Microsoft may take the most heat on security vulnerabilities, but other software vendors need to catch up when it comes to dealing with flaws found in their products, according to users and analysts interviewed last week.
Many credited Microsoft for having made good progress in its efforts to develop a formal strategy for addressing vulnerabilities in the four years since Bill Gates, the company's chairman and chief software architect, announced its Trustworthy Computing initiative in January 2002. But the same isn't true for Oracle and other vendors that are lagging behind Microsoft when it comes to vulnerability discovery, remediation and disclosure processes, the users and analysts said.
"I think Microsoft has developed a strategy and a vision around security and vulnerabilities that they just didn't have a few years ago," said Lloyd Hession, chief security officer at BT Radianz, a New York-based provider of telecommunications services to financial firms. "It's hard to point to a single vendor who is doing a better job."
Policies for responding to the discovery of security flaws are taking on increased importance as database, application and networking software become more prominent targets of cyberthreats that previously were aimed at operating systems, particularly Windows.
For instance, more than one-third of the top 20 Internet security vulnerabilities listed by the SANS Institute as part of an annual report released in November involved flaws found in application, security and data backup software.
Earlier this week, Oracle released a quarterly roundup of software patches designed to fix 82 vulnerabilities -- many of them rated "critical" by the company. Cisco Systems also issued patches this week for several flaws affecting its routers and Call Manager software. And EMC released patches for its NetWorker backup software to fix security problems that could lead to a system crash or unauthorized remote access.
Such disclosures highlight the fact that Microsoft isn't the only vendor with security problems, although it often gets the most criticism, said Steven Gelfound, IT director of the National Center for Missing & Exploited Children in Alexandria.
"They're just in a situation where everyone is gunning for them," Gelfound said. "[But] it's not that any one operating system or application is more secure than the other. Given enough time and computing resources, you can crack just about anything out there."
In fact, based on information provided by each of the vendors, Microsoft disclosed a total of 12 vulnerabilities over the past three months, compared with 167 for Oracle, 18 for Cisco and eight for Sun Microsystems.
Center of attention
A lot of the attention that Microsoft gets has to do with the fact that its security vulnerabilities typically "cause the most pain" because of its huge user base and the arduous task of patching desktop PCs, especially inside large companies, said John Pescatore, an analyst at Gartner.
Microsoft is also an obvious target for malicious hackers, who often put the company's flaws in the public eye. For instance, users earlier this month pressured the company to release a patch for the so-called Windows Metafile flaw in advance of its usual monthly security updates because attackers were actively trying to exploit the vulnerability.
Because of those factors, "Microsoft is held to a higher standard, which lets other vendors get away with practices that Microsoft would have gotten creamed for," Pescatore said. Oracle, for one, rarely divulges the details of the vulnerabilities in its products as completely as Microsoft does with its flaws, according to Pescatore. That makes it hard for Oracle users to do risk assessments or prioritize their patching plans, he said.
"Oracle has sort of this 'Trust me, I know what I'm doing' attitude with their customers," said Jon Oltsik, an analyst at Enterprise Strategy Group in Milford, Mass. "With the security community, they've got an antagonistic attitude. As more difficult or esoteric attacks begin to happen, that's not a recipe for success."
Patch quality also remains a big issue for Oracle, said David Litchfield, managing director of Next Generation Security Software, a security research firm in Surrey, England. "Every critical patch update so far has been flawed in some fashion or the other and has been rereleased multiple times," said Litchfield, whose firm has uncovered several vulnerabilities in Oracle products, including one covered by this week's patch release.
Vendors such as Cisco, Sun and Red Hat also aren't as forthcoming as Microsoft in sharing vulnerability information that can help users mitigate their exposure to threats, said Michael Sutton, director of VeriSign's iDefense Labs unit in Reston, Va.
Some vendors have gone to great lengths to prevent security researchers from disclosing details about certain vulnerabilities. Last July, Cisco won a court injunction preventing a researcher from publicly discussing a hack of its router software. The company even compelled the organizers of the Black Hat USA conference to destroy CDs and rip out more than 30 pages containing slides about the vulnerability from the conference proceedings. Last March, Sybase Inc. temporarily threatened to sue Litchfield's firm if it published details on eight security flaws in Sybase's database software.
Cisco and Sun don't follow a regular schedule for releasing patches and instead roll them out as fixes for flaws become available, which makes the patching process less predictable for users, analysts said. In addition, Cisco doesn't rate its flaws, leaving it up to IT administrators to decide how serious a vulnerability may be.
"Of all the vendors we deal with, Microsoft is one of the best in terms of the processes they have in place" for addressing security threats, Sutton said. That includes having formal procedures for vulnerability discovery and assessment, patch development, testing and automated distribution, as well as a predictable patching cycle, he said.
Microsoft has also shown a growing willingness to work with security researchers who discover flaws, according to users and analysts.
Because of such efforts, Gartner no longer believes that there is any difference as far as security is concerned between Windows Server 2003 and rival operating systems such as Solaris, HP-UX and AIX, Pescatore said. But, he added, the planned launch of Windows Vista later this year will be a key milestone in Microsoft's effort to prove that it has made real progress on improving its security procedures. "It will be the first desktop OS to ship after they said they are getting serious about security," Pescatore said.
"Their biggest problem now is trying to get past all of the negative legacy perceptions," said Hugh McArthur, director of information systems security at Chantilly, Va.-based Online Resources Corp., which offers online banking and bill payment services to the financial industry. McArthur added that he would give Microsoft "an A for effort and a B+ for execution" on security issues.
Executives at Oracle and Cisco defended their companies' security approaches.
Oracle's vulnerability remediation and response strategies are very customer-focused, said Duncan Harris, the company's senior director of security assurance. He said Oracle's decision to move to a quarterly update schedule last January was based on feedback from database administrators, who said they would prefer a longer gap between updates.
Similarly, Oracle's decision to limit the amount of vulnerability information it discloses is driven solely by the interests of users, Harris said. "Our advisories are for our customers' benefits," he said. "They are not for the benefit of the security community." Harris claimed that more complete disclosures of the sort issued by Microsoft only increase the security risks faced by users.
Oracle's centralized vulnerability handling group has been working over the past two to three years to ramp up its processes for developing, testing, porting and distributing patches, Harris said.
Cisco officials have said that their response to the vulnerability disclosure at the Black Hat conference was reasonable because they were trying to protect the vendor's intellectual property and prevent the release of information that attackers could use as instructions for targeting routers.
This week, Mike Caudill, Cisco's product security incident manager, said Cisco plans to continue releasing security fixes as they become available instead of making users wait for periodic updates. And it's unlikely that Cisco will start rating the severity of its flaws.
"Our approach is to explain the risk and not say if it's a 'red' or a 'yellow' or a 'green,'" Caudill said. "We'll explain the problem and let customers decide" what to do.
Caudill said Cisco has a long tradition of working with security researchers who find vulnerabilities in its products. But, he added, researchers need to be more consistent in the manner in which they disclose flaws to vendors.