Opinion
In Defense of Microsoft and Windows 7
Microsoft raised some eyebrows last week when its Patch Tuesday release included fixes for Windows 7. CSO Senior Editor Bill Brenner explains why it's not really that big a deal and why Microsoft deserves more credit than it gets.
By Bill Brenner, Senior Editor
October 21, 2009 — CSO —
I've been here before. It's the eve of a major new Windows release. Microsoft has made much out of the security improvements in its latest OS makeover, and anticipation is high that the dregs of Hackerville have finally met their match.
Then rumors trickle out of the blogosphere that there may already be security holes in need of patching. Then the next Patch Tuesday cycle comes along, and the rumors become fact.
So it was in 2004 when Microsoft rolled out Windows XP Service Pack 2 amid a mountain of hype over its supposedly ironclad defenses. So it was a couple of years ago when vulnerabilities and patches immediately followed the release of Vista. Last week history repeated itself when Microsoft included patches for Windows 7 in its October 2009 security update.
Gregg Keizer, my colleague from Computerworld, reported that "Microsoft patched nine vulnerabilities, five marked critical, in Windows 7, a move that will require users upgrading to the new operating system starting Thursday to download a security update to keep their PCs secure."
I'm not surprised, nor am I really that concerned.
No one should expect security perfection in Windows 7 or any other OS from any other vendor for that matter. These are platforms created by humans. Humans will always make mistakes, no matter how much wisdom we accumulate over time. Expect many more patches for Windows 7 in the future, but don't let that stop you from deploying it.
Microsoft has been subjected to plenty of criticism over security in recent years, and a lot of it has been deserved, especially in the years before Bill Gates launched the Trustworthy Computing Initiative in early 2002. Windows was an all-too-easy target for the bad guys, who happily slammed users of the OS with such worms as Code Red and Nimda.
But Microsoft security has come a long way since then. Sure, each OS refresh has failed to eradicate vulnerabilities. Hackers have successfully exploited more recent flaws in the pursuit of data to steal and identities to defile. But Microsoft has gotten much better at communicating the threats and offering users concrete steps to blunt the blow.
For one thing, its monthly security bulletins have gotten a lot easier to digest, with straightforward summaries, the full list of operating systems affected, and FAQs. Meanwhile, Microsoft has launched a number of blogs to keep users informed of ongoing security threats and mitigation steps. One example is the Microsoft Security Response Center blog.