Security and Microsoft and .Net

“Microsoft is insecure!” have you heard that before? Yes of course. Everyone is talking about Microsoft products being in-secure. Well very few have actually questioned the fact. What is the cause behind this belief among the computing community?

 

Well the possibilities could be many. One possibility that goes around the Microsoft communities is that all the computing schools and colleges teach computing in Non-Microsoft technologies, like Unix. Now when they grow up and enter the industry, and see technologies like .Net and Longhorn, they get overwhelmed. Overwhelmed by the rate at which technology is growing. Overwhelmed by its speed and magnanimity.

 

They want to go back into their safe and secure domain in which they were brought up. So they sub-consciously find ways to downgrade Microsoft Technologies.

 

Another reason why Microsoft is thought of as insecure is that it comes up with a security patch every other day. Now if it needs to send a security patch every other day, it creates a feeling that the operating system is inherently insecure. Microsoft has realized that its reputation is deteriorating because of this belief and has taken this issue very seriously. In fact last year Bill Gates even issued a memo saying that security would be Microsoft’s top criteria. And later Microsoft even had a security lockdown when every developer had to stop whatever they are doing and had to identify security aspects in their code bases.

 

Every activity that is happening at Microsoft since last year has security as its primary focus. And .Net has a major hand in it. A classic example given in .Net newsletter May 15 2004 goes like this.

 

“The C run time library string handling routines are flawed because, in general, they do not have protection against buffer overruns. To counter this, Microsoft generated the strsafe.h file of safe string-handling routines. These routines were developed in direct response to the security lockdown at Microsoft.

 

Of course, string buffer overruns are not a problem with .NET because of the design of the System::String class. Even if it was possible to access past the end of a string buffer in managed code, this still would not allow a hacker to control your process because string buffers are never allocated on the stack. Even if string buffers were allocated on the stack, a buffer overrun would not give access to the stack because the .NET run time manages access to the stack. Finally, and importantly, .NET applies validation, verification, and code access security checks on all .NET code, and through these checks it determines whether the code has been altered, whether the code plans to do something unsafe, and how much the run time trusts the code and hence what it is allowed to do.”

 

.NET is inherently secure, it has had security built in from the bottom up. As more and more applications are built using .NET, most security breaches will disappear. As more and more parts of Windows are implemented using .NET, the operating system will get more and more secure.

 

The .Net framework was made this way because the Microsoft developers discovered that security holes were natural because of the code is located, loaded and executed. Before windows can be made more secure, they had to change the way the code was loaded and executed.

5 Comments

  • I hope you are kidding.

    A "buffer overflow" is the same thing in any language. An unchecked buffer is the same thing in any language. Saying that programmers write bad .Net software because they studied Unix is nothing but bu*?%hit.



    However I can see something in your point: a programmer "born" (tecnologically speaking) with VB3 will be more "error prone" than his colleague who studied C++, if they both try to work with C#.

  • One of the reasons for this belief is that at one time Microsoft products WERE insecure - there's no getting away from that. Don't believe me - put an unpatched NT4 system on the internet - you've got maybe...30 seconds before it's wasted. In a lot of ways Microsoft was a victim of it's own success, it was forced to add a TCP/IP stack in a hurry to early versions of Windows, unfortunately Windows really wasn't designed for multi-user use (WFW 3.11 was so easy to crack I never used to have to remember my password), unfortunately this rush meant that they left the system exposed to attack.

  • The irony is that still to this day the penguinistas and Unix zealots constantly accuse MS of FUD while they're out there referring to the insecurities of Windows because the last windows they used was 95/98.



    What MS needs to do is to educate the press a little and show them the great things it's doing -- the least of which is .NET.



    MS really screwed the pooch with their first .NET marketing drive by confusing all the PHB's about what .NET was exactly. They then renamed a bunch of non-managed products '.NET' which added to the confusion.



    Now that the memory has faded, it's probably time MS comes back and markets .NET properly and a clear message about code access security, the end of buffer overruns, unsecure code, etc.

  • In order to avoid Chad's "irony", I'll point out that I use Linux, Solaris, and Windows 2000 at work, and I use Linux and Windows XP with SP2 RC1 at home. I program in several languages on both platforms, including ASP.NET. I agree that C# and the .NET initiative are some great things, and are bound to help shape application architectures in the Unix world as well.



    But you've made several poor assumptions. Very few (if any) High Schools use any Unix derivative to teach programming. Every one I know of uses Windows and Visual Studio. More and more colleges are moving towards a Windows-based approach for Computer Science as well (I'm a CompSci graduate from RPI, and by the time I graduated in '02, there were only two or three Unix labs left, out of the dozens that were there when I matriculated.)



    You also say that "Another reason why Microsoft is thought of as insecure is that it comes up with a security patch every other day." This is demonstrably untrue. Microsoft comes out with security patches once every few weeks, and it often takes them weeks if not months between the publication of an exploit on the Web and its patch. The Open Source community's ability to release patches almost immediately after the discovery of the security hole (for example, yesterday's CVS vulnerabilities) is its greatest advantage over Microsoft.

  • The college point of view. I still know a lot of colleges that have UNIX as there base operating system. Secondly, agreed most of the schools and colleges are moving towards the Microsoft platform. Primary reason, Ease of use on the Microsoft Platform is much better than other systems. Focus on Functionality rather than Usability. Besides, Microsoft is taking some serious action in educating the student community, regarding the latest Technologies.



    Second point. The people downgrading Microsoft communities are experienced professionals who passed out during the UNIX days. Before the opinions are formed, it is the grapevine that hits the young minds... that was my point...



    Third if you are talking about the open source community being fast and prompt, let me tell you I am a great fan of open source community too. But you can't deny the fact that you have to be very very organized to actually implement a software project to full maturity. There are scores of projects that are abandoned midway. One look through source forge will tell you how many projects are standing still since last 2-3 years.



    Last but not the least, whether you go for open source or Microsoft product, it is your choice and surely you are going to follow it religiously. I didn't start this post as a debate between Microsoft and open source. The sole intention was to discuss how .Net is adding on to make Microsoft Technologies more secure and reliable. There are so many other initiatives that Microsoft is taking to make technologies more secure, like trust worthy computing. Discussing those initiatives and learning in the process was the primary goal. Let us keep it that way.

Comments have been disabled for this content.