patches aren't the answer to microsoft holes


bigc73542
October 25th, 2003, 08:11 PM
http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=15600147
Patches Aren't The Answer To Microsoft Holes

By Don MacVittie, Network Computing

When Microsoft introduced its Trustworthy Computing initiative 18 months ago, those who wanted to believe that Windows could be made secure without major changes found some hope. Since then we've seen MSBlaster and countless Internet Explorer exploits. Microsoft's new answer is to change the way it manages patch distribution.

It's a worthy exercise, to be sure. But after a second RPC (Remote Procedure Call) buffer overflow in 30 days, this one targeting machines running Visual Basic for Applications (VBA), the focus on patch management seems misplaced.

The real problem plaguing Microsoft, and the reason Windows has been the target susceptible to so many recent attacks, is twofold: First, the company's deep integration of applications with the operating system requires open communication between systems and parts of systems. Although Microsoft doesn't generally document these interfaces, most of them are easy to find and misuse if you know how and have the right tools. Second is the never-ending demand for more and deeper application integration. The more integrated the OS is with the applications that run on it, the more code there is to exploit in order to gain access to the OS.

Deep integration is core to Microsoft's value proposition as the provider of the world's dominant operating environment, but the company needs to address this trade-off once and for all if it is to be taken seriously with its Trusted Computing initiative.

Because it hasn't, we get solutions that don't fully address the problem. When Microsoft created the patch for MSBlaster, it missed a buffer overflow. The technology exists to scan source code for buffer overflows, so why after all of these problems is Microsoft (apparently) not using a tool for this purpose?

It's time for us, the customers, to tell Microsoft to give up hyper-integration and give us a truly secure OS that doesn't consume huge budgets in maintenance. Strip all the bells and whistles out of Windows. We don't need a browser integrated into the OS. Let us choose our own. SharePoint Services? It's an application, not part of the OS. MediaPlayer is an audiovisual tool, not part of core services. The list goes on.

As you prepare your budgets for next year, be sure to account for the many hours you'll spend patching Windows. It's an expense you can't control or avoid, short of changing your OS.
