Software designed by humans will always have flaws, says Microsoft, but the company argues that its security record is improving. Microsoft has admitted it does not expect to ever release completely secure, flawless code, but denied that its software was any less secure than any other complex code.
Microsoft Defends Security Track Record
2003-07-04 Privacy, Security 26 Comments
The problem is, that no matter how minor a security hole a Microsoft byproduct may have, or how few there may be, the fact that there are so many people out there using their byproducts, that the effect is multiplied many times over. One cow fart in the wind dissipates quickly, but a whole herd really, really, reeks!
Since they have such a monopoly in the software, and hardware, industries, Microsoft has a much higher level of responsibility than anyone else since so many are affected. So far, they haven’t shown this level of accountability. They really, really stink.
So MS is now a herd of cows? I smell a gateway deal coming on!
This sounds like a double standard to me. I’m sure if this was about Linux instead of Microsoft there’d be a huge number of positive comments. I for one agree, MS is improving. Compared to the terrible terrible 9x series of operating systems Windows XP is excellent.
They’ve also improved in other areas too. For instance, Word used to be buggy as hell back in the day. Wordperfect was much better. Now, the opposite is true.
Except that Linux is free and M$ products are not, so big deal… they are improving booohooohoooo! Am I paying them to improve now, how gracious!
Anything is excellent compared to the 9x series, that is not much of an improvement really. Look, it doesn’t crash! Well an operating system is not supposed to crash. Somehow all these years of M$ garbage have lowered the expectations of most users to the point which stability is seen as an achievement.
When I saw this the other day on my news ticker
I found it funny that the links surrounding this story were vulnerabilities for active directory, active X, x-box, passport, netmeeting & I think one other I missed.
True everything has bugs but this was some pretty bad timing hehe.
Exactly, if Linux had as many bugs as Windows did, I swear to God I wouldn’t complain. “Why?”, you ask. Because it’s free damnit! Now compare that to paying thousands of dollars in licensing fee for a product that is drowning in security vulnerabilities, bugs and system instabilities. Yes, you’re damn right I’m going to yell! I didn’t pay for those shit!
If Windows is as insecure as the zealots say it is, how come I have been using it for more than 10 years and have never once been hit with a virus/worm? Perhaps I’m the luckiest guy on earth? Hardly.
It’s not the number of Windows users that makes the security problems so widespread; it’s the number of users who continually double click on anything that comes down the pipe. Hell, I’ve seen people get hit more than once with the same worm. All it takes is a little preventative maintenance and a little common sense, and you’re all set.
How many worms have you seen come out in the past few years that are variants of some other worm? Although I will be the first to admit that some features in Windows actually facilitate the spreading of these worms, it simply means that you have to be careful about what you do – it does NOT mean that using Windows means you’re going to get hacked no matter what. For example, if you’re walking down the street in a ‘bad’ part of town, you’re probably going to pay a little more attention to your surroundings.
Some people look at Windows on the desktop and scoff at the idea of having to run a virus scanner and the ‘overhead’ associated with it. But in my case, it’s either that or running VMWare under Linux to get the apps I need. So for me, the choice is obvious.
Windows XP is a tremendous improvement over the 9x series of Windows. XP is much more secure than the 9x series. I’ve paid for a lot of different versions of Windows products and XP shows me where my money went and I perceive it was well spent. However…
What about the Input Type Crash bug?
This bug was reported back in May, it still hasn’t been fixed.
If Windows were opensource it would have been fixed long before now.
Microsoft products are closed source, as good as they get, you will always be dependent on MS for bug fixes. And bugs are fixed on MS’s time table not yours.
I’m sure Microsoft will continue to improve their products in the years to come. But I enjoy the freedom and independence Linux gives me.
Linux is saving my customers Windozes… 🙂
Why? All the incoming mails are scanned for viri and quarantined serverside if infected. Sure, Windows is some kind of virus-sensible, but in the first place viri are most commonly spread by mail and that’s the point any administrator should think about just one minute.
