Vendors Rip Microsoft Over Alleged Security Issues

By Jabulani Leffall
September 08, 2009
Software security vendors like to point out flaws in Microsoft products, but they don't always get much acknowledgment from Redmond.
The latest potshots are coming from Sophos, a security software company, as well as database security firm Sentrigo, plus BeyondTrust, which specializes in enterprise password protection. These vendors recently issued public challenges to Redmond concerning security in Windows and other Microsoft products.
For its part, Microsoft said through a spokesperson that it doesn't comment on the theories and opinions of vendors. Yet Redmond's growing network of executive-level bloggers has gone toe-to-toe with no fewer than two of these vendors in as many weeks.
Sophos' Beef With XP Mode
Sophos is one of Microsoft's most outspoken little-guy critics, even though it partners with Redmond on many security initiatives. Last week, the feud concerned Windows 7's XP Mode, which provides a virtualized Windows XP desktop running in Windows 7.
Sophos panned Windows XP Mode as a potential security disaster.
"Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colors of the OS giant," said Richard Jacobs, Sophos' CTO, in a July post.
The problem pointed out by Sophos' CTO (and one that Microsoft emphasizes too) is that Windows XP Mode requires maintaining two operating systems: Windows 7 itself and a virtualized Windows XP. Security patches have to be applied separately to each OS, and there is no centralized management control to simplify that patching. While Microsoft has been clear about this, Jacobs has intimated that Windows XP Mode is a security disaster in waiting.
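Because the two operating systems are patched independently, the check a practitioner wants is a side-by-side patch inventory of host and guest. The PowerShell below is an added example, not code from the article, from Sophos or from Microsoft. It runs on the Windows 7 host and queries the guest over WMI; the guest hostname XPMODE-VM is hypothetical, the guest is assumed to be reachable on the network with WMI (DCOM) allowed through its firewall, and $guestCred is assumed to be a local administrator account on the guest.

```powershell
# Added example, not the article's or Microsoft's code: compare the patch state
# of the Windows 7 host with that of the Windows XP Mode guest, since no shared
# console keeps the two in step.
# Assumptions: 'XPMODE-VM' is a hypothetical guest name; the guest allows WMI
# (DCOM) through its firewall; $guestCred is a local administrator on the guest.
$guest     = 'XPMODE-VM'
$guestCred = Get-Credential      # enter the guest's local administrator account

function Get-PatchSummary {
    param(
        [string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential = $null
    )
    # Get-WmiObject rejects -Credential for the local machine, so pass it only for the guest.
    $wmi = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmi.Credential = $Credential }

    $os  = Get-WmiObject -Class Win32_OperatingSystem @wmi
    $qfe = @(Get-WmiObject -Class Win32_QuickFixEngineering @wmi)

    # InstalledOn is a free-form string whose format differs between XP and
    # Windows 7; keep the values that parse as dates and ignore the rest.
    $dates = foreach ($q in $qfe) {
        $d = [DateTime]::MinValue
        if ([DateTime]::TryParse($q.InstalledOn, [ref]$d)) { $d }
    }
    $last = $null
    if ($dates) { $last = ($dates | Sort-Object)[-1] }

    New-Object PSObject -Property @{
        Computer    = $ComputerName
        OS          = $os.Caption
        ServicePack = $os.CSDVersion
        Hotfixes    = $qfe.Count
        LastPatch   = $last
    }
}

$hostSummary  = Get-PatchSummary -ComputerName $env:COMPUTERNAME
$guestSummary = Get-PatchSummary -ComputerName $guest -Credential $guestCred
$hostSummary, $guestSummary |
    Select-Object Computer, OS, ServicePack, Hotfixes, LastPatch |
    Format-Table -AutoSize

# Flag a guest whose newest parsable patch is more than 30 days (threshold
# assumed) behind the host's: the host being current says nothing about the VM.
if ($hostSummary.LastPatch -and $guestSummary.LastPatch) {
    $lagDays = ($hostSummary.LastPatch - $guestSummary.LastPatch).TotalDays
    if ($lagDays -gt 30) {
        Write-Warning ("XP Mode guest {0} last patched {1:d}, host {2:d}: patch the guest separately." -f
            $guest, $guestSummary.LastPatch, $hostSummary.LastPatch)
    }
}
```

The guest's hotfix IDs are XP-specific, so the script does not try to diff the two lists; it reports counts and the most recent installation date per machine, which is enough to catch a VM that has quietly stopped receiving updates.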
Jacobs touted the progress that Microsoft has made with its Security Development Lifecycle but added that "XP Mode reminds us all that security will never be Microsoft's first priority." In an August post, Jacobs added that "Microsoft as a whole needs to be much more open about [security issues] or users are going to get a rude awakening in terms of management costs, unexpected security vulnerabilities and/or performance impact."
In a return shot, Windows developer and blogger James O'Neill said that people (like Jacobs) with the title of chief technology officer should have a "better grasp of the key facts before reaching for the insulting rhetoric." Roger Halbheer, Microsoft's chief security advisor for Europe, Middle East and Africa, also questioned Jacobs on his facts.
Sentrigo Scolds Redmond on SQL Server
Sentrigo announced last week that it had discovered a "significant vulnerability" in SQL Server. The company issued a statement describing a flaw that "allows any user with administrative privileges to openly see the unencrypted passwords of other users," including the credentials presented by applications accessing the server using SQL Server authentication.
Microsoft handled the Sentrigo allegation in a low-key manner but still discounted Sentrigo's claims. Microsoft's response didn't mention Sentrigo by name.
"We checked with the security researchers who reported the issue and they confirmed that this is an information disclosure issue requiring the attacker to first have administrative control of the installation," Jonathan Ness of Redmond's MSRC Engineering team noted in a security blog. "Therefore, we do not consider this a bulletin class vulnerability."
BeyondTrust: UAC in Windows 7
BeyondTrust pointed to Windows 7's User Account Control (UAC), a much-maligned security feature that was first introduced in Windows Vista. UAC has ongoing unresolved issues, even in Windows 7, the security firm claimed.
"Despite its good intentions, Vista's UAC was widely criticized due to its frequent user prompting, as well as application compatibility issues for standard users," BeyondTrust said in an e-mail statement just before Labor Day weekend.
As far back as February, Microsoft countered the notion that the UAC function was fundamentally faulty. That defense followed a demonstration by security researchers Rafael Rivera and Long Zheng of a technique that could turn off the UAC prompt, which normally notifies the user of changes about to be made to the computer, without the user seeing a prompt at all. Microsoft subsequently announced two planned changes to UAC in Windows 7.
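A practitioner reading about a technique that turns the UAC prompt off quietly wants a way to notice that it has happened. The PowerShell below is an added example, not code from the article, from BeyondTrust, from the researchers or from Microsoft; it reads the UAC policy values under the Policies\System registry key (value names and meanings as documented by Microsoft) and compares them with an expected baseline. The baseline values are an assumption (the Windows 7 defaults with prompting on the secure desktop) and should be replaced with whatever your own policy mandates.

```powershell
# Added example, not the article's or Microsoft's code: audit the UAC policy
# values so that a silently lowered UAC level is noticed. The Expected values
# are an assumption (Windows 7 defaults, prompt on the secure desktop).
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

$checks = @(
    @{ Name = 'EnableLUA';                  Expected = 1; Meaning = 'UAC enabled (0 = off after next reboot)' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Expected = 5; Meaning = 'admin prompt level (0 = elevate silently, never prompt)' },
    @{ Name = 'PromptOnSecureDesktop';      Expected = 1; Meaning = 'prompt shown on the secure desktop' }
)

$findings = foreach ($c in $checks) {
    $actual = $policy.($c.Name)          # $null if the value is absent
    $status = 'CHANGED'
    if ($actual -eq $c.Expected) { $status = 'OK' }
    New-Object PSObject -Property @{
        Setting  = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Status   = $status
        Meaning  = $c.Meaning
    }
}
$findings | Select-Object Setting, Actual, Expected, Status, Meaning | Format-Table -AutoSize

# The state to watch for is not only "UAC off" but "UAC on, prompt off":
# EnableLUA still reads 1, yet administrators elevate without any consent dialog.
if ($policy.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA is not 1).'
} elseif ($policy.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is on but administrators elevate silently (ConsentPromptBehaviorAdmin = 0).'
}
```

Run it from an elevated prompt on a Windows 7 or Vista machine; any row marked CHANGED, or either warning, means the UAC level has been lowered from the baseline and should be investigated rather than silently reset.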
Complaints as Marketing?
Complaints serve to keep vendors in the news. They also help Windows users understand problems that Microsoft doesn't want publicized or may have missed.
Such research claims and stabs at Microsoft are "cheaper than buying advertising for products and services," according to Phil Lieberman of Lieberman Software.
"In my experience, Microsoft tends to react proportionately to the amount of ink given to an issue brought up by vendors or the press," Lieberman said. "Real or fictitious threats all get a hearing and a response. They also react in proportion to the real risks but generally pretty quietly."
About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.