
Bill Gates will deliver a major speech today. He may have been embarrassed by the appearance of Microsoft source code on the internet, but Jay Heiser insists it was no big deal.

After the ludicrous estimates of MyDoom damage were proven false, you might think that Chicken Little would have the good grace to spend some quiet time in the coop. Unfortunately, the double whammy of Microsoft releasing a "critical" security patch and the leakage of some of its source code has wound the hype mill right back up again. Expect falling skies and the end of life as we know it.

Before taking Chicken Little's fowl advice and shutting down your e-commerce site, let us be realistic about the significance of the source code theft. Yes, it is security relevant, but it is not an event of life-changing significance.

First, having access to source code is useful in finding bugs, but it does not mean that any vulnerabilities it contains are immediately apparent, let alone exploitable. Years of debate within the specialist community over the security ramifications of releasing source code have yet to reach any useful conclusions, but it is important to remember that the December 2000 release of much of the Solaris 8 source code did not result in a spate of new Unix attacks.

Second, in "internet years" this stolen Windows 2000 and NT 4.0 code has been around for a while. Presumably much of it remains within XP, but a fully-patched XP box today benefits from a significant number of security fixes and re-engineering in security code. Thousands of people have been poking and prodding the binary version of this code for years, so it is pretty well picked over.

Third, of all announced vulnerabilities, fewer than 1% are ever exploited in significant ways. Even if access to this source results in the discovery of 100 new "vulnerabilities", the odds would be against any of them representing a significant opportunity for widespread attacks. It is a needless burden to assume that all vulnerabilities must be immediately fixed.

We have already seen one, and over the coming weeks, more hackers and "security researchers" will announce that they have discovered security holes in this source code, claiming profound ramifications. History demonstrates that these people are much cleverer at hacking than at estimating risk implications for the business.

Interpreting every piece of bad news as the precursor to disaster is counterproductive, sending the message to the user-base, management, law enforcement and general public that everything they read about information security is hype. The next time a real information security wolf arrives, I hope the much-abused internet villagers do not ignore the warnings.

If you are concerned about this latest Microsoft embarrassment, maybe it is a legitimate subconscious concern that your security house is not in order. The most important thing you can do is concentrate on the basics. Organisations that figure out which practices are essential and implement them consistently across the enterprise will maintain a low rate of security failure, even in an ever-changing threatscape.

Jay Heiser is principal analyst at TruSecure