Come on, installing a serverside-mail-scanner is just a matter of minutes, keeping virus definition files up-to-date is just one cronjob. Just migrate it and make users’ lives more safe…
Soon Microsoft will have laws passed making it illegal to say that Microsoft has bad security. Or that Microsoft quality is pitiful for a company of their resources. Or that Microsoft ever shipped buggy products.
But all these denials, announcements, and swarmy lovefests with politicians only serve to make it painfully obvious Microsoft has a real problem and not wanting to do anything real about it.
“Denial is the most predictable of all human responses.”
Michael, we know you hate Microsoft. You don’t have to spill out our forums with your hatred on each and every microsoft story we run. It is really getting tiring. Please restrain yourself.
and still use it, why? Are you into sadomasochism?
There are alternatives out there. Buy an iMac/eMac, install Linux, heck, write your own operating system.
It seems that there are all these whiners out there but they’re unwilling to do something about their tale of woes.
Want to send a clear message to company, don’t buy their product, simple as that. Is it really that hard to comprehend?
Damn straight, although “it’s their right to bitch”. I tend to just let it slip by. I mean obviously if they are bitching about something and continue to use it then really they are bigger idiots than the people writing the code in this case Microsoft. Not saying Microsoft people are idiots but what I am saying is that no matter how badly you insult Microsoft you look like more of an idiot for still supporting their software.
Another issue I’d like to clear. If your argument is that you pirate Microsoft Software so you don’t technically buy it, you’re not hurting Microsoft at all, using their standards and their technology and spreading this free version of yours around does more to improve Microsoft’s hold on the market. If people use it, companies will use it and support it. That’s how it works, that’s where the money is made.
None of my criticism of Microsoft is “mindless”. There are objective facts for everything I say, here or on other sites. Your ideology might be “pro-Microsoft” and “pro-monopoly”, but mine is not. So of course my comments are not glowing praise for Microsoft.
As far as I have seen, Microsoft has not posted one objective press release on testing/security. And by this I mean “We had XXXXXX bugs in Release X. We used these new techniques to find and fix more bugs. Release Y now has YYYYY bugs.” There is a lot of talk from Microsoft about bugs, but not a lot of talk on how they are fixing them.
A Gates “memo” on security is not a measure of objective progress. Microsoft saying “we’re no worse than the other guys” is not an objective measure of progress.
You have elected to have a very “thought police” editorial policy. If you are going to support open discussion, then support it. If you don’t want open commentary, then force everyone to login and only allow pre-approved posters to comment on the news.
Outside of dissent, there are a vast number of stupid comments that are not even based on any sort of facts. How many articles do you post knowing 80% or so of the comment traffic will be “A vs. B” flamewars? Do you want me to list them?
I like your site, but the bar is only as high as you set it. Don’t get on my case for anti-Microsoft dissent when the vast bulk of comments don’t meet your own standards and you continually post topics that you know inspire flame wars and trolling.
I post news. The choice to not troll is yours, not mine. It is like saying that you can’t restrain yourself and I am the one that should not post kinds of news that would make you come out of your clothes and become angry.
Sorry, but the problem is in your court, not mine.
Michael, I’m a pretty patient guy, and everyone does have the right to an opinion, but your sanctimonious and virulent Microsoft-bashing is starting to piss me off.
Reminds me of the vegan I roomed with in college-you don’t wanna eat meat, don’t eat it. Don’t tell me what a monster I am for doing so. You don’t want to use MS products, then don’t.
Your vegan roommate didn’t make you stop supporting the killing of innocent animals, because he or she didn’t have the power to do so.
But Microsoft has taken away “choice” from many segments of the high-tech world. There is no competition any more for personal computer operating systems, office suites, or browsers. That is Microsoft’s monopoly power.
Microsoft has made plenty of people ‘stop eating’ the products they don’t want those people to eat.
By this analogy, I can’t see why you complain about your roommate.
It is surprising how little humility Microsoft has. Let’s face it. Microsoft has built many low quality products. They’ve botched security continuously. Their stability track record has been poor until relatively recently. The first step in progressing beyond that period in their company’s history is owning up to it. Flashy advertisements and forward-looking press releases are useless without this primary step.
