Congratulations are due to Information Week and John Foley for Billing/Belling the Cat. Information Week in its February 14th issue has dared to put on its front cover a story that the IT trade press has tiptoed through the tulips for too long about – the continuing stream of security and reliability problems associated with Windows both on the desktop and on the server. And Information Week does not mince words – “You call this trustworthy computing ? Three years into the Microsoft security initiative, the bugs keep coming. At the RSA conference … Microsofts Chairman will detail other accomplishments and forward-looking plans that portray a company delivering on his 3-year old promise to make Windows environs trustworthy. It is a compelling message, except for one unavoidable fact: The software patches just keep coming. Microsoft last week issued a dozen security bulletins addressing 17 software vulnerabilities , tantamount to a shotgun blast of holes through the companies product line.”
The story goes on to point out that Microsoft is certainly trying to cope with the security problems. It has acquired in the past 2 years a number of outside security software firms:
– GeCAD Software for for antivirus protection;
– Giant Company Software for spyware detection;
– Pelican Software for behavior based security;
– Sybari Software manages the whole virus,spam, phishing filtering process.
But in process of making these moves Microsoft has also created a ruckus. Because Sybari currently uses a number of third party antivrus, antispam, and other security scanning tools; the concern is that Microsoft will narrow that down to Microsoft owned filtering tools. And because a good portion of the software will be given away for free, Microsoft will come to own all “security” software for Windows. And the implications of that can be seen with some of the extra, non-bug targets that Microsoft is taking on in the interests of security – such as the elimination of WINE and other non-Microsoft approved Windows emulators .
But the article also raises three issues that Keep an Open Eye has been emphasizing as being critical security problems with Microsoft software. First, the article cites John Pescatore at Gartner “They still havent shipped a desktop operating system that was designed and coded after they started caring about security”. We would expand that statement to include the fact that not just Windows desktop but also most of the Windows Application Servers from SQL Server through Exchange to SharePoint; none of Office and its associated Applications; nor Visual Studio have been coded in the .NET Framework. This is crucial because the .NET Frameworks Managed code option considerably improves the reliability and security of Microsoft apps. It will be interesting to see how much of the soon to be released Visual Studio 2005 and SQL Server 2005 are coded in the .NET Managed code framework as opposed to the more vulnerable .NET Unmanaged code option or simply not done in .NET at all.
However, my second issue with Microsoft is that even working within the .NET Managed Code framework leaves other vulnerabilities untouched. To my surprise John cites one of the most crucial in his article: “Among other security advances, Longhorn is expected to minimize situations in which PC users have administrative privileges, leaving systems more open to attack.”This vulnerability is critical. For example, the current problems with IE are directly connected to this issue and so it will be noteworthy to see how Microsoft codes the upcoming IE 7.0 for these and the ActiveX problems currently plaguing IE 6.0.
The third problem has been the attitude toward security within Microsoft. As late as 1999 and 2000 reports show how security loses to features and ease of use in Redmond. But the the virus attacks of 2002 forced the issue and Trustworthy Computing was installed as a prioriy at Microsoft. But as John Udell sites in this article the development of scalable and rigorous source code analysis has been a very rough row to hoe. Despite acquireing PREfix and PREFast source code analysers , getting them to work efficiently and effectively has taken close to five years. And they wont see the light of day in Visual Studio until VS 2005 release late this summer.
In effect, Microsoft, famous for turning on a dime regarding its commitment to the Internet, has gone slow on security even after the Trustworthy Computing epiphany. Until the .NET languages and framework, Microsoft did not have basic uniform and rigorous try/catch/finally, exception handling and memory management protocols in place among other security and reliability gaps. But despite the Trustworthy Computing mandate key pieces of software were excused from .NET implementation requirements including Office, Windows desktop and other software cited above. Now the question remains will the .NET Unmanaged Code option leave security gaps similar to the infamous use of ActiveX in IE, Outlook and other external facing software.
Meanwhile, let John Foley have the last word: “… a Microsoft spokewoman [says] Ultimately, what matters is not what we say, but what we do. When Bill Gates talks this week, thats something to remember”.