PC Security: Holey Software!
Imagine you own a small company that has a few high-profile clients. One day you discover that confidential data you store about these clients--credit card numbers, personal contact information, and promotional plans--is being broadcast over the Web for all to see. You have no clue how it's happening or how to stop it.
That was the real nightmare for one company that sought the help of James Sinclair, chief technology officer of Global Network Security Services in Los Angeles. In July 2000, after three weeks of searching for the data leak, the company (which understandably wants to remain anonymous) called Sinclair's firm to investigate.
A few hours later, GNSS discovered the problem: a security hole in FileMaker Pro Web Companion desktop database software that allowed an intruder to access the data from outside. "We don't know how our client was targeted," says Sinclair. "There are so few people who use FileMaker--comparatively speaking--that it was really the luck of the draw that they got hit."
FileMaker had posted an announcement and a fix for the hole two months earlier, but Sinclair's client never heard about it. The company had no tech staff, and they would have discovered the flaw only by visiting FileMaker's Web site--the software vendor never notified customers about the problem by e-mail.
Buggy software has long been the bane of computer users. But bugs can cause double the trouble when they involve a security hole. It's frustrating enough when your system locks up on opening an application, but when a security flaw leaves your PC open to attack, you want to know who to blame.
There are no easy answers. Tracking down your attacker is usually a fruitless task, and vendors are loath to accept responsibility for a program's failings. Even more frustrating: Security holes may simply be a fact of life, given the complexity of today's software.
Fortunately, there are plenty of things you can do to protect your PC
From operating systems to browsers to antivirus packages, nearly every major software product has had a security flaw or two. BugTraq, a mailing list
While some holes clearly spell bad news, other bugs can be exploited only in rare cases or they affect few users. The FileMaker glitch, for example, "[could have] affected only a small percentage of customers," according to FileMaker spokesperson Steve Ruddock. "As far as I know, the security hole was only theoretical. We never heard of anyone who suffered problems from it." Of course, that's no comfort to James Sinclair's client.
Security holes in popular desktop programs like Outlook or Norton AntiVirus are more likely to touch you directly, but holes in server-based software can affect you, too. A flaw in an e-commerce site's online shopping cart program, for instance, could give thieves access to the credit card number you submit to the site.
Even more unnerving is the fact that the U.S. Navy controls its submarines with Windows NT, a program that has been plagued with bugs, including security holes, since its release. In 1997 a missile cruiser was rendered dead in the water because of a data-calculation bug in NT. BugTraq lists 164 holes in Windows NT 4.0, predecessor to Windows 2000 and Windows XP Professional. "The program was marketed as being secure," says Richard Power, editorial director of the Computer Security Institute in San Francisco. "But it had so many holes that hackers [said] the NT stood for 'nice try.'"
Scott Culp, program manager of Microsoft's Security Response Center (which investigates reports of holes and monitors the company's patching process), says that bug-free software is impossible to achieve. "Every piece of software that has ever been developed has had bugs. And every piece of software that ever will be developed is going to have bugs."
But is the problem getting worse, or are we just getting better at finding holes?
Bruce Schneier, CTO for Net security firm Counterpane and author of two books on cryptography, says there is more focus on finding flaws--both among researchers looking to make programs secure and among hackers who want to crack them. But, he says, there are more holes as well. "As systems get more complex, they get less secure," he says. "Computers, software, and the Internet are getting so interconnected that insecurities are mounting faster than our ability to find them."
Vendors, spurred by competition and the consumer cry for more features, bloat their wares with extras, says Schneier. As lines of code increase, so do bugs. There is no industry standard for an acceptable number of bugs, but a sometimes-quoted figure is one bug per 10,000 lines of code--a lot of bugs when you consider that Windows 2000 reportedly contains some 40 million lines of code.
Elias Levy, CTO of SecurityFocus and moderator of BugTraq, adds that poor programmer training leads to security flaws. "Many programmers drop out of college after their first or second year.... And if they do [finish] school, most universities don't teach how to write secure code. It's simply never been part of the curriculum."
