In Defense of Microsoft and Windows 7

I’ve been here before. It’s the eve of a major new Windows release. Microsoft has made much out of the security improvements in its latest OS makeover, and anticipation is high that the dregs of the Hackerville have finally met their match.

Then rumors trickle out of the blogosphere that there may already be security holes in need of patching. Then the next Patch Tuesday cycle comes along, and the rumors become fact.

So it was in 2004 when Microsoft rolled out Windows XP Service Pack 2 amid a mountain of hype over its supposedly ironclad defenses. So it was a couple years ago when vulnerabilities and patches immediately followed the release of Vista. Last week history was repeated again when Microsoft included patches for Windows 7 in its October 2009 security update.

Gregg Keizer, my colleague from Computerworld, reported that “Microsoft patched nine vulnerabilities, five marked critical, in Windows 7, a move that will require users upgrading to the new operating system starting Thursday to download a security update to keep their PCs secure.”

Related articles:

Microsoft Delivers Massive Patch Tuesday, Fixes 34 Flaws

Microsoft Issues First Windows 7Patches

The Patch Tuesday Survival Guide

I’m not surprised, nor am I really that concerned.

No one should expect security perfection in Windows 7 or any other OS from any other vendor for that matter. These are platforms created by humans. Humans will always make mistakes, no matter how much wisdom we accumulate over time. Expect many more patches for Windows 7 in the future, but don’t let that stop you from deploying it.

Microsoft has been subjected to plenty of criticism over security in recent years and a lot of it has been deserved, especially in the years before Bill Gates launched the Trustworthy Computing Initiative in early 2002. Windows was an all-to-easy target for the bad guys, who happily slammed users of the OS with such worms as Code Red and Nimda.

But Microsoft security has come a long way since then. Sure, each OS refresh has failed to eradicate vulnerabilities. Hackers have successfully exploited more recent flaws in the pursuit of data to steal and identities to defile. But Microsoft has gotten much better at communicating the threats and offering users concrete steps to blunt the blow.

For one thing, its monthly security bulletins have gotten a lot easier to digest, with straightforward summaries, the full list of operating systems affected and FAQs. Meanwhile, Microsoft has launched a number of blogs to keep users informed of ongoing security threats and mitigation steps. One example is the Microsoft Security response Center blog.

Microsoft also eliminated a lot of chaos for IT security administrators six years ago when it instituted its monthly Patch Tuesday cycle. [See also: In Six Years of Patch Tuesdays, 400 Security Bulletins, 745 Vulnerabilities] Many IT security administrators have told me that the set schedule has made it much easier for them to develop orderly patch deployment procedures for their environments. The company has not shied away from breaking out of its cycle when necessary, however. In July, for example, it issued emergency Windows patches on the spot after researchers at Black hat 2009 found a way to bypass critical security controls in Internet Explorer.

And for all its remaining faults, the software development process is much more security-focused than it was a few years ago, thanks in part to its Security Development Lifecycle (SDL).

When Windows 7 is officially released this week, the world of security won’t change. New flaws will continue to be discovered and Microsoft will keep releasing patches. This will continue to be the case in the years ahead, when future versions of Windows are released.

IT security practitioners should not get caught up in counting every flaw found in Windows 7 going forward. Their time will be better spent doing what they do already — maintaining layered defenses, keeping their patch deployment process updated and, perhaps most importantly, educating users on the dangers they can unlock if they visit the wrong websites or lose themselves too freely in the myriad applications available to them — applications attackers are increasingly targeting instead of launching frontal assaults on Windows itself.

It’s also useful to remember that a company faces just as much risk from misconfigured systems — if not more so — as it does from the latest Windows flaw. 

Human error is as rampant in the typical IT shop as it is within the walls of Microsoft.

Of course, it won’t hurt to keep nudging Microsoft to continue improving its code-writing process.