Microsoft's Trick or Treat

Limping towards security

In the gothic novel of public opinion, Microsoft is a veritable "Dr. Jekyll and Mr. Hyde." The general business community regards Microsoft as a prominent and respected corporation with a substantial product line which has literally changed the face of modern-day computing. Its stock is on the rise (presumably in reaction to the highly publicized launch of XP), and quarterly earnings over the past year have met or exceeded industry projections.

In the last quarter, roughly 85 per cent of analysts have classified MSFT as a "buy" with more than half of those putting the stock in the "strong buy" category. With several technology companies posting losses in the billions alongside employee lay-offs into the thousands, some think Microsoft is looking pretty good. Many consider it a family of Shiny Happy People who want to buy the world a Coke and keep it company.

Saying that some in the information security community have a different view would be an understatement reminiscent of DNA's structure being described as "biologically interesting."

There are substantial numbers of people out there who openly despise Microsoft with an almost religious furor, describing it as a purveyor of garbage, devoid of any security knowledge, absorbed in a horrifying monopolistic quest for world domination. To them, Microsoft is a group of Evil Troglodytes on coke who want to make the world their company.

The vast majority of us are somewhere in the middle. To embrace Microsoft technologies is to engage in a bittersweet relationship between function and form, cost and capability, and simplicity and security. The latter is what tends to bite most of us in the back pocket. In between good and evil, we find ourselves with a job to do and a limited amount of time to do it in.

So when security issues arise that threaten our networks, they divert us from our goals, potentially expose resources, and rob us of our profits. However, we have to realize that security problems are part of the deal; they are the Yin intermingled with our Local Area Yang and will exist across the board.

In an amazing coincidence of almost serendipitous timing, my last "everything has security issues" article was immediately followed by multiple security advisories for varied distros of Linux, including issues with Apache. Sun also issued multiple advisories against different versions of Solaris and SunOS.

You see, security issues are here to stay. I'm not surrendering to the machine; I'm just accepting that it will always have to be oiled.

But there is hope on the horizon for MS shops. Microsoft has taken a look at the process through Code Red colored glasses, and has seen the light. In an unprecedented initiative, the company has been rolling out security provisions one after another in an effort to illustrate its commitment to security, and quell the fears of its customers.

Beauty in the Beast

Within a very short period of time, we saw the release of HFNetChk, IISLockdown, and URLScan. Shortly thereafter, details of the new Strategic Technology Protection Program (STPP) and its "Get Secure, Stay Secure" offerings were released. While there are some to whom this news will be as exciting as a conversation with Ben Stein after a bong hit, I think it is an important step for the company, if not the entire industry.

Some say it's "too little too late" or they're "closing the barn doors after the horses have left," but I don't think there is such a thing when dealing with evolving technologies. While there may be plenty of historical evidence to dispute Microsoft's concern or capacity to secure its past products, I am optimistic about the "from here, forward" directive.

While the Microsoft security team has been beating against products for some time in an effort to increase their security, I have been of the mindset that true security in the product line can only be gained from a change in the development model -- and that change must be in the form of an Executive Decree.

This is now all taking place. Brian Valentine, Senior VP of the Windows division, has made some very clear promises about what is to come: The company is committing resources, unifying divisions, and creating consortiums that will even include competitors, if that is what it takes.

SP3 for Win2k, due in February, promises to yield fixes based on a complete code-level review of all sensitive processes. And Bill Gates himself has been quoted as saying that there is "no higher priority for us than closing security holes." Some might simply consider this to be lip service or corporate rhetoric, but I don't think so. Special support services are being carved out, and enterprise tools created and distributed -- all for free.

Besides, I think they know that this is something that has to be done. The success of .Net depends upon it, and Microsoft knows it.

Given the vast range of public opinion about Microsoft, Robert Louis Stevenson himself would have difficulty fully describing the persona that is The Microsoft Monster. Only time will tell whether it will be man or beast.

© 2001 SecurityFocus.com, all rights reserved.

Tim Mullen is CIO of AnchorIS, a developer of secure, enterprise-based accounting software.
