on us and say we are killing business because we **WON'T** migrate their stupid macros.

    We can't even get the users to try and open the spreadsheets in Excel or Word. They just refuse to do it. My recommendation in the last meeting was to just turn off Lotus 2.4 and WordPerfect (apps run on server) and tell the user either to use Microsoft Excel and Word or find a new job.

    My point being, Microsoft is doing exactly what should be done. You want everything to be stable and secure, well you better be ready to upgrade or patch whatever doesn't work after we do our fixes.
  • by afidel ( 530433 ) on Thursday November 14, 2002 @11:15AM (#4668272)
    Actually MS just dumped the next server version after .NET, so it looks like they are headed towards longer release cycles. Since License 6 gives you support for the last 5 years of os's it would not behoove MS to come out with a new OS every year, that would mean supporting 5 OS's for corp customers and testing all their apps against 5 OS's, not cheap. Instead it looks like MS is going the opposite way, look at the next version of Office, it won't run on any OS's other than win2k with SP3+, or winXP. MS is trying to dump the old cruft to reduce problems and hence support costs both external and internal.
  • by Anonymous Coward on Thursday November 14, 2002 @11:15AM (#4668274)
    I think he was referring to the VM changes that kept happening. You know, the cause for all the serious bugs found in all 2.4.x kernels except for 2.4.9 and 2.4.18+...

    The fact is that 2.4.x has been a horrible series with only a couple usable versions.
  • by Reckless Visionary ( 323969 ) on Thursday November 14, 2002 @11:16AM (#4668289)
    What are you talking about? Bill Gates is the Chief Software Architect [com.com]. He gave up his job as chief executive for exactly that reason, to have an active role in OS development. Of course he's not the one compiling the releases, but to say he "actually has very little to do with Microsoft these days" is just flat incorrect. From link (prepare sarcastic tone):

    "I might be threatening to write code."

  • by Anonymous Coward on Thursday November 14, 2002 @11:17AM (#4668298)
    "if he is naive enough to think that MS architects would design the perfect OS from the start."

    Wait do you mean 18 years ago? Or do you mean they shouldn't shoot for the perfect OS every time they release a new re-hash of the previous operating system?

    Albert Brooks said plan to throw one away, not release it as Millennium Edition.
  • by Anonymous Coward on Thursday November 14, 2002 @11:19AM (#4668316)
    No, he's implying that the 2.4.x had some very major VM changes made to it when it was supposedly "stable". You knew full well what he was referring to.
  • Re:God dammit! (Score:3, Interesting)

    by coryboehne ( 244614 ) on Thursday November 14, 2002 @11:23AM (#4668355)
    LOL, you really have a fine point there, it's obvious that some software may have a few issues that will cause it to work in unexpected ways/not work at all. This is not something that cannot be fixed by whomever owns/writes said software. If Microsoft is putting forth this kind of effort to ensure security through some other method than obscurity then I say GREAT! And of course Microsoft wants to keep competing software vendors products working, after all, the main reason windows has captured the market share that it has is mainly due to their large base of 3rd party software and business apps (competing or not) If they were to alienate this valuable resource they would be crazy, as it is largely due to this base that they are so successful. And yes, when you're dealing with a product that is millions of lines of code long there are always going to be problems when trying to do anything... My current project that I'm working on is only about 50,000 lines of code (one developer, namely me) and I can tell you that once in a while when I go to change something that seems fairly menial I can cause myself more headaches than you can imagine (although this doesn't happen often, it does happen). So thank Microsoft for at least showing that they DO care, thank you. :)
  • by dnoyeb ( 547705 ) on Thursday November 14, 2002 @11:39AM (#4668500) Homepage Journal
    So now all the people that put out software packages 8 years ago for win98 are being told their apps are collateral damage.

    Now all users on win98 will be FORCED to upgrade if they did not turn off garbage auto update.

    See, just like homeland security, automatic patching starts out with a clean purpose, then they change it on you.

    Recall how many "tricks" were necessary to get around M$ BS. Now they're going back to erase those. Yea I can see WordPerfect 7 blowing up now. But I can't see Corel having the resources to fix it.

    This will basically ensure that nothing runs on old "patched" OSes.

    I call this XP strategy #2.
  • Re:Whiners (Score:2, Interesting)

    by _bug_ ( 112702 ) on Thursday November 14, 2002 @12:02PM (#4668685) Journal
    Microsoft fixes problems: you bitch because it breaks shitty apps.