I recently saw something that astonished me. Right there in the front, inside cover of this month’s Motor Trend is a full page ad about GM’s “Road to Redemption.” In it, they admit how the company’s products over the last couple of decades have been behind in the quality department. They talk about how internal management issues held back their progress. They admit they still have a ways to go, but assert that they’ve made great progress. Then, nearly 3/4 of the way through the article, they talk about the new products they are introducing to overcome their past. This is the kind of honesty that is so desperately needed in the business world today. It is this kind of honesty that will genuinely change the minds of consumers. I still don’t believe in GM cars (or pretty much any other American car). But thanks to this ad, I will no longer dismiss GM products off hand. GM’s honesty has convinced me to at least give their products a fair shot when it comes to researching a purchase.
We need to be smart consumers. We cannot allow a company to operate unchallenged. We cannot allow ourselves to be fooled by marketing promises or evanescent flashiness. We must demand quality, honesty, and integrity from those to whom we give our business.
Microsoft admits to selling average quality products. A very good advertisement. All companies should sell average quality products. Customers deserve average quality. Ok, Microsoft is improving their products in time. So is every other company. Apple improves their products. GM improves their products. Should customers buy average software from Microsoft just because Microsoft is improving their products? Microsoft would like for you to. Consumers do not have much of a choice of quality of Microsoft’s operating systems. Is Windows XP Home different on a Gateway compared to a Dell? Probably not.
Since Microsoft does have a major percentage of computers using their product, Microsoft should have a greater responsibility of putting out a better product.
If Microsoft could be sued by a customer for liabilities and damages the customer has sustained because private information like credit card numbers and bank account numbers were stolen, Microsoft might actually start fixing their software. Microsoft is banking on the customer not really caring about their private information.
Why does it take so long for Microsoft to issue a fix for the holes in their software? Businesses are at the mercy of criminals until Microsoft issues a patch. The same businesses that customers entrust very important information.
A lot of people are entrusting private information, memories, and other data in the hands of Microsoft. Has Microsoft earned your trust?
The etymology of this internet lingo seems to be rather illusive (or at least it features a continuously variable definition)
Thus far it appears that the word “troll” is merely used as a last-resort psychological suppressor device to shut-off any incoming arguments from the “other side” (sort of a five year old plugging their ears when you talk or telling you to “talk to their hand”).
In human nature there are always opposing philosophies. Therefore each side becomes the “troll” of the other.
(Eugenia is the troll of Michael and Michael is the troll of Eugenia)
When a word has such amphidromous etymological underpinnings then its true gravity is neutral (zero).
In other words, by calling someone a troll we do not really say anything. It is like calling them the “opponent” which doesn’t add value to either side (it is merely an amphidromous descriptor).
Michael had some good conceptual points in his posts.
(Eugenia may have some good practical points).
>As far as I have seen, Microsoft has not posted one objective press release on testing/security. And by this I mean “We had XXXXXX bugs in Release X. We used these new techniques to find and fix more bugs. Release Y now has YYYYY bugs.” There is a lot of talk from Microsoft about bugs, but not a lot of talk on how they are fixing them.
Well, maybe you should go check what a service pack is, what the test infrastructure at MS looks like (and that will blow you away), why MS stopped all new development on Win2003 for 2 months to audit the whole code, what prefix and prefast are, what driver verifier is, etc…
You might learn something, but I guess you’ll still find something to say that they suck, even though the competition doesn’t do a better job than they do.
Microsoft software has security flaws and OSS has security flaws. So does software from other proprietary vendors.
The difference is that Microsoft’s approach has been summed up by their one-time marketing mantra “making it easier”. They do make it easier for app developers, power users… and hackers. Stuff like Office macros and ActiveX controls with unfettered access to the file system, configuring users with administrator privileges by default, and adding everything and the kitchen sink to IIS. By contrast, certain companies like Sun and Netscape make (well, past tense in Netscape’s case) a real effort to put security ahead of usability in their products.
