From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Sat Jan 25 2003 - 21:27:06 CST
It's late, I've been going since 4:30am, and y'all have had a lot to say
today. As Editor, one of the wonderful things I get to do is read your
thoughts and mull it over, then put my piece out for the rest of you.
Hopefully, it's meaningful.
I tried to put out a representative post for the "two" camps, blame MS
or blame the Admins. With all due respect, the issue is far more
complicated than something which can be whittled down to one focus of
But since Microsoft chooses to have us view them in the context of
"Trustworthy Computing", let's look at this issue from that perspective.
1. There's no doubt whatsoever that there is no minimum requirement on
Administrator access. Heck, Active Directory even gives us the ability
to delegate it (how one Administrator delegates Administrator to another
is beyond me, but hey, that's what we have). Anyone remember an old
Sierra game called "Leisure Suit Larry"? You had to answer a set of
questions that pretty much assured you were of age. Not so with MS
products, got a password...you're in! Heck, in the case of SQL it often
doesn't matter if you have a password or not. A basic premise of
Microsoft (and the security world-at-large) is if you can sit in front
of a machine, you're pretty much assured of owning it.
Not exactly a stellar group of individuals to provide products for, is
But instead of trying to teach Administrators the perils of their
rights, they're taught to patch, patch, and repatch.
Case in point: MS02-039, MS02-043, MS02-056, MS02-061 all patch machines
afflicted with the UDP1434 vulnerability against it. Yes, that's true,
but did you read the fine print on the download pages of those
bulletins? If not, you may not have noticed that you must install the
hotfix (note, not security bulletin, just a hotfix) supplied via KB
Q317748 *before* you apply any of those security bulletins? Heck, 3 of
those were "cumulative", but they didn't cumulate Q317748. Now let me
say that Q317748, which is a memory leak, isn't a terribly serious
problem (I know of people who have lots of SQL boxes and haven't been
affected by months of it running on their boxes)...but that's not the
point. If you now really read those bulletins (because it's important to
be sure today), you'll discover you needed Q317748 *before* you applied
the fix you just rushed out to apply. Um, ok, so now I'll apply
317748...well, no, if you do that you'll regress ssnetlib.dll and put
yourself back into vulnerable mode...duh!
You look at any of those download pages and tell me they're written for
the type of people who *could* be Administrator on a SQL or MSDE
2. But hey, it's your fault, you chose to sit in the driver's seat behind
the wheel of this awesome vehicle, so you should be responsible for what
it does. You don't patch, it's your fault. Microsoft made their patches
available months ago, and if you hadn't figured out how to read the
minds of the people who wrote those pages by now, you've got serious
Some people suggest this problem exists because you're not serious, you
don't take your job responsibly enough. I say "Hogwash!" You'd think
these people were getting paid equal to their Managers or something.
Give me a break, the people responsible for figuring out what needs to
be done, and when, barely get paid for the overtime it takes to do it
when Management says it's acceptable to get it done!
And with instructions like those we get, even with the "simplified
English version" of the bulletins, it's just not possible to say you'll
always get it right the first time. Besides, shouldn't we test it
first?? There's no time. Sure, it's been 6 months since the patch was
released...wanna tell me when during that 6 months you've been told
there's going to be a week available for you to make decent testing??
Not likely, you've been busy putting out fires as dufuses set up their
independent XP test or installed some app that did a broadcast
storm...yeah, we've all been given weeks to do our testing without
interruption...but then that was on a different planet, somehow the
gravity here makes it work differently.
3. Oh, but I was talking about "Trustworthy Computing", wasn't I? So,
let's see, can I trust a security bulletin to give me the information I
need? Well, sure, as long as I read it all, pick it apart and print it
on different sheets of paper and then assemble it together like a jigsaw
myself after I figure I understand what it means.
But wait, we can call PSS, because we all have support accounts and TAMs
and such to help us understand this stuff...don't we?
Ok, so I do, what should I expect? How about the *right* answer, the
*first* time? That'd be nice, wouldn't it?
Sorry, no amount of money is going to get you the support you think you
should get. It just doesn't exist, heck, the guys and dolls who wrote this
stuff don't know what's going to happen when you do this, or that, or
some other thing. The only way they'll be able to tell you much is if
they do it first, even then all they can tell you is what happened in
*their* environment...not yours!
But that's what we can trust, that they'll try. Well, I for one won't
say that MS people don't try, they honestly do, individually...but where
the heck is the Corporate Mandate to ensure they bloody well *know*??? I
mean, come on, it seems that Corporate Loyalty has been replaced with
Personal Loyalty, and as nice as that feels, it sure feels just like
"Open Source" to me. Isn't one of the best features of Open Source the
fact that individuals will strive for the collective? So the thing we're
looking for when we opt to pay for our software is the responsibility a
Corporation has for its paying customers. I don't want to get the warm
fuzzies, I want the damn answer!!! I don't care if it's Monday morning,
or Saturday night, I paid for the answer to get it!!!
Hmm, maybe it's a West Coast thing, maybe it's about living next to a few
Volcanoes for too long. Maybe it's all that rain??
4. But ok, Microsoft isn't the only one to blame. Lyris Listserver comes
with MSDE, where's their security bulletin? McAfee's Virus Control
Center comes with MSDE, where's theirs? Lots of other 3rd party products
ship with software which makes you vulnerable to SQLSlammer, and who's
telling you about it? Oh, it's not their fault, it's Microsoft's. I guess
that's what we call Trustworthy.
But let's see, surely Microsoft makes a royalty on this? No?? Ok, but at
least they'd be told that a vendor is shipping their product?? No??
Shouldn't somebody, somewhere, be able to give us a full list of all
"products" that ship with MSDE??? Wouldn't that connote Trustworthiness?
It would to me.
5. Oh but what's all this fuss about, any dufus can simply go to
WindowsUpdate and get themselves patched...um, well, not for this, but
for many other things! But any dufus can simply monitor the Microsoft
Security Bulletin Notification list and get themselves patched...um,
well, not for things like the memory leak described in Q317748. But any
dufus can simply read the simplified description of security bulletins
and understand all they need to do, and how, and where to get
things...um, well, not the SQL ones (at least).
6. But hey! SQL is from a different planet. All those ex-Tandem
employees over there doing what they used to do with Guardian. How can
we possibly expect them to understand the needs of the average
Administrator? Anyone who deals with SQL is myopic, from a different
planet, and loves Edward Scissorhands. That's who the bulletins are
written for, and since SQL Administrators have nothing else to do,
they're not given nice little GUI installation packages...heck, who
*doesn't* copy new binaries over old to install a patch...and don't you
just love the Visual C++ sample exploits provided *by Microsoft* so you
can verify the patch is applied???
7. Oh and we can't forget Cisco, and other device vendors. When will
they get honest and tell us the real reasons their devices fall over,
the way they do, when these sorts of attacks occur? Oh, we can
speculate...probably because they're all based on x86
architecture...meaning they have 8086 processors!! Ok, maybe they don't,
but they have to be the least efficient processing platform we know of.
But when you're a monopoly...
8. Oh, but its your fault, after all. Howard Schmidt, formerly in charge
of Microsoft Security and now 2nd to Richard Clarke helping the U.S.
President understand the problems of the Internet (yeah, right) says
"People need to do a better job about fixing vulnerabilities,"...hmmm,
who do you think he was referring to?
I think he was referring to you...
...and I think he doesn't have a clue!!!
9. So some people, including clueless Schmidt, say you need to do a
better job fixing vulnerabilities. Like fixing vulnerabilities causes no
problems, costs nothing, and takes no time whatsoever. Have you ever
tried running a Hosting Center??? You think you can mandate to your
customers like you might be able to mandate to the employees in your
LAN? I think not, after all, they're in the business to make money and
your customers are paying you to minimize their work.
10. Then there are the arguments about "Why the heck has anyone got
T1433/U1434 open in the first place??" Of course they should be closed,
who wouldn't? Well, have you considered remote control of SQL Enterprise
Manager? Oh, of course, that should be via Terminal Server or at least a
VPN...because we all know how well they work and how broadly they are
deployed. The technology exists, so who wouldn't employ it? But then
someone has to administer it...no?
11. I think people all too often forget that there are only 31,000+
subscribers to NTBugtraq today. We're amongst a very small community,
far smaller than I wish it were, who are concerned with these security
and trustworthiness issues. Maybe if the fixes were easier to apply,
more consistent, or sans the rocket science, maybe we could get people
to pay more attention.
I don't know for sure, but I can say that a "Default Deny" rule at
routers/firewalls prevented this attack completely. That's a pretty easy
concept, required no "patch", and wasn't rocket science. But hey, maybe
it's too simple??
Anyway, if you've read this far, thanks. It's been a tough day, with lots
of rumors and lots of "new information". Maybe my rant has missed the
mark...I just hope it rounds things out a bit.
As an MS employee told me an hour ago..."Apply MS02-061 and go to
bed!"...we'll see come Monday.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
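Added example, not part of Russ Cooper's post or of any Microsoft material: a small Python triage tool for the two controls the post contrasts at points 10 and 11, a signature for the UDP 1434 worm traffic versus the "Default Deny" rule at routers/firewalls that stopped it without any patch. The packet shape the signature checks (UDP/1434, a 376-byte payload, SSRP request type 0x04 followed by a long run of 0x01 padding) comes from public analyses of the Slammer packet, not from the post; the addresses, ports, payload filler and allow-list are constructed here for illustration, and the code never sends anything.

```python
"""Added example (not from the NTBugtraq post): UDP/1434 triage.

Parses constructed IPv4/UDP datagrams, flags the ones matching the public
description of the Slammer packet, and shows that a default-deny allow-list
written before anyone heard of the worm still drops it.
"""
import socket
import struct

SQL_MONITOR_PORT = 1434      # SQL Server Resolution Service, UDP
SLAMMER_PAYLOAD_LEN = 376    # documented size of the worm's UDP payload
SSRP_OVERFLOW_TYPE = 0x04    # request type whose handler had the overflow
SSRP_PING_TYPE = 0x02        # harmless "list instances" request
MIN_PADDING_RUN = 64         # 0x01 bytes we require right after the type byte


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct an IPv4+UDP datagram (checksums left zero; never sent)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_ipv4_udp(packet):
    """Return dict(src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(packet) < ihl + 8:
        return None
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > len(packet):
        return None              # truncated capture or lying length field
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport,
            "payload": packet[ihl + 8:ihl + udp_len]}


def looks_like_slammer(udp):
    """Signature: the exact packet shape, not merely 'something on 1434'."""
    p = udp["payload"]
    return (udp["dport"] == SQL_MONITOR_PORT
            and len(p) == SLAMMER_PAYLOAD_LEN
            and p[0] == SSRP_OVERFLOW_TYPE
            and p[1:1 + MIN_PADDING_RUN] == b"\x01" * MIN_PADDING_RUN)


def permitted(udp, allow=None, block=None):
    """Firewall verdict: allow=set means default deny, block=set default allow."""
    key = ("udp", udp["dport"])
    if allow is not None:
        return key in allow                       # default deny
    return key not in (block or set())            # default allow


def triage(packets, allow):
    """Classify each datagram under the signature and under both policies."""
    rows = []
    for raw in packets:
        udp = parse_ipv4_udp(raw)
        if udp is None:
            continue
        rows.append({"dport": udp["dport"],
                     "slammer": looks_like_slammer(udp),
                     "passes_default_deny": permitted(udp, allow=allow),
                     "passes_default_allow": permitted(udp, block=set())})
    return rows


def sample_packets():
    """Constructed traffic: worm-shaped, legitimate SSRP ping, DNS query."""
    worm = bytes([SSRP_OVERFLOW_TYPE]) + b"\x01" * 96   # padding run (count illustrative)
    worm += b"\xcc" * (SLAMMER_PAYLOAD_LEN - len(worm))  # filler, not the real shellcode
    ping = bytes([SSRP_PING_TYPE])
    dns = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x00" * 5
    return [build_ipv4_udp("203.0.113.7", "192.0.2.10", 4444, SQL_MONITOR_PORT, worm),
            build_ipv4_udp("192.0.2.55", "192.0.2.10", 1040, SQL_MONITOR_PORT, ping),
            build_ipv4_udp("192.0.2.55", "192.0.2.53", 1041, 53, dns)]


if __name__ == "__main__":
    allow = {("udp", 53)}      # an allow-list that never mentions SQL at all
    for row in triage(sample_packets(), allow):
        print(row)
```

The point the three rows make: the signature catches only the worm-shaped datagram, and only once somebody has written it; the default-deny allow-list drops both the worm and the legitimate SSRP ping to 1434 (which is the post's "who has U1434 open?" trade-off) without anyone having to know the worm exists, while a default-allow edge with an empty block-list passes everything through to whatever patch state the SQL box happens to be in.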