    They haven't fixed anything yet, so what apps are you referring to?

    Microsoft doesn't fix problems: you fucking bitch because it doesn't fix problems.

    Call it what you will, but after paying 150 bucks for a piece of software with numerous bugs and security holes I damn well have a right to complain.

    Now the submitter claims that "they should have fixed them when they designed Windows." What kind of fucking bullshit logic is this crap?

    Microsoft has had more than six tries to get it right and they have yet to do so. SIX! Don't you think Microsoft should have had at least a good handle on the many chronic bugs and security holes that plague its operating systems by at least attempt #4?! If you say no, then I say "What kind of fucking bullshit logic is this crap?" ...they are not 'forcing upgrades down people's throats." It's still your option to have a shitty, fucking security hole laden sloth of an OS.

    "security hole laden sloth of an OS" ... you're absolutely right. When it comes to security and privacy who really cares? It's overrated. I don't need an upgrade that helps protect me and my family.

    Now come back to reality.

    Forcing? Okay it's not forcing. It's extortion. "Upgrade now to protect yourself from our mistakes." My choice is run a buggy OS and risk having my box rooted and all my personal information stolen or upgrade to a newer version that has a better chance at protecting that information (at least while the bugs are still undiscovered).

    It's that kind of irrational logic that drove me to Linux for a desktop OS in the first place.

  • by Anonymous Custard ( 587661 ) on Thursday November 14, 2002 @12:14PM (#4668802) Homepage Journal
    Absolutely, hold the application designers to the same strict standards.
    But you can't really do that until the base upon which the applications are written is itself secured. Can you?


    Right. You'd have some serious application down-time between MS and 3rd party patch releases. Thus, the need for MS and 3rd parties to work together to release the patches concurrently (=logistical nightmare).
  • Re:Designed (Score:3, Interesting)

    by mesocyclone ( 80188 ) on Thursday November 14, 2002 @12:37PM (#4668983) Homepage Journal
    Microsoft finally took the big step towards *kernel* security with XP, where they forced everyone out of the DOS mode. As I understand it, with XP there is a kernel between all applications and all hardware (perhaps with the exception of video buffers). This is the *first* thing necessary for security, and was something Microsoft wanted to do earlier but was forced by demands for backwards compatibility to leave the DOS hooks in to 95 and 98.

    But kernel security is only a small piece of the problem. Most modern virii and trojans operate strictly in the applications domain - they don't need to touch any kernel files or memory in order to do their nasty work.

    Microsoft adopted the COM mentality a long time ago. And it was a very good concept - it introduced componentized software for the first time into a large scale market (see caveat below). But unfortunately it was done without regard for security, with the result that any old script can use COM (or whatever the marketing droids call it this year) to control dangerous software (such as outlook). So on the one hand we have a very nice software concept, implemented by the largest OS supplier; but on the other hand we have a great increase in security holes.

    Microsoft also did not until recently pay enough attention to the security monster they had created. In fact, it is very hard for them to do much at this point without breaking their nice paradigm. They can patch holes in network connected middleware and systems software (for example, exhaustively searching for buffer overflows caused by careless C/C++ programming). But stopping users from executing viral scripts is much harder.

    A couple of asides...

    I discovered, by accident, that anything that windows considered executable can apparently be binary code! For example, a .pif file, which should be a specific set of instructions to run a program, can apparently itself be executable and Windows will blithely execute it! Same with .bat! This is beyond dumb, and I cannot imagine what they were thinking.

    Regarding COM. COM is a neat idea. Unfortunately Microsoft apparently became so enamoured with it that they just ignored another extremely powerful and much older concept for componentized software: command line execution of everything, with pipes (filtering), and with character (ASCII) formats for almost all files. This is the UNIX model and is a very nice, simple abstraction that beats the pants off of COM for many, many things. As one who uses Windows2000 as a primary desktop, with Cygwin as a primary software development platform, I really appreciate having BOTH models, and really get disgusted with the lack of scriptability for most Windows utilities, and the cryptic, bloated binary file formats that most Microsoft software use for configuration and simple data storage.

