 |
• August 29, 2003 •
I've gotten several interesting comments after I published an article MSBlaster Worm Fails To Bring Down Microsoft Windows Update Site, and featured this in my Newsletter last week. You can read the comments here.
Let's talk a bit more about this.
It now seems that Microsoft is rethinking a few things, but there haven't been many details released yet about the way it wants to implement these changes.
The first idea seems to be to have the Windows firewall enabled by default. For good measure, we're speaking about the Windows XP Internet Connection Firewall here. Windows XP is the only Windows version that ships with a built-in firewall.
I think this is quite a good idea... only allow a few ports open (E-mail & Web browsing), and for all other stuff, users would have to manually open ports when needed.
According to Microsoft's Mike Nash, Corporate Vice President of the Security Business Unit, Microsoft is currently looking into some issues that will arise from this firewall change, including compatibility issues and some legal issues.
Another thing discussed is the whole "AutoUpdate" feature. The consensus seems to be that it is still relying to much on the end-user, and so Microsoft seems to be contemplating "forced" updates. That is, updates will be automatically downloaded & installed.
This too I find a good idea.
Now I can hear a lot of people shout & scream. But the way this is thought out, Microsoft will offer businesses a way to "opt-out" of this "forced" updates. I think that for the "home user" segment, forced updates are the way to go. End users have proven on too many occasions that they are not capable of keeping their systems secure & up to date.
In a business environment, forced updates are not a possibility. Some financial institutions for example, mandate six weeks of regression testing before a patch is allowed on "production" machines. Workarounds have to be put in place to secure systems before an "approved" patch can be put in place.
In many cases Microsoft does provide these workarounds in its security bulletins. For example in the case of the MSBlast worm, setting a firewall to disallow traffic to ports 135,139,445 and 593 will prevent the worm from entering a machine.
Many people are complaining that Microsoft's OS is too full of holes. Well, it's not as secure as we would like it to be, but security vulnerabilities are something that will be with us for quite a while: there will always be bugs in software code, and some of these will be serious enough to be exploitable.
But Microsoft isn't deaf. According to Mike Nash, Microsoft is working on making their products a safer & more secure experience (secure by design, secure by default & secure by deployment). Microsoft is aware they have to do more to meet these goals.
Microsoft is also looking at the whole patching process, and wants to make patches less complex, and reduce the number of patch utilities to two, which will further reduce the complexity of patches.
All in all, I think that the MSBlaster worm has managed to open some eyes, both from Microsoft, and from System Administrators & end users. I think it's a shared responsibility: Microsoft needs to do more to make Windows more secure, and end users need to do more to keep their systems secure.
