
Microsoft security: Why Redmond should be commended for its efforts

Oct 06, 2003

* Microsoft calls users to "secure their perimeter"

Microsoft, it seems, can’t win for losing. After announcing the Trustworthy Computing Initiative in January 2002, the Redmond company has made what appears to me, at least, to be a very conscientious effort to secure its software from attack. Unfortunately, a lot of its software was already out in the marketplace when the initiative was announced, so the only way to secure its products is to quickly and efficiently patch any security vulnerabilities that are uncovered.

There are alternatives, of course. Microsoft could ignore vulnerabilities in software versions that are no longer shipping. That wouldn’t go over big with customers, the analysts or the press. Microsoft could do a free exchange of current, more secure software for older, less secure apps and services. The customers might like that (although I’m sure some would object) but the stockholders sure wouldn’t. So the company did the best it could by patching and fixing every vulnerability that was (and is) discovered.

Did people thank the colossus of the northwest for this action? Hardly. Instead, the company got even more vituperation heaped upon it because there were so many patches! People don’t like patches and they don’t like the whole patching process. I don’t like patches, either; they shouldn’t really be needed. But since we can’t hop in the Wayback Machine and tell the developers of Windows ME, XP, 2000, et al, about the vulnerabilities that have now been discovered, nor can we change the development climate they worked in, then patches seem the most reasonable way to deal with any problems that crop up. Newer operating systems and applications – the ones being developed now – should benefit from the Trustworthy Computing Initiative and need fewer security fixes.

Last week Microsoft, in reaction to all of the negative publicity about the patching process, announced a new short-term initiative called “securing the perimeter.” People who have used firewall products for many years can, and do, feel a bit smug because in essence Microsoft is talking about building a firewall around its operating systems and applications.

Some wags have already started a campaign to decry this move as simply another way for Bill Gates to make money, implying that the company will abandon application and service security in favor of the new firewall-like security. Referring to the now familiar “house” analogy, one pundit told me that the new initiative means Microsoft can now sell houses without any locks on the doors then turn around and sell you a chain-link, barbed-wire-topped fence to protect it.

Last month, Microsoft CEO Steve Ballmer told an audience in Silicon Valley that computers need a shield to protect against viruses, worms and hacker attacks, rather than products that deal with the problem after it has already reached the PC (“Ballmer: Security woes challenge innovation”). You should expect the word “shield” rather than “firewall” to figure prominently in whatever product is rolled out.

Microsoft has discovered security and it is working to create more secure products. It wants to correct security problems in older products. But most importantly, it realizes that it needs to provide the security in as “user friendly” a way as possible so that the security gets implemented as widely as possible. I think Microsoft needs to be commended for its current efforts rather than be castigated (continuously) for its previous failures. As always, my inbox awaits your thoughts.