Computerworld - It's your fault. Yeah you, Mr. or Ms. Corporate IT Person. Microsoft says it's your fault, and the fault of your users, that there are so many security problems with Microsoft software. Oh, sure, there are security holes in Microsoft products. But Microsoft does patch them -- eventually. And unless corporate IT does a better job of promptly applying those patches, as well as training users in safe computing practices -- well, there's only so much Microsoft can do.
Yes, at Microsoft irony is dead. And so, apparently, is shame.
See, last week a high-level Microsoft manager named Jonathan Perera was making the it's-your-fault-too pitch at the Infosecurity Europe conference in London. At exactly the same time, security companies were reporting a new round of attacks on Microsoft products, including IIS and Exchange Server, based on yet another Microsoft buffer overflow vulnerability.
Microsoft had issued a patch for that security hole just two weeks earlier. But the hole is in every version of Windows NT and XP Pro that has shipped since Windows NT 4.0 in 1996.
In other words, it took Microsoft almost eight years to find and fix this hole -- a hole that exists only because of Microsoft product development policies that in another profession would be called malpractice. But now we're told it's corporate IT's fault too, because in two weeks we haven't patched the 12.5 million servers and 200 million client PCs affected. (That's the current Windows NT, Server and XP Professional installed base, according to IDC.)
Why haven't we patched them? Everybody knows the answer: because of the cost. There's such a continuous stream of patches from Microsoft that we can't afford to apply every patch immediately.
Why doesn't Microsoft get it right the first time -- or the second time, or the third -- so all those patches won't be necessary? Remember, this most recent security hole has survived code reviews for several generations of Microsoft products, including the supposedly improved security vetting Microsoft has put in place since the start of its Trusted Computing initiative.
The answer is the same: the cost. A buffer overrun isn't a subtle bug, and it's not hard to spot -- if you're looking. But Microsoft doesn't want to spend the money to carefully examine every line of code before it ships. That would just be too expensive.
Microsoft would rather wait until hundreds of millions of copies are in use -- so we're the ones who pay for applying those patches.
Of course, customers will foot the bill in either case. If the code is
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts