Microsoft (and others) Just Don't Get It
Microsoft apparently doesn't like to listen to, and then dialog with, its most sophisticated users when it comes to security issues, to name just one way it is failing as a business in the Information Age. A security vulnerability in SQL Server, Microsoft's premier database management application (which competes with products like Oracle, MySQL, and others), was discovered and reported in the linked article. In a nutshell, this vulnerability allows a user with administrative privileges on SQL Server to access other users' passwords, though not without some "hacking" to do so. In any case, Microsoft has refused to fix the problem because it doesn't care about its users.
While most administrators of a SQL Server box, and the users of such a system, certainly WON'T lose sleep over this issue, some will. Think of the company that is having a hard time making ends meet and has decided to begin layoffs. The admin of a SQL Server system might go rogue and decide to screw up some employee accounts, or steal data from systems they may not have access to. How would they go about doing so? Just steal the passwords of users on the SQL Server that they DO have access to! Now they can remotely log in to the network as that other user, do whatever damage they wish, and when they are laid off it is much harder to point the finger back at the real person who did the damage.
So is Microsoft justified in calling this such a minor issue that they don't need to address it? Certainly not! Open source software projects address these kinds of seemingly minor security vulnerabilities all of the time, and listen to their users! This is why Microsoft is making a foolish move in this case. Sure, the potential for harm is low, but if a bunch of volunteers working on open source projects in their spare time can make the time to fix such issues, then certainly paid software engineers of one of the largest, most successful software companies in the world should be able to do the same - and much faster, too! But they are not.
Which brings me to my conclusion about this whole "kerfuffle": it is not simply a kerfuffle, but instead just another indicator of how Microsoft, and many other businesses run by people who grew up prior to the Internet revolution, do not appear to fully grasp the Information Age. They don't seem to understand how the Information Age has changed the conversation in the marketplace. People are not simply consumers anymore, or at least they don't want to be in most cases. They want to produce goods, services, and experiences even as they are using goods and services and participating in experiences. They want to be a part of the story. And in this particular case, Microsoft is once again viewing people as simple consumers, and is not listening to how those people wish to add value back into the products they use in their own stories. Microsoft should be more responsive, and find a way to allow those "consumers" to be participants in the process of creating the products that it sells - hence, part of the story of what makes Microsoft great. Google, Amazon, and other companies understand this dynamic - why can't Microsoft?


Comments
It's not as bad as you make it sound. I agree w/ MS on this one.
It's only SQL passwords this gives access to. So you can only steal SQL data--not domain accounts. And MS is right that if you're an admin, you already have rights to all that usually. So if you can't trust a "rogue admin", they shouldn't have been an admin in the first place. And knowing that isn't Microsoft's responsibility--it's yours.
Also, I didn't read the original bulletin, but I assume it still only gives the encrypted passwords. So the admin would still have to brute force (or do a dictionary lookup, as there are some sites for that) to get the original. And that would still only be helpful if the user doesn't use unique passwords and re-uses that one other places. That is a somewhat valid point, but I don't think one that is something Microsoft needs to prohibit. In fact, it's much more common for admins to legitimately need low-level access to passwords when certain passwords are forgotten or lost.
So, I have to disagree with you on this one. MS didn't fail on this one.
Jon Adams
Ah, let me explain further
Suppose you have a SQL Server password that is the same as your Windows NT network domain login ID and password, as is the case in probably more businesses than we care to know about. Let's say that in this case, you've already locked down that "rogue admin" to just the SQL Server box, but the rogue admin then figures out how to get access to all of those lovely SQL Server user login ID/password combinations, which they can then use to breach the security of the Windows NT network domain. Let's also assume that certain other users have automatic access (via their Windows NT network domain login) to OTHER SQL Server boxes that contain customer personally identifiable data, financial records, health records, etc. Now you've got a rogue admin with access to more or less all of the company's data, having spent no more than 8 hours (maybe? probably no more than 15 min.) to gain such unrestricted and unauthorized access.
Again, I'm surprised not by the likelihood that this kind of edge case would ever occur - I would bet it would only happen once every couple of years, by one rogue admin at one company at the most - but that Microsoft just doesn't want to be bothered to fix the problem. The company that found the problem even created a workaround for the issue, but instead of thanking that company and promoting the workaround to SQL Server customers, Microsoft has chosen to bury its head in the sand and claim it's not that big of a problem. Not that big of a problem, yes, but obviously it has generated negative press toward Microsoft, and I am contending in my article that in the 21st century, not all press is good press in the eyes of those whom you call "customer."