Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Virus and Vulnerability Roundup
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Shameless

May 3, 2004 12:00 PM ET

Computerworld - It's your fault. Yeah you, Mr. or Ms. Corporate IT Person. Microsoft says it's your fault, and the fault of your users, that there are so many security problems with Microsoft software. Oh, sure, there are security holes in Microsoft products. But Microsoft does patch them -- eventually. And unless corporate IT does a better job of promptly applying those patches, as well as training users in safe computing practices -- well, there's only so much Microsoft can do.
Yes, at Microsoft irony is dead. And so, apparently, is shame.
See, last week a high-level Microsoft manager named Jonathan Perera was making the it's-your-fault-too pitch at the Infosecurity Europe conference in London. At exactly the same time, security companies were reporting a new round of attacks on Microsoft products, including IIS and Exchange Server, based on yet another Microsoft buffer overflow vulnerability.
Microsoft had issued a patch for that security hole just two weeks earlier. But the hole is in every version of Windows NT and XP Pro that has shipped since Windows NT 4.0 in 1996.
In other words, it took Microsoft almost eight years to find and fix this hole -- a hole that exists only because of Microsoft product development policies that in another profession would be called malpractice. But now we're told it's corporate IT's fault too, because in two weeks we haven't patched the 12.5 million servers and 200 million client PCs affected. (That's the current Windows NT, Server and XP Professional installed base, according to IDC.)
Why haven't we patched them? Everybody knows the answer: because of the cost. There's such a continuous stream of patches from Microsoft that we can't afford to apply every patch immediately.
Why doesn't Microsoft get it right the first time -- or the second time, or the third -- so all those patches won't be necessary? Remember, this most recent security hole has survived code reviews for several generations of Microsoft products, including the supposedly improved security vetting Microsoft has put in place since the start of its Trusted Computing initiative.
The answer is the same: the cost. A buffer overrun isn't a subtle bug, and it's not hard to spot -- if you're looking. But Microsoft doesn't want to spend the money to carefully examine every line of code before it ships. That would just be too expensive.
Microsoft would rather wait until hundreds of millions of copies are in use -- so we're the ones who pay for applying those patches.
Of course, customers will foot



Jump to comments

Viruses

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.