Computerworld - It's your fault. Yeah you, Mr. or Ms. Corporate IT Person. Microsoft says it's your fault, and the fault of your users, that there are so many security problems with Microsoft software. Oh, sure, there are security holes in Microsoft products. But Microsoft does patch them -- eventually. And unless corporate IT does a better job of promptly applying those patches, as well as training users in safe computing practices -- well, there's only so much Microsoft can do.
Yes, at Microsoft irony is dead. And so, apparently, is shame.
See, last week a high-level Microsoft manager named Jonathan Perera was making the it's-your-fault-too pitch at the Infosecurity Europe conference in London. At exactly the same time, security companies were reporting a new round of attacks on Microsoft products, including IIS and Exchange Server, based on yet another Microsoft buffer overflow vulnerability.
Microsoft had issued a patch for that security hole just two weeks earlier. But the hole is in every version of Windows NT and XP Pro that has shipped since Windows NT 4.0 in 1996.
In other words, it took Microsoft almost eight years to find and fix this hole -- a hole that exists only because of Microsoft product development policies that in another profession would be called malpractice. But now we're told it's corporate IT's fault too, because in two weeks we haven't patched the 12.5 million servers and 200 million client PCs affected. (That's the current Windows NT, Server and XP Professional installed base, according to IDC.)
Why haven't we patched them? Everybody knows the answer: because of the cost. There's such a continuous stream of patches from Microsoft that we can't afford to apply every patch immediately.
Why doesn't Microsoft get it right the first time -- or the second time, or the third -- so all those patches won't be necessary? Remember, this most recent security hole has survived code reviews for several generations of Microsoft products, including the supposedly improved security vetting Microsoft has put in place since the start of its Trusted Computing initiative.
The answer is the same: the cost. A buffer overrun isn't a subtle bug, and it's not hard to spot -- if you're looking. But Microsoft doesn't want to spend the money to carefully examine every line of code before it ships. That would just be too expensive.
Microsoft would rather wait until hundreds of millions of copies are in use -- so we're the ones who pay for applying those patches.
Of course, customers will foot the bill in either case. If the code is
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts