Still Hardly Trustworthy?

Security is a priority at Microsoft, especially if it's for Microsoft.

By

CSO, February 27, 2003. It was almost a year ago that this column told you to remain skeptical of Microsoft's claims on security. The advice stands. Here's a progress report.

The good: Microsoft seems genuinely interested in security.

This could be because, as the head of CERT Rich Pethia said to me, "There's a ton of money to be made." That's OK. You'll take it. Microsoft has marketed other ventures (storage comes to mind) purely for the value of saying it does them, without actually caring much about doing them.

The security effort seems at least a little more earnest than that. Microsoft has added outside audits of its code and has paid for security training for most of its developers. But please don't be impressed by the $200 million the company keeps reminding us it spent. It's nice, and necessary, but it's also a fraction of the billions of dollars in damage that Microsoft's insecure products seem to have been party to over the years.

The bad: Slammer.

Everything about the recent affair suggests that Microsoft's security initiative is, to some extent, lipstick on a pig. Back in 1999, the Melissa virus exploited what Microsoft insisted was an Outlook feature: exposing the address book to script, which could forward mail without any user intervention. Four years later, a SQL Server engine on every machine is a feature of Microsoft's design ethos, meant to make the Microsoft experience across applications better, even though it has plainly come at a cost in security. And SQL Server engines are everywhere, for architectural reasons. There's a SQL Server desktop engine running in the background of many PCs. It's in games. It's in some anti-virus software. And what did Slammer, the fastest-spreading worm seen to date, exploit? SQL Server. Plus ça change.

Then there was the patch for the hole Slammer exploited, six months old and so kludgy that one anti-virus company reported that some Microsoft engineers themselves were unable to install it properly. The patch, it turned out, needed a patch. This served to highlight the sheer awfulness of patching in general as a response to bad software. Microsoft's patching hierarchy is particularly convoluted. Consider this user question, posed to a third-party services firm in a security newsletter late last year:

How do I know when I need to re-apply a security roll-up patch (SRP)? For example, applying IE6 SRP1, do I then need to re-apply Win2K Service Pack 2? When applying hotfixes, do I need to re-install them after more recent SPs?

The answer took up a page-and-a-half.

The frustrating: Microsoft does what it takes. For itself.
