Skip the navigation


By Frank Hayes
May 3, 2004 12:00 PM ET

Computerworld - It's your fault. Yeah you, Mr. or Ms. Corporate IT Person. Microsoft says it's your fault, and the fault of your users, that there are so many security problems with Microsoft software. Oh, sure, there are security holes in Microsoft products. But Microsoft does patch them -- eventually. And unless corporate IT does a better job of promptly applying those patches, as well as training users in safe computing practices -- well, there's only so much Microsoft can do.
Yes, at Microsoft irony is dead. And so, apparently, is shame.
See, last week a high-level Microsoft manager named Jonathan Perera was making the it's-your-fault-too pitch at the Infosecurity Europe conference in London. At exactly the same time, security companies were reporting a new round of attacks on Microsoft products, including IIS and Exchange Server, based on yet another Microsoft buffer overflow vulnerability.
Microsoft had issued a patch for that security hole just two weeks earlier. But the hole is in every version of Windows NT and XP Pro that has shipped since Windows NT 4.0 in 1996.
In other words, it took Microsoft almost eight years to find and fix this hole -- a hole that exists only because of Microsoft product development policies that in another profession would be called malpractice. But now we're told it's corporate IT's fault too, because in two weeks we haven't patched the 12.5 million servers and 200 million client PCs affected. (That's the current Windows NT, Server and XP Professional installed base, according to IDC.)
Why haven't we patched them? Everybody knows the answer: because of the cost. There's such a continuous stream of patches from Microsoft that we can't afford to apply every patch immediately.
Why doesn't Microsoft get it right the first time -- or the second time, or the third -- so all those patches won't be necessary? Remember, this most recent security hole has survived code reviews for several generations of Microsoft products, including the supposedly improved security vetting Microsoft has put in place since the start of its Trusted Computing initiative.
The answer is the same: the cost. A buffer overrun isn't a subtle bug, and it's not hard to spot -- if you're looking. But Microsoft doesn't want to spend the money to carefully examine every line of code before it ships. That would just be too expensive.
Microsoft would rather wait until hundreds of millions of copies are in use -- so we're the ones who pay for applying those patches.
Of course, customers will foot the bill in either case. If the code is

Our Commenting Policies