Microsoft's Trick or Treat

Limping towards security

In the gothic novel of public opinion, Microsoft is a veritable "Dr. Jekyll and Mr. Hyde." The general business community regards Microsoft as a prominent and respected corporation with a substantial product line that has literally changed the face of modern-day computing. Its stock is on the rise (presumably in reaction to the highly publicized launch of XP), and quarterly earnings over the past year have met or exceeded industry projections.

In the last quarter, roughly 85 per cent of analysts have classified MSFT as a "buy" with more than half of those putting the stock in the "strong buy" category. With several technology companies posting losses in the billions alongside employee lay-offs into the thousands, some think Microsoft is looking pretty good. Many consider it a family of Shiny Happy People who want to buy the world a Coke and keep it company.

Saying that some in the information security community have a different view would be an understatement reminiscent of DNA's structure being described as "biologically interesting."

There are substantial numbers of people out there who openly despise Microsoft with an almost religious fervor, describing it as a purveyor of garbage, devoid of any security knowledge, absorbed in a horrifying monopolistic quest for world domination. To them, Microsoft is a group of Evil Troglodytes on coke who want to make the world their company.

The vast majority of us are somewhere in the middle. To embrace Microsoft technologies is to engage in a bittersweet relationship between function and form, cost and capability, and simplicity and security. The latter is what tends to bite most of us in the back pocket. In between good and evil, we find ourselves with a job to do and a limited amount of time to do it in.

So when security issues arise that threaten our networks, they divert us from our goals, potentially expose resources, and rob us of our profits. However, we have to realize that security problems are part of the deal; they are the Yin intermingled with our Local Area Yang and will exist across the board.

In an amazing coincidence of almost serendipitous timing, my last "everything has security issues" article was immediately followed by multiple security advisories for varied distros of Linux, including issues with Apache. Sun also issued multiple advisories against different versions of Solaris and SunOS.

You see, security issues are here to stay. I'm not surrendering to the machine; I'm just accepting that it will always have to be oiled.

But there is hope on the horizon for MS shops. Microsoft has taken a look at the process through Code Red colored glasses, and has seen the light. In an unprecedented initiative, the company has been rolling out security provisions one after another in an effort to illustrate its commitment to security, and quell the fears of its customers.

Beauty in the Beast

Within a very short period of time, we saw the release of HFNetChk, IISLockdown, and URLScan. Shortly thereafter, details of the new Strategic Technology Protection Program (STPP) and its "Get Secure, Stay Secure" offerings were released. While there are some to whom this news will be as exciting as a conversation with Ben Stein after a bong hit, I think it is an important step for the company, if not the entire industry.

Some say it's "too little too late" or that they're "closing the barn doors after the horses have left," but I don't think there is such a thing when dealing with evolving technologies. While there may be plenty of historical evidence to dispute Microsoft's concern or capacity to secure its past products, I am optimistic about the "from here, forward" directive.

While the Microsoft security team has been beating against products for some time in an effort to increase their security, I have been of the mindset that true security in the product line can only be gained from a change in the development model -- and that change must be in the form of an Executive Decree.

This is now all taking place. Brian Valentine, Senior VP of the Windows division, has made some very clear promises about what is to come: the company is committing resources, unifying divisions, and creating consortiums that will even include competitors, if that is what it takes.

SP3 for Win2k, due in February, promises to yield fixes based on a complete code-level review of all sensitive processes. And Bill Gates himself has been quoted as saying that there is "no higher priority for us than closing security holes." Some might simply consider this to be lip service or corporate rhetoric, but I don't think so. Special support services are being carved out, and enterprise tools created and distributed -- all for free.

Besides, I think they know that this is something that has to be done. The success of .Net depends upon it, and Microsoft knows it.

Given the vast range of public opinion about Microsoft, Robert Louis Stevenson himself would have difficulty fully describing the persona that is The Microsoft Monster. Only time will tell whether it will be man or beast.

© 2001 SecurityFocus.com, all rights reserved.

Tim Mullen is CIO of AnchorIS, a developer of secure, enterprise-based accounting software.
