Gartner Questions Microsoft's Commitment To Operating-System Security - InformationWeek




The research firm warns that the ASN.1 vulnerability made public this week could prove worse than the vulnerability that made MS Blaster possible.

Research firm Gartner issued a note late Thursday that raises serious questions about Microsoft's internal commitment to rid its operating system of security holes that make worms such as MS Blaster, SQL Slammer, and Code Red possible.

The report from Gartner was spurred by the Abstract Syntax Notation One (ASN.1) vulnerability, which Microsoft made public and issued a corrective patch for earlier this week. The vulnerability affects nearly every modern version of the Windows operating system, and most security experts agree that systems which aren't quickly patched are at high risk of targeted attack or of a fast-spreading Internet worm.

"This smells like Blaster all over again," says John Pescatore, a research director at Gartner and one of the authors of the report. But Pescatore warns that this vulnerability could prove worse than the one that made MS Blaster possible. Blaster created havoc for system operators in August 2003, the same week as the major blackout that left many in the Northeast without power. Unlike Blaster's flaw, the ASN.1 flaw can be reached through port 80 (HTTP), as well as through other ports widely used to communicate over the Internet, which makes it harder to contain by port blocking alone.

Pescatore says April marks the first anniversary of Windows Server 2003's release, and he had hoped Microsoft's internal push to improve the security of its software would have caught flaws of this kind. He said it was troubling that such flaws have been uncovered by external security researchers rather than by Microsoft itself.

eEye Digital Security found the ASN.1 vulnerability and reported it to Microsoft in July of last year. The vulnerability that MS Blaster exploited, in the Remote Procedure Call (RPC) interface of Microsoft's Distributed Component Object Model (DCOM), was discovered by The Last Stage of Delirium Research Group.

The ASN.1 vulnerability dates back to versions of Windows released before Windows Server 2003, including Windows NT and 2000, and was carried forward into the new operating system. "These old bugs being found in Windows 2003 are more worrisome than if only new bugs that only affected Windows 2003 were found," says Pescatore. "It means they've not been doing enough to find these holes on their own."

Gartner had previously recommended that its clients delay deploying Windows Server 2003 for "sensitive Internet-exposed applications" until sometime after the second half of this year, but the note published Thursday indicated the firm may change even that recommendation.

"We may have to revise even this cautious position if Microsoft fails to commit publicly to extraordinary efforts to eliminate glaring holes in its operating systems. Enterprises should continue to heavily weight the cost of continually patching Microsoft products when deciding which operating system to purchase," the report stated.

Gartner recommends companies immediately:

  • Install the Microsoft patch on all PCs and servers;
  • Block vulnerable ports as they are identified;
  • Configure enterprise firewalls correctly to limit exposure; and
  • Install personal firewalls on all PCs and intrusion-prevention software on all business-critical Windows servers.

In a statement E-mailed to InformationWeek, Microsoft said that it never expected to perfect security overnight, but it continues to believe that Windows Server 2003 demonstrates significant progress.
