In a preemptive strike against hackers, Microsoft has posted advisories on TechNet about newly discovered security vulnerabilities in the company’s SQL Server software and three of its operating systems.
The most critical hole is in Microsoft’s RAS (Remote Access Service) software, which runs as an option in Windows NT, Windows 2000 and Windows XP.
The flaw allows intruders to gain complete control over an unpatched machine and run whatever code they want, according to the company.
The advisories also described problems with the way SQL Server handles XML (Extensible Markup Language) and pointed out flaws with a scripting function called HTR in Microsoft’s Web servers. Microsoft has long recommended disabling that scripting functionality — unless there is a critical reason for retaining it — because Microsoft’s ASP (Active Server Pages) technology replaces it.
Microsoft also issued a critical alert about a hole in its Internet Explorer Web browser. Hackers can exploit the flaw by using Gopher, a largely outdated method of data retrieval.
The Gopher hole threatens computers running Internet Explorer versions 5.01, 5.5 and 6.0, as well as Internet or intranet servers using Microsoft’s Proxy Server 2.0.
The company’s TechNet site provides patches for the security holes. However, since the company does not support older versions of Internet Explorer, users will need to upgrade to take advantage of the fixes.
Guarding the Giant
In January, Bill Gates sent a company-wide e-mail that encouraged employees to craft more secure software. Since that time, almost 40 flaws have been found, each one prompting a new advisory.
Although it might seem that Microsoft is moving slowly in response to Gates’ directive, the company actually is discovering flaws fairly quickly. The greatest difficulty is the sheer size of its software.
“I think the main problem with Microsoft, and with them trying to protect Windows, is that it’s impossible to secure and audit that quantity of source code in such a short period of time,” Oliver Friedrichs, director of engineering at SecurityFocus, told the E-Commerce Times.
The debugging process might take years. In the meantime, Microsoft will have to develop more practices for finding and resolving security issues. Even then, problems still might occur.
“When dealing with an operating system as complex as Windows, there’s always going to be an issue in some component,” Friedrichs said.
Microsoft also faces the challenge of training software engineers to focus on security when they previously had concentrated on other aspects of the applications they were building.
“It’s a learning experience for everyone there to become familiar with security practices,” Friedrichs said. “You can’t just flick a switch to train employees and have your products be secure.”
Not Just Microsoft
All software companies, especially those with several years of development under their belts, face problems with their products.
These companies are not uninterested in keeping software secure, Friedrichs said, but they did not start out by focusing exclusively on security. Now, they are trying to make up for lost time.
“Microsoft is just the most visible,” he said. “That’s why you hear about them more. Also, because they have such a wide customer and user base, security problems with Microsoft affect far more organizations and individuals than any other product.”
When it comes to avoiding malicious users bent on gumming up a system, it appears that size is a disability.
Since Microsoft is such a software Goliath, many hacker Davids seem eager to target the company.
“People tend to attack the most visible systems and products,” Friedrichs said. “Compared to any other company out there, Microsoft products are the most frequently attacked by far.”