===============================================================
          T H E   S E C U R I U S   N E W S L E T T E R
===============================================================
January 22, 2002 | Vol. 3, #01 | http://www.securius.com/

CONTENTS:
* Windows XPloitable
* New Software from PC Guardian
===============================================================
A service of PC Guardian | San Rafael, California
Computer security products | http://www.pcguardian.com/
"Protecting Computers & Data Worldwide -- Since 1984"
===============================================================

--------------------------------------------------------
WINDOWS XPLOITABLE
--------------------------------------------------------

Imagine this dilemma: You know that the company you work for is shipping a popular product that contains a dangerous problem. There are hundreds of millions of dollars of revenue on the line and only a handful of people outside the company who know about the problem. Do you inform your customers about the problem -- thereby letting them make an informed decision about whether to continue to use a dangerous product -- or do you keep them in the dark until you have a fix?

For many people, this would be an ethical test. For Microsoft, it's business as usual: you maintain secrecy.

Last October, independent computer security researchers discovered and reported to Microsoft a major vulnerability in Windows XP that allows a remote attacker to gain full control over a machine running Microsoft's newest operating system. Rather than promptly notifying customers, Microsoft waited two months before releasing a security advisory and a patch.

The defect -- originally discovered by eEye Digital Security -- is in Microsoft's Universal Plug and Play (UPnP) facility. If you are running Windows XP and have not installed the patch, you need to close the UPnP hole as soon as possible.

Here's a link to Microsoft's belated bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

and here is a link to eEye's report:
http://www.eeye.com/html/Research/Advisories/AD20011220.html

Microsoft's decision to delay the release of information about this vulnerability is consonant with the bug secrecy policy articulated by Scott Culp, the Manager of the Microsoft Security Response Center. Right around the time that the UPnP hole was reported to Microsoft by eEye, Culp released a landmark essay entitled "It's Time to End Information Anarchy".

In his essay, Culp blasts the computer security community -- which by and large practices full disclosure when reporting security defects -- for publishing too much detail about software vulnerabilities and for publishing before the software's makers have had sufficient time to distribute a fix. He accuses security researchers of propagating "information anarchy" by "deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used."

You can find the essay at
http://www.microsoft.com/technet/columns/security/noarch.asp

While reputable computer security practitioners would be likely to agree that publishing exploit code is irresponsible, Microsoft is interested in suppressing any public discussion of vulnerabilities. The company is now pushing for embargoes on third-party security alerts in order to provide time for fixes. Microsoft's certified security partners must agree not to disclose vulnerabilities they discover. According to Microsoft's code of conduct, if a security partner finds a vulnerability:

    Microsoft Gold Certified Security Solutions Partners shall take
    reasonable steps to ensure that they do not publicly disclose
    details that would directly allow an outside party to develop or
    execute an attack exploiting the vulnerability.

You can find out more about Microsoft's security solutions program at
http://www.microsoft.com/partner/partnering/goldcertifiedoverview/gold_sec.asp

Clearly, Microsoft has a compelling economic reason for stifling public discussion of security holes: the company sells and assumes some liability for hundreds of millions of dollars worth of software each month. The company would surely like to squelch the endless stream of reported security problems and deal with them -- or not -- on its own secretive terms.

But is this best for Microsoft's customers and users? Millions of users deployed Windows XP between the time eEye found the hole and Microsoft announced a patch. Most of them probably would have deployed it anyway. Some, however, surely would have preferred to hold off until a fix was available.

Last week, Microsoft Chairman Bill Gates sent an email to all Microsoft employees outlining a major strategy shift for the company, from a focus on adding more and more features to a focus on security. In it, he states:

    In the past, we've made our software and services more compelling
    for users by adding new features and functionality, and by making
    our platform richly extensible. We've done a terrific job at that,
    but all those great features won't matter unless customers trust
    our software. So now, when we face a choice between adding
    features and resolving security issues, we need to choose security.

You can read the full text of Gates' email here:
http://news.com.com/2009-1001-817210.html

In the email, Gates does NOT address the disclosure issue, so it's not clear whether Microsoft will back off its "secrecy first" approach. Overall, it's not clear whether his email is a PR stunt or whether Gates is serious about re-aligning the company's priorities. If Gates & Co. are committed, they should give serious consideration to embracing security through full disclosure rather than security by obscurity.

