Dark Reading is part of the Informa Tech Division of Informa PLC


Analytics

10/30/2006
11:25 AM

Not Your Grandpa's Microsoft

Think you're being smart by waiting for Vista's SP 2? Think again

Microsoft's a big target -- the vendor takes a lot of heat for poor products or just a lack of responsiveness. While some of that criticism may have been true and even warranted over the years, let's give credit where it's due: Windows XP SP2 turned out to be vastly better from a security standpoint than previous versions. In fact, Microsoft-based enterprises have improved their security so much that even Symantec reports that the attack vectors have shifted to employees' homes.

More often these days, exposures come from security firms that "discover" a potential attack vector that was lying dormant and might otherwise have remained unknown. It is these disclosures, not attacks in the wild, that drive both the perception of Microsoft's security "problems" and the frequency of patches. That doesn't mean you should relax; on the contrary. But it does mean the vendor of any popular platform will need the resources to respond to these potential vectors as fast as they are found.

Security firms have learned that rigorously exposing potential attack vectors drives revenue. While no one is suggesting they have plumbed the depths of Internet Explorer or Outlook just yet, they are nonetheless already targeting Apple and Linux platforms.

Companies the size of, say, Hewlett-Packard may enjoy an advantage with Linux, since they would be able to step up to this challenge. Apple, to me, looks far too much like the Microsoft of the late '90s and is not taking the threat seriously enough.

The old Microsoft would never have survived what the current Microsoft is overcoming daily, in terms of the frequency and types of attacks. At least as it relates to security, Microsoft has indeed changed.

Vista, IE7, and the SP1 Tradition
Executives often set policies, many of them unofficial, which are then followed forever regardless of changing conditions. When I speak on this subject I like to compare companies to the British Army in the Zulu War. The British had by far the better weapons but were outnumbered. With those weapons they could easily have won, but the policy of the day focused on cost containment, which made it impossible to get ammunition quickly to where it was needed. Rifles without bullets turned out to have little advantage over spears, and the British lost badly. Policies need to be re-evaluated consistently, because they can become obsolete.

One of the existing policies we seem to be stuck with now is not to deploy any new operating system before SP1 (or SP2 in some cases). This rule has its roots in the early days of computing, when the first release of a product was more like a beta test and needed a couple of revisions before it was actually ready to ship.

Now, before I get the typical "Oh my god, he's shilling for Microsoft" response: I realize that nobody included Vista deployments in their 2007 budgets, and you probably won't be able to deploy Vista before SP1 now anyway. What I'm suggesting is that it may be time to revisit this "SP1" policy. Why? The security risk of running old software is now greater than the reliability risk that created this policy in the first place.

Think back to Windows 2000: does anyone want to argue that it was less secure or less reliable than Windows ME or Windows NT, even when those older OSes were fully patched? Windows 2000 was better than either of those turkeys, particularly if you were on NT and had a notebook computer. At its launch, Windows XP was effectively a comprehensive Windows 2000 patch.

In the last couple of years you may have noticed that a patch for an older OS tends to be labeled "critical" while the same patch for the current version is rated "important," or doesn't exist at all. That alone suggests that staying on the current platform could have large support-cost benefits, and that being more aggressive is the more secure path.

This appears particularly true of IE7, which addresses a vast array of IE6 security problems and oversights. Given the level of testing it received and the absence of any truly major problem since launch, it feels more solid than a second or third release of earlier IE versions.

Not Just Microsoft
This doesn't just apply to Microsoft. Products from companies like Oracle, IBM, and EMC are vastly more capable at initial launch than they used to be and should also be evaluated on their merits.

There is an increasing likelihood that terrorists, professional criminals, and nuts will aggressively target our employees and companies. The best way to mitigate this exposure may be to move more rapidly between platforms and Web-facing products. That either shuts them down or forces them to try other, less protected targets.

I think it is time we stopped treating service packs as generic indicators of product readiness and evaluated everything on its own merits, weighing the benefits of the new technology against our cost of implementing it. And a big part of that evaluation should increasingly be how many current security exposures the new offering takes off our daily worry list.

In short, in this new Internet age we aren't living in the same world our grandfathers lived in when they set the SP 1 policies. Products are better tested and the threats of standing still are much more pronounced. You aren't your grandfather: Maybe you shouldn't run your shop the way he did.

Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading
