[SECURITY-L] Windows security scanner in the works

Daniela Regina Barbetti daniela em ccuec.unicamp.br
Qui Fev 21 15:23:20 -03 2002 

----- Forwarded message from Jacomo Dimmit Boca Piccolini <jacomo em cais.rnp.br> -----

From: Jacomo Dimmit Boca Piccolini <jacomo em cais.rnp.br>
Subject: [S] Windows security scanner in the works 
To: <seguranca em pangeia.com.br>
Date: Thu, 21 Feb 2002 10:56:02 -0300 (EST)

Noticias - Centro de Atendimento a Incidentes de Seguranca (CAIS/RNP)
---------------------------------------------------------------------

[fonte:http://news.com.com/2100-1001-841770.html?legacy=cnet&tag=pt.rss..feed.ne_8868487]

Windows security scanner in the works

By Robert Lemos
Staff Writer, CNET News.com
February 20, 2002, 6:00 PM PT

SAN JOSE, Calif.--As part of a push to regain the public trust, Microsoft
plans to release a wizardlike program to help home software users and
network administrators protect their computer systems from outside attack.

Called the Baseline Security Advisor, the program will scan Windows
computers for unpatched programs, weak passwords and vulnerabilities in
the operating system and in several Microsoft products.

"Our goal is to allow (home) users to check their own machines," said
Jason Shaw, lead product manager for Microsoft. "Company administrators
can also use it to check their entire network."

Although Microsoft has not yet released the product, the software titan
showed off an early version of the scanner at its booth at the RSA
Conference 2002 here. Shaw said the program will be available for free
download from Microsoft's Web site in March.

The scanner is the latest move by the software giant to beef up Windows
security. Microsoft was stung by a series of embarrassing flaws in 2001
that demonstrated how vulnerable some of the company's products were to
outside attack. In mid-January, Chairman Bill Gates wrote a memo exhorting
the company's employees to smack bugs to earn customers' trust in
Microsoft software.

While other companies have come out with scanners, none has the reach of
Microsoft. Many other scanners are also designed to sniff out
vulnerabilities in other software.

"It won't matter what we do now and in the future if people don't trust
computers," Craig Mundie, Microsoft vice president and chief technical
officer for advanced strategies and policy, said during a Wednesday
afternoon keynote address.  "This is not a new initiative at the company;
there has been a lot of people at it for a long time."

Microsoft has trained more than 9,000 of its programmers and developers in
secure coding techniques since last fall, Mundie said. The company has
also had outside security consultants pick through the source code for
Windows, the .Net Web services framework and .Net server.

"For all of us, this cycle really has no end," Mundie said. "Programmers
today are still human beings, and despite training them, it is difficult
to get them to look to the future."

Sometimes the effort to better secure against attack makes it difficult
for software users to take full advantage of the software they receive.
For example, Microsoft's latest operating system, Windows XP, includes the
company's Web server software, IIS 5.1. Unlike past versions, the Web
server is turned off by default, protecting the software user from
potential security problems posed by a Web server.

The new Microsoft Baseline Security Advisor (MBSA) adds user education and
an additional check for Windows users who want to ensure that their
systems are up-to-date on patches from Microsoft, are using good password
policy, and are aware of any insecure settings.

Unlike many vulnerability scanners, the MBSA doesn't take the role of an
attacker and look for vulnerabilities. Instead, the scanner acts as an
expert administrator looking for problems on the Microsoft security
checklist.

The MBSA downloads a 700KB vulnerability and patch database from Microsoft
that the company has created in Extensible Markup Language, or XML. XML is
a popular Web standard by which businesses can easily exchange data
between employees, customers, partners and suppliers. The software giant
intends to maintain the database and provide the software for free.

Considering that Microsoft has a group studying the feasibility of diving
headfirst into the security marketplace, a full-featured service may also
be in the works.


----- End forwarded message -----

Mais detalhes sobre a lista de discussão SECURITY-L