  • by Animats ( 122034 ) on Thursday November 14, 2002 @02:31PM (#4670187) Homepage
    It used to be, in the NT 3.5 era, that many apps supposedly written to the Win32 API didn't run on NT, generally because the apps were broken. NT 4.0 put in more backwards compatibility stuff (mostly by sticking mediocre code from Win95 into the NT kernel, over Dave Cutler's objections), and XP stands on its head to keep some old apps working, with lots of little "hint" files. All of that stuff should go.

    Microsoft may prohibit self-modifying code and code on the stack. You don't get any performance gain with either technique any more, since processors went superscalar.

    And maybe Microsoft will delete the 16-bit compatibility engine. It's time. In NT 3.5x, the 16-bit engine was optional, the system ran fine without it, and it should have stayed that way.

    Microsoft will probably do something to break Word 97, and blame it on "security". They need the revenue. But there's a problem:

    Plugging those holes, he said, would require not just rolling out new versions of Windows, but forcing security fixes onto users of older Windows versions, which he claimed was 30 to 40 times larger than the installed base of current versions.

    XP sales must be lower than Microsoft admits. Microsoft has to make sure that their pressure forces people to upgrade to XP, rather than locking people into the legacy OS. Expect something on the server side that makes Internet usage difficult for legacy users.

  • Re:Designed (Score:1, Interesting)

    by Anonymous Coward on Thursday November 14, 2002 @04:03PM (#4671252)
    It's called the Hardware Abstraction Layer (HAL) and it's a fundamental concept of NT itself, not just XP. In my mind, I'm not sure if I prefer DOS or NT.

    On the one hand, we have a system where the hardware is available for any app to fully utilize, where there are no real privilege separations. It's Gamer Mecca, honestly. A Windows 98 box, firewalled, that does not and will not ever use IE for general browsing, is safe, so long as you don't run any old binary you get off the net. This is how I run my P3-933, with Win98, drivers, Phoenix/Mozilla plus the 3 games I play.

    On the other hand, we have a system where there are privileges, administrators, normal users and all that lovely stuff. Which, in theory, should make you safe. In practice though, if you go around as a Power User or Administrator, the various IE sploits can own you. You're only a small amount safer than with Win98. You still have to follow the same safe practices.

    Anyway, my point is this. Not everyone needs a system of permissions and protections, as those systems are still vulnerable if the user is not careful. If Win98 was a lot more stable (and it is surprisingly stable if you run a small number of apps and reinstall/re-image every 6 months), I'd want to use it on most of my machines.
  • by erroneus ( 253617 ) on Thursday November 14, 2002 @05:19PM (#4672000) Homepage
    Recall that long ago, Microsoft wanted to move away from 16bit code by going to Windows9X and also with NT, they wanted to grow in the server and professional side. Ultimately, they hoped to merge their products and so far, I don't feel they've been all that successful.

    The biggest problem with NT is that it attempted to maintain compatibility with older stuff. It was important at that time they do it like this. (Personally, I think they should have thrown compatibility to the wind long ago to focus on stability and security... it's a SERVER after all, not a game machine or a workstation... make a separate workstation product with compatibility modules... but that's history now anyway...)

    Now, with intense focus on security, they are proving themselves as serious players in sacrificing "performance and compatibility" by closing serious holes even at the expense of current software compatibility. I say BRAVO Microsoft for making such a bold and courageous move. Only a company with monopoly force can really afford to pull that move off and if you ask me, it's a decision late in coming.

    Many people have me labelled as anti-microsoft [yacg.com] and a Linux pusher but actually I'm not. While I agree with most of the anti-microsoft commentary and just about all of the pro-linux and open source stuff, I'm not religious about it. If I like it or see value in it, I'll use it. It's that simple. I appreciate what I interpret as a mature direction Microsoft is about to undertake.

    I think it's a bit unfair for jointm1k to tack on the bit about "shoulda done it before they designed Windows..." In an industry that changes as often with technology as it does with "fashion" (consider shifts to and from client-server) It's tough for any company to keep up with current times let alone predict the future of computing 10 years down the road... even a company that, at times, sets the standards of industrial computing.

    Microsoft has lost a lot of respect in the industry -- not only in the eyes of IT professionals, but also in the eyes of blue/grey-suited business people. I think it's important for Microsoft's future to do that. I'm also a little afraid of what would happen to computing in general if there were a mass shift away from Microsoft. I wish it were, but I don't think Linux based business solutions are ready for prime-time. (* brace for impact! *)

    Long live Linux and all it stands for. Peace out.