Schneier says other security flaws appear when programs designed for different purposes are combined--for example, Microsoft Word macros and e-mail. Macros, pieces of code that automate specific tasks, are a great idea on their own, but can become dangerous when combined with e-mail. Click on an e-mail attachment containing a malicious macro, and it can reformat your hard drive.
But macros, as well as Java and ActiveX applets, aren't unsafe until someone uses them with evil intent. The CSI's Power says that users would benefit from software vendors erring on the cautious side and disabling potentially dangerous functions by default. Programs would then have to ask for your permission when suspicious code attempts to run on your PC. "The very process of going in and opening something that's closed by default," he says, "forces users to make a conscious decision about security."
Of course, Microsoft products aren't the only programs with flaws. Adobe Acrobat Reader, America Online's Instant Messenger, Netscape Navigator, and Symantec's Norton AntiVirus have all had holes. But Microsoft, Levy points out, is the "800-pound gorilla" that critics focus on because the company's software is so pervasive. A security hole that affects millions of its users is naturally an attractive target for malicious hackers.
Critics also focus on Microsoft because it has the resources to do extensive testing but still misses holes. Counterpane's Schneier says Microsoft is too quick to send products to market, and consumers have accused the company of shipping programs with known security flaws.
Microsoft's Culp says the company reviews written code, then tests software by emulating how users might operate it. But, he adds, "there are [always going to be] people who will use the product in ways that we just didn't conceive." And a program as big as Windows can be unwieldy to test. It's broken into parts and produced by separate design teams. Mark Croft, product manager for Windows XP, says that "fewer than a dozen" people have a complete picture of that program.
Culp also says the company addressed the quick-to-market issue with its much-publicized delay of Windows 2000, which was held back a year for debugging.
"In the past...we said it [was] acceptable to ship with a certain number of low-severity, very-difficult-to-exploit security vulnerabilities," says Culp. "At some point you say that the probability of this thing ever being exploited and of it actually ever affecting customers in any type of meaningful way is sufficiently low that we would be comfortable shipping with that bug. In Windows 2000, we said we will no longer make that judgment. If it is a security bug, we will not ship."
Schneier, however, rejects the idea that Windows 2000 raised the security bar. "[Microsoft] said...[Windows 2000] would be more secure than any other version to date. But there are more security holes in it than any other version of Windows."
BugTraq's Levy acknowledges that Microsoft has become more responsive to fixing holes. Last year, Culp says, the response center received 10,000 e-mail reports, resulting in 600 investigations and 100 security bulletins. The other e-mail reports were duplicates of the same bug, false reports, or bugs the company fixed in the next version of a product.
"Much as we'd like it to be different, we're both fallible and non-omnipotent," says Culp. "That's where the security response process comes in.... Most vendors stop the development and engineering process when they release the product to market.... We've got a sustained engineering process that follows the product even after it's been released."
But can you really trust any software vendor to properly patch bugs that it created in the first place?
Robert Wallace of Lake Zurich, Illinois, thinks not. He installed a patch for IE 5.5, and then couldn't reboot his PC. After $35, 17 hours, and four Microsoft support reps, his PC was still down. Microsoft said they'd call him back. A few days later, his 15-year-old son helped restore his backup. "Microsoft [reps were] polite when they called, and they did refund the money, but they took five business days to get back to me. That's five days that I was down."
Despite the product evaluation that Microsoft and other vendors perform, security holes clearly pass through unnoticed. That is, until products hit the market and bug hunters take over with their own brand of rigorous testing.
Bug hunters find and publicize holes that vendors miss. They include a range of people: security researchers; system administrators; crackers (criminal hackers), who reverse-engineer a program specifically to exploit its flaws; and "white-hat" hackers, who find and publicize holes with no intent to wreak havoc on systems. Their aim is to force vendors to fix holes.
After finding a flaw, a bug hunter may or may not contact the vendor before posting the information to a list like BugTraq, where system administrators, security consultants, and journalists can read it. Vendors, of course, would prefer that vulnerabilities were never made public.
But hackers and security pros say that publication forces vendors to quickly fix problems they would otherwise ignore. It also lets users and system administrators take measures to protect themselves, thus decreasing the amount of time during which crackers who already know about a hole can silently exploit it. Even if a patch isn't available, users can disable a vulnerable feature until the patch is posted.
