
PC Security: Holey Software!

New security bugs appear weekly, letting hackers attack your data. Here's why apps are so full of holes and how you can protect yourself.

Kim Zetter


Tracing the Source

Scott Culp, program manager of Microsoft's Security Response Center (which investigates reports of holes and monitors the company's patching process), says that bug-free software is impossible to achieve. "Every piece of software that has ever been developed has had bugs. And every piece of software that ever will be developed is going to have bugs."

But is the problem getting worse, or are we just getting better at finding holes?

Bruce Schneier, CTO for Net security firm Counterpane and author of two books on cryptography, says there is more focus on finding flaws--both among researchers looking to make programs secure and among hackers who want to crack them. But, he says, there are more holes as well. "As systems get more complex, they get less secure," he says. "Computers, software, and the Internet are getting so interconnected that insecurities are mounting faster than our ability to find them."

Vendors, spurred by competition and the consumer cry for more features, bloat their wares with extras, says Schneier. As lines of code increase, so do bugs. There is no industry standard for an acceptable number of bugs, but a sometimes-quoted figure is one bug per 10,000 lines of code--a lot of bugs when you consider that Windows 2000 reportedly contains some 40 million lines of code.

Elias Levy, CTO of SecurityFocus and moderator of BugTraq, adds that poor programmer training leads to security flaws. "Many programmers drop out of college after their first or second year.... And if they do [finish] school, most universities don't teach how to write secure code. It's simply never been part of the curriculum."

Schneier says other security flaws appear when programs designed for different purposes are combined--for example, Microsoft Word macros and e-mail. Macros, pieces of code that automate specific tasks, are a great idea on their own, but can become dangerous when combined with e-mail. Click on an e-mail attachment containing a malicious macro, and it can reformat your hard drive.

But macros, as well as Java and ActiveX applets, aren't unsafe until someone uses them with evil intent. The CSI's Power says that users would benefit from software vendors erring on the cautious side and disabling potentially dangerous functions by default. Programs would then have to ask for your permission when suspicious code attempts to run on your PC. "The very process of going in and opening something that's closed by default," he says, "forces users to make a conscious decision about security."

Of course, Microsoft products aren't the only programs with flaws. Adobe Acrobat Reader, America Online's Instant Messenger, Netscape Navigator, and Symantec's Norton AntiVirus have all had holes. But Microsoft, Levy points out, is the "800-pound gorilla" that critics focus on because the company's software is so pervasive. A security hole that affects millions of its users is naturally an attractive target for malicious hackers.

Target: Microsoft

Critics also focus on Microsoft because it has the resources to do extensive testing but still misses holes. Counterpane's Schneier says Microsoft is too quick to send products to market, and consumers have accused the company of shipping programs with known security flaws.

Microsoft's Culp says the company reviews written code, then tests software by emulating how users might operate it. But, he adds, "there are [always going to be] people who will use the product in ways that we just didn't conceive." And a program as big as Windows can be unwieldy to test. It's broken into parts and produced by separate design teams. Mark Croft, product manager for Windows XP, says that "fewer than a dozen" people have a complete picture of that program.

Culp also says the company addressed the quick-to-market issue with its much-publicized delay of Windows 2000, which was held back a year for debugging.

"In the past...we said it [was] acceptable to ship with a certain number of low-severity, very-difficult-to-exploit security vulnerabilities," says Culp. "At some point you say that the probability of this thing ever being exploited and of it actually ever affecting customers in any type of meaningful way is sufficiently low that we would be comfortable shipping with that bug. In Windows 2000, we said we will no longer make that judgment. If it is a security bug, we will not ship."

Schneier, however, rejects the idea that Windows 2000 raised the security bar. "[Microsoft] said...[Windows 2000] would be more secure than any other version to date. But there are more security holes in it than any other version of Windows."

Response Center

BugTraq's Levy acknowledges that Microsoft has become more responsive to fixing holes. Last year, Culp says, the response center received 10,000 e-mail reports, resulting in 600 investigations and 100 security bulletins. The other e-mail reports were duplicates of the same bug, false reports, or bugs the company fixed in the next version of a product.

"Much as we'd like it to be different, we're both fallible and non-omnipotent," says Culp. "That's where the security response process comes in.... Most vendors stop the development and engineering process when they release the product to market.... We've got a sustained engineering process that follows the product even after it's been released."

But can you really trust any software vendor to properly patch bugs that it created in the first place?

Robert Wallace of Lake Zurich, Illinois, thinks not. He installed a patch for IE 5.5, and then couldn't reboot his PC. After $35, 17 hours, and four Microsoft support reps, his PC was still down. Microsoft said they'd call him back. A few days later, his 15-year-old son helped restore his backup. "Microsoft [reps were] polite when they called, and they did refund the money, but they took five business days to get back to me. That's five days that I was down."
