[ISN] Analyst claims additional security layers in Windows add to risk
From: InfoSec News (isnc4i.org)
Date: Tue Mar 09 2004 - 02:38:15 CST
by Cliff Saran
9 March 2004

Microsoft is planning a series of security improvements to Windows,
yet each layer of software protection it adds increases the security
risk, an analyst firm has warned.

A report by Burton Group said that although Windows 2003 could be
deployed as a flexible and inexpensive application server, its
security has a chequered past. According to Dan Blum, senior
vice-president and research director at Burton Group, attacks such as
Nimda, Code Red and Slammer have slowed Windows server adoption in
large enterprise extranet and service provider environments, where
Linux/Unix servers are generally preferred.

The problem lies with Win32, the programming interface used by most
applications, he said.

Because there is no code access control in Win32 subsystems, Com, or
ActiveX, Blum warned that any software component running on the
Windows system could invoke any other component and attempt to do
anything it wants.

Malicious programs have many opportunities to attempt buffer overflow
or other attacks to subvert discretionary access controls and other
system protections. In other words, a rogue Win32 program would be
able to undo any steps Microsoft may take to lock down Windows

The report recommended that users avoid ActiveX and the Win32
application programming interfaces and instead develop code in .net,
an architecture based on managed code, which reduces the effect of

Blum said, "Like Java, managed code based on .net runs in a sandbox."
Such a sandbox is designed to prevent the code from crashing the
operating system. The code runs on a virtual machine rather than
computer hardware. As a result, it is much harder to compromise, he

Security problems are exacerbated by the fact that Windows 2003 is
designed to be an integrated platform and as a result is based on
complex dependencies between various operating system components.

To tighten security on a Linux or Unix platform users can remove
functionality by configuring the kernel or recompiling it, but this is
not as easy on Windows. "All Linux and Unix operating systems are much
simpler than Windows," said Blum.

Bradley Tipp, national system engineer responsible for security at
Microsoft, defended Windows 2003's security. "With an integrated
approach it is much easier to apply patches, since the user does not
have to go to multiple supplies to secure the operating system," he