Rain Forest Puppy, a hacker who has written a
But not everyone thinks publicizing holes is a good idea, since crackers (some of whom are consultants and administrators, too) also read bug lists, looking for new holes to exploit. A month after a flaw in Microsoft's Internet Information Server (IIS) software was published, a cracker wrote the Code Red worm to exploit it.
Marcus Ranum, CTO of software vendor NFR Security, says that many PC users and administrators--for whatever reason--don't fix their systems even when a patch is available. Thus, publicity about holes makes their systems more vulnerable.
The problem is exacerbated if a bug report includes exploit code--programming code that demonstrates in practice what the report describes in theory. Bug finders sometimes post exploits to allow administrators to test their systems for holes or test a vendor's patch. And some programmers need the exploit to convince their bosses of the need to create a patch for customers. But once an exploit is published, it can also be used by crackers to break into systems.
Levy admits that disclosing holes is a double-edged sword. "Once you inform the good guys, you also inform the bad guys," he says. But he and Schneier say that disclosure has done more to help security than harm it--as evidenced by Microsoft's improved response to holes. And, Levy says, "Incredibly enough, until this year Apple didn't even have an e-mail address to report security problems. Now they do."
Disclosure, in the end, puts the onus on users and administrators to patch their systems. Hundreds of thousands of systems could have escaped the Code Red scourge in July had administrators fixed their systems a month earlier when Microsoft released a patch for the buffer overflow problem that the worm exploited. (See more coverage of
Though security problems might be endemic to software, Schneier says software vendors get away with more defects than other industries do. "Chrysler won't [knowingly] sell you a car with an [unsafe] feature--they know if you get into an accident, they'll be held liable. But there is no such product liability in software."
Schneier adds that software makers are slow to learn from mistakes. "Buffer overflows are the poster child of why problems aren't getting better," he says. "They were discovered in the 1960s and were first used to attack computers in the 1970s.... Here we are 40 years later, and buffer overflows are
But vendors have little legal incentive to address problems--no current laws require vendors to fix holes. Of course, if a hole in a personal finance package results in users' data being open to perusal, for instance, the vendor will have to issue a patch, or suffer consumers' ire. But many holes are less obvious--such as ones that let a cracker use your PC to attack a Web site. In that case, you may never know your system has been compromised.
Schneier says the only things that will force vendors to produce better software are consumer lawsuits and higher insurance premiums for software makers and the businesses that use their products.
Insurance broker J.S. Wurzler Underwriting Managers now charges higher premiums for clients using Microsoft's IIS and Windows NT, but no security-related consumer suits seem to be pending against software makers. Vendors anticipating the sting of litigation are taking pains to protect themselves. Terms-of-service agreements that users must click through before installing software carry "limitation of liability" clauses. Accepting such agreements means you may be relinquishing your right to sue. Enforcement of these clauses has not been tested in court, however.
"Liability would be a great incentive," says Levy, "but...even under the best efforts, software will still have some errors. So are we placing [software vendors] in a position in which they simply can't deliver?"
In the final analysis, Levy says, consumers may have more clout than they think. "Microsoft is very customer-focused," he says. "If customers asked them for security, or if they voted with their wallets, I believe the company would pay attention. But even with all of the press about security problems in Microsoft products, customers simply don't view security as a high priority. Or at least they don't make that known for Microsoft to make it a priority."
Perhaps it's time consumers let software vendors know how they feel about security--and take their business elsewhere when it appears that no one is listening. Of course, going elsewhere won't always be a viable option, especially in a Microsoft-centric world. But until software security improves, it's mostly up to users to defend themselves.
Feel as if your PC is under siege? In addition to installing antivirus and firewall software, there's a lot you can do to guard against intruders. Follow this list to help secure your PC.
Malicious hackers tend to be opportunists. Rather than expend the effort to find new security flaws, they usually attack well-known holes in software. The good news is that patches are available to plug these holes. But if you're weary of installing all of them (patches, after all, can be buggy and sometimes introduce new problems to your PC), knowing which ones you really need can be confusing. Here's a list of the most crucial cures for your vulnerable system.