Microsoft is an extremely important company, and its customers deserve the full truth right up front, even if it delays the company's market share growth. A security-focused Microsoft should embrace the security research community, even as that community discovers and publicizes embarrassing vulnerabilities.

Here are some links related to the disclosure issue:

Crypto-Gram Newsletter, November 15, 2001, Bruce Schneier
http://www.counterpane.com/crypto-gram-0111.html

"Who Needs Hackers? We've Got Microsoft!", Richard Forno
http://www.infowarrior.org/articles/2001-15.html

"Security Flaws May Be Pitfall for Microsoft", Joseph Menn
http://www.latimes.com/business/la-000003463jan14.story

"Security in an Open Electronic Society", Elias Levy
http://www.securityfocus.com/news/270

Here's coverage and commentary on Bill Gates' email:

"Microsoft Announces Strategy Shift", D. Ian Hopper and Ted Bridis
http://dailynews.yahoo.com/h/ap/20020117/tc/microsoft_19.html

"Will Microsoft's Trustworthy Computing Sell?", Brian McWilliams
http://www.securityfocus.com/news/310

--------------------------------------------------------
NEW SOFTWARE FROM PC GUARDIAN
--------------------------------------------------------

The software development group here at PC Guardian has been cranking out the code. In the past couple of weeks, we've released Windows XP-compatible versions of Encryption Plus(R) Folders, our on-the-fly encryption program, and Encryption Plus Secure Export, one of our communications security tools. Both programs come in three varieties: an enterprise version that supports administrative key recovery, a single-user version for individuals, and a feature-limited freeware version.

You can find out more about Encryption Plus Folders 5.0 here:
http://www.pcguardian.com/software/folder_s.html

And the enterprise version here:
http://www.pcguardian.com/software/folders_e.html

You can find out more about Encryption Plus Secure Export 4.1 here:
http://www.pcguardian.com/software/secure_s.html

And the enterprise version here:
http://www.pcguardian.com/software/secure_e.html

To download any of our freeware versions, visit
http://www.pcguardian.com/securius_download/

See you next issue. 'Til then, keep your guard up!

/------------------ BEGIN ADVERTISEMENT ------------------\

PC GUARDIAN OFFERS DEFENSE-IN-DEPTH NOTEBOOK SECURITY

Purchase a Notebook Guardian(R) for $59.95 and receive a FREE copy of Encryption Plus Folders 5.0 (list price: $49.95).

The Notebook Guardian is a one-piece tamper-proof notebook anti-theft system made with a sleek black polyvinyl-coated galvanized steel cable and a patented stainless steel locking head, cased in a chrome-plated brass lock face. The cable lassoes to any secure stationary object and the head fits the security slot on most notebooks.

Encryption Plus Folders 5.0 delivers transparent on-the-fly encryption that protects multiple folders and files from being deleted or snooped by those who have physical access to your PC.

Don't delay securing your computer and its private data any longer. Visit PC Guardian today at:
http://www.pcguardian.com/hardware/nbg2000_folders.html

\------------------- END ADVERTISEMENT -------------------/

===============================================================
ABOUT THIS NEWSLETTER

The Securius Newsletter is published periodically by PC Guardian.
For information about our simple and effective crypto software and anti-theft devices, please visit us at
http://www.pcguardian.com/

To download our crypto software, visit
http://www.pcguardian.com/securius_download/

You can find our archive of back issues at
http://www.securius.com/newsletter/archive/

SUBSCRIBING/UNSUBSCRIBING

To unsubscribe from this newsletter, send an email to
leave-securius-nl@lists.securius.com

To subscribe to this newsletter, send an email to
join-securius-nl@lists.securius.com

FEEDBACK OR QUESTIONS

Write the author, Seth T. Ross
sross@pcguardian.com

PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901 US

ABOUT THE AUTHOR

Seth is the Chief Strategy Officer at PC Guardian and author of the book, _UNIX System Security Tools_ (McGraw-Hill 1999):
http://www.amazon.com/exec/obidos/ASIN/0079137881/pcguardian-20

SPECIAL THANKS TO

Emily Navarre, editor extraordinaire

FORWARD THIS MAIL RIGHT NOW

Please take a moment and forward this newsletter to a colleague or friend.

===============================================================
Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included.
Copyright 2002 PC Guardian. All rights reserved.