I get a kick out of reading about Microsoft getting in trouble with the DoJ and being called a monopoly and watching their latest products crash and burn with their infamous BSOD. I love all the fire drills us UNIX admins get whenever another microsoft virus spreads. They spread through mail, web and now your database systems.
If this is not reason enough to rid the company of Microsoft software I don’t know what is. On the other hand I didn’t have a problem keeping my job through these rough times. So I can see where Michael is coming from.
But please, don’t let me stop you, go on defending Microsoft’s fine security track record. I like reading about these things.
Your argument has so many logical flaws it’s not even funny.
>If Windows is as insecure as the zealots say it is, how come I have been using it for more than 10 years and have never once been hit with a virus/worm?
Personal example. Unless you back the anecdote with evidence indicating that your experience is representative of the experiences of most people, it’s meaningless. I’ve been using Windows for more than a decade, but I haven’t been hit by a virus or worm either. However, I’ve had a FreeBSD box hacked. What does that mean? Nothing.
>It’s not the number of Windows users that makes the security problems so widespread; it’s the number of users who continually double click on anything that comes down the pipe.
The whole idea of a secure system is that the user can’t make it insecure. By your logic, Win95 was a secure system.
>Hell, I’ve seen people get hit more than once with the same worm. All it takes is a little preventative maintenance and a little common sense, and you’re all set.
Most users have neither. It should be the job of the OS to allow them to hurt themselves as little as possible. I’m the last person to favor protecting careless people. However, a compromised machine is a machine that can cause security problems even for people who are careful. It is because of that the OS itself should be as secure as possible.
>Although I will be the first to admit that some features in Windows actually facilitate the spreading of these worms, it simply means that you have to be careful about what you do –
Insecure systems can be made usable by being extremely careful. That’s a given. Unsafe cars can be made usable by driving very slowly. But you shouldn’t drive unsafe cars, and you shouldn’t use insecure systems.
>it does NOT mean that using Windows means you’re going to get hacked no matter what.
Nobody is claiming that.
>For example, if you’re walking down the street in a ‘bad’ part of town, you’re probably going to pay a little more attention to your surroundings.
So what you’re saying is that using Windows is like walking through the bad part of town?
>But in my case, it’s either that or running VMWare under Linux to get the apps I need. So for me, the choice is obvious.
Well we’re not talking about application support here, are we? And nobody is claiming that you shouldn’t use Windows. People are saying that Windows is insecure, and people should be aware of it and take active steps to change it. A big part of this is giving your business to Microsoft’s competitors whenever possible. Another part of this can be lobbying Microsoft for changes, or simply being very careful as you suggest.
You seem to be stuck in a time warp. It would be good if you heeded Eugenia’s plea, but I get the feeling you are too proud to adjust your future behaviour accordingly. No matter, I can just ignore any posts from people named Michael.
“There is no competition any more for personal computer operating systems, office suites, or browsers. That is Microsoft’s monopoly power.”
Sure there is, I’m running all those types of software, and the only one produced by Microsoft is Windows XP. Not sure why you think there is no competition…
>>The difference is that Microsoft’s approach has been summed up by their one-time marketing mantra “making it easier”.
This can’t be stressed enough for the small-business market. IIS isn’t popular because of its metabase, security, or scriptability — all horrible. It is popular because it is preinstalled and has a GUI.
Microsoft knows their patch model is not on par with unix and won’t be until the release after Longhorn.
There is no value in attacking these problems with anything more than words for microsoft as malware has already trained users to reboot anything at the first sign of trouble.
At the same time, comparing anything to the 9x series is ridiculous. 9x is a single-user OS with GUI-driven design in every nook and cranny that wasn’t simply a hold-over from the DOS legacy. Surprise — when you try to have multiple users on it attached to a network it trips and falls all over itself.
“But the new version is better than ever and easier to use! I hardly ever reboot my XP machine! They’ve finally gotten it right!”
I am completely non-plussed by this advertising mantra.