Why is it that we hear of so many attacks on Microsoft products, despite the
"Trustworthy Computing" initiative Gates announced a year ago? Attacks on
Microsoft’s operating systems and applications are far more frequent than
attacks on Linux or Macintosh systems.
"One of the many problems in the security initiative is that it fails to address
pre-2001 legacy systems that are still deployed. Three operating systems (Windows 95,
Windows NT 3.51 and Windows NT 4) are no longer supported. That means no patches
or updates are available for them," says Govind Menon, technology writer. The
company’s patching strategy is simply not working. "A major problem is that
Microsoft is taking too long to fix patches," says Vaidhy G Mayilrangam, Senior
Technical Leader, Aztec Software.
"Opera Software released an updated build of its Opera 7 browser after
GreyMagic Software pointed out some serious security vulnerabilities. The time
taken: four days (issue reported Friday, updated version released Monday).
Microsoft has never been able to better that kind of turnaround despite being a
bigger company with more people, systems and money (or maybe that size is part
of the problem)," adds Menon. "The patching schedules seem to be a ‘marketing
(we’ve got to do something)’ versus ‘development (we’ve got to build and test it
first)’ conflict. Marketing wins, since the company’s public face depends on
making an effort to release a patch. It’s a fact of software marketing today:
you’ve got to release buggy apps because if you don’t you’ll get left behind.
You are also forced by user demand and stock prices to release inadequately
tested updates."
Systems administrators treat patches with skepticism and simply do not
install them if they can help it. Are they to blame?
"You decide. I recently experienced a poor update firsthand. MS
Installer v2 (released late 2001) was incompatible with Installer v1 versions,
broke most software (you couldn’t uninstall) and was finally withdrawn for all
platforms except Windows XP. I was an informed user who managed to recover. What
about the less experienced who faced, and still suffer from, its fallout? Another
example is the SQL Server patch itself. We have production SQL database servers
for site testing. Although they don’t connect to the Internet, we need to
install all updates so that they mirror clients’ boxes. The SQL Slammer update
from Microsoft actually blocked *all* requests to the SQL box. Luckily, we were
able to manually roll back the update and restore services," says Menon.
A very fine line separates usability from security, and Microsoft seems to
have strayed too far from security. Its feature-centric approach has led to
many of its security problems. "It’s also true, to some extent, that
Microsoft’s dominant market position leads to security flaws," say both Menon
and Vaidhy. Linux and the Mac OS have fewer bugs, and any innate design flaw in
Windows reaches nearly every Wintel PC on the planet.
Should Microsoft review its software code line by line and clean it up? Years
of service packs, patches and re-patches have left Windows products buggy and
vulnerable to attack. "That’s a tall ask. The basic Windows OS would have a
minimum of 50 million lines of code, as compared to Linux, which has about 12
million," says Vaidhy. More rigorous testing by independent third parties, a
fresh look at the design of Windows, and avoiding code-sharing between
applications and the OS are some measures that could salvage the company’s
security record.