Bonum Certa Men Certa

Reader's Article: Microsoft Windows Hoses Homeland Security


Summary: DHS and Windows - affair revisited

WINDOWS CONTINUES to be a sordid, insecure mess. We will give some examples within days, but in the meantime, here is a new flaw in Internet Explorer 8, which Microsoft loves to pretend is secure:



"A nasty vulnerability exists in the latest Internet Explorer 8," Evans wrote. "I have been unsuccessful in persuading the vendor to issue a fix."

"The bug permits — for example — an arbitrary web site to force the victim to make tweets," he added.

The vulnerability may exist in other versions of IE and appears to be an extension of a cross-browser, cross-domain theft first documented by Evans via his scarybeastsecurity blog last December. Evans claims Microsoft has been aware of the bug since 2008, producing a harmless proof-of-concept exploit to illustrate his concerns.


A reader of ours has also just contributed the following short article: "Slashdot is running another story that fails to call out Windows. To be fair, neither did the Wired article nor the Department of Homeland Security report itself. The last omission is inexcusable because DHS had all the information and should help US citizens make informed decisions by publishing, instead of shielding Microsoft by obfuscating.

"There are tantalizing clues in the report and a damning indictment of Windows. The US Department of Homeland Security found more than a thousand serious vulnerabilities on their own network. Almost all of the holes were in applications run on Windows and flaws in Windows itself:

Overall, we identified 1,085 instances of high-risk vulnerabilities on the MOE [Mission Operating Environment]; 202 were unique across 174 MOE computers scanned. The majority of the high-risk vulnerabilities involved application [94%] and operating system [6%] and security software patches that had not been deployed ... The application vulnerabilities identified in our scans of the MOE, which NCSD uses for email service and access to NCPS Einstein data, include those involving Microsoft applications, Adobe Acrobat, and Sun Java. ... more exploitation attempts are recorded on application programs, especially email attacks that exploit vulnerabilities in commonly used software and programs such as Adobe and Microsoft Office. ... Though application attacks are on the rise, operating system attacks are still a security concern; more than 90% of operating system attacks involve buffer overflow vulnerabilities against Windows operating systems.


"When someone says "email attacks" they are usually talking about a particular Windows client. Because the DHS did not break down applications by OS, readers are left guessing what they are talking about. Why bother to give the breakdown for the minority problem, OS, while leaving the majority of problems, applications, nebulous?

"We do know from the report that DHS is a Windows shop and that causes most of the problems. The agency flagellates itself for not following Federal Information Security Management Act (FISMA) requirements or their own policies and recommends that they "Implement a software management solution that will automatically deploy operating system and application security patches and updates on all MOE computer systems to mitigate current and future vulnerabilities." If they were using GNU/Linux, they would already have such a thing because every distribution comes with a package manager.

"Updates are nearly impossible on Windows but trivial with GNU/Linux. Updates for Windows are spread far and wide on vendor sites, often behind JavaScript and other barriers to automated discovery. Many vendors have auto-update tools, but many resemble spyware, introduce security problems of their own, and running them all at once drains system resources. Worse, Microsoft is notorious for breaking Windows and other applications with their updates, and every large organization and software vendor ends up doing their own set of tests before they can roll out anything to users. This is an enormous duplication of effort not found in the cooperative world of GNU/Linux. Free software has no such barriers to discovery or copying, so all of the heavy lifting gets done by the distributions' package managers, which are already automated."

Does it not seem reasonable to suggest that DHS should abandon Windows? Sadly, it has former Microsoft seniors in-house.
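The report's headline arithmetic (instances versus unique findings across scanned hosts, and the application/OS split of high-risk instances) is easy to reproduce from any scanner export, and doing so shows which single patch would remove the most instances. The following Python is an added example written for this page; it is not code from Techrights, the reader or DHS. The hosts, finding identifiers and severities are constructed sample data, and the "application"/"os" category tag is an assumption about how a scanner labels its findings.

```python
"""Aggregate raw vulnerability-scan findings the way the DHS report counts them:
instances (one per host per finding), unique findings, hosts scanned, and the
application/OS split of high-risk instances. Added example; the hosts, finding
identifiers and category labels below are constructed, not taken from the report."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str        # scanned machine (constructed name)
    finding_id: str  # scanner plugin or advisory identifier (constructed)
    category: str    # "application" or "os" (assumed scanner tag)
    severity: str    # "high", "medium" or "low"


# Constructed scan export: four hosts, ten findings, eight of them high-risk.
SAMPLE_FINDINGS = [
    Finding("ws-01", "APP-ACROBAT-A", "application", "high"),
    Finding("ws-02", "APP-ACROBAT-A", "application", "high"),
    Finding("ws-03", "APP-ACROBAT-A", "application", "high"),
    Finding("ws-01", "APP-JAVA-B", "application", "high"),
    Finding("ws-02", "APP-JAVA-B", "application", "high"),
    Finding("ws-01", "APP-OFFICE-C", "application", "high"),
    Finding("ws-03", "OS-WIN-D", "os", "high"),
    Finding("srv-01", "OS-WIN-D", "os", "high"),
    Finding("srv-01", "APP-JAVA-B", "application", "medium"),
    Finding("ws-02", "OS-WIN-E", "os", "low"),
]


def high_risk(findings):
    """Keep only high-severity findings; that is what the report's 1,085 counts."""
    return [f for f in findings if f.severity == "high"]


def count_instances(findings):
    """Instances: every (host, finding) pair counts once, as in '1,085 instances'."""
    return len(findings)


def count_unique(findings):
    """Unique findings: distinct identifiers however many hosts carry them, as in '202 unique'."""
    return len({f.finding_id for f in findings})


def hosts_scanned(findings):
    """Distinct hosts that produced at least one finding (the report's '174 computers')."""
    return len({f.host for f in findings})


def category_breakdown(findings):
    """Whole-percent share of instances per category (the report's 94% / 6% split)."""
    counts = Counter(f.category for f in findings)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {cat: round(100 * n / total) for cat, n in counts.items()}


def most_widespread(findings, n=3):
    """Findings ranked by hosts affected: patching these first removes the most instances."""
    per_id = Counter(f.finding_id for f in findings)
    return per_id.most_common(n)


def summarize(findings):
    """Produce the same headline figures the report gives, for any scan export."""
    hr = high_risk(findings)
    return {
        "hosts_scanned": hosts_scanned(findings),
        "high_risk_instances": count_instances(hr),
        "high_risk_unique": count_unique(hr),
        "by_category_pct": category_breakdown(hr),
        "patch_first": most_widespread(hr),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

On the constructed data this yields 8 high-risk instances but only 4 unique findings, a 75%/25% application/OS split, and ACROBAT-A as the finding whose patch clears the most hosts. One caveat: `hosts_scanned` counts only hosts that produced a finding, so a clean host is invisible here; a real report takes the host total from the scanner's target list rather than from the findings.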
