Microsoft gets serious about security

Preston Gralla
Mar. 10, 2004 12:52 PM
Microsoft has just released its security bulletins for March: a critical Outlook vulnerability, a problem with MSN Messenger, and trouble with Windows Media Services on Windows 2000. Nothing truly earth-shaking.
The very ordinariness of the announcement shows that Microsoft has gotten its once-chaotic response to security issues under control. In fact, despite the criticisms lobbed at the company by many, it really has gotten religion when it comes to security. Is it perfect? No. At times it releases ill-tested patches and updates. I, for one, have gotten into the habit of waiting a week after it releases any patch or security update, to see whether widespread problems with it are reported.
But the regularity of its monthly security announcements like this one, and its quick response to security dangers, show that Microsoft means business when it comes to security.
It's easy to criticize Microsoft in this; after all, almost all of the worms and viruses set loose affect Microsoft products. But that's not because Windows is inherently more insecure than other operating systems. Willie Sutton, the well-known bank robber, was said to have once been asked why he robbed banks. His alleged answer: "Because that's where the money is." The same thing holds true for why worm-writers and malware authors target Windows - that's where the users are. When it comes to security, Microsoft has been the victim of its own success.
So I'll be downloading the latest security patches in about a week. It'll be a mundane act, but one that reflects that despite complaints to the contrary, Microsoft has gotten serious about security.
Preston Gralla is the author of Windows Vista in a Nutshell, the Windows Vista Pocket Reference, and is the editor of WindowsDevCenter.com. He is also the author of Internet Annoyances, PC Pest Control, Windows XP Power Hound, and Windows XP Hacks, Second Edition, and co-author of Windows XP Cookbook. He has written more than 30 other books.
Showing messages 1 through 7 of 7.
A sane article
2004-03-16 15:36:02 musnat
I don't think anybody technically serious would claim that Windows is less secure. On the contrary, it is secure and most probably more secure than any other OS; however, providing patches to home users is a big problem Microsoft has to solve. That's where I think Microsoft is lagging, of course not behind Linux, but behind the perfect desired solution.
Absolutely.
2004-03-15 16:59:17 aristotle
See Outlook vulnerability bulletin and CERT advisory.
It took MS only 10 months to reissue the bulletin in order to bump the severity from "important" to "critical" after they were initially informed of the matter. A phenomenally quick response.
The reason for this change was the fact that it occurred to them that people with other than non-default settings were affected. Basing the severity rating of a vulnerability on the number of users potentially affected is incredibly brilliant.
It was also an amazing tactical move to invent "patch day", so patches don't get issued willy-nilly (like, say, in the soonest possible timeframe) and make it hard for people to stay up to date.
Completely awe inspiring also how there is a patch freeze period when a new service pack is imminent, during which new fixes that will not make it into the service pack are held back, so that the poor stressed customers won't be confused.
Yes, Microsoft is dead serious about security. Crackers and script kiddies beware, Big Daddy Bill is coming for you.
Yes, but..
2004-03-11 08:48:14 peter_g_22
As a broadband user I have no problem applying the numerous patches and service packs to our XP machines at home, but this wasn't the case when I went around to see a friend whose PC was "doing odd things" (he had 800 infected files, 2 viruses and a worm). As a dial-up user he was keen to apply the 49 missing updates, but this would have kept his phone tied up for most of the day, and his wife did actually need to use it as well.
Problem is, the updates keep getting bigger and bigger, and when the typical dial-up user sees the remaining download time bar at some 4 hours, are they seriously going to wait and finish the download? XP is especially bad for this, and I don't honestly know what the answer is.
Oops.
2004-03-10 16:23:37 Steve Mallett
http://news.com.com/2100-1002_3-5172179.html
Really?
2004-03-10 15:45:09 tlaurenzo
Actually, I would take issue with Windows being less secure than some other solutions. There are a number of reasons for this, some of which reflect poorly on Microsoft's past decisions, and others which are just a matter of having to support security-hole-ridden legacy clients and protocols until the end of time (I mean, if modern Unixes were required to support all of the r* commands for compatibility reasons, what would we be saying about security?). Other problems are due to the silly way that Windows users typically run their systems as admins.
Perhaps what bothers me the most is not that the default installation is inherently insecure (I mean, other OSes install with pretty loose policies for legacy reasons... ever installed a vanilla copy of Solaris?). The real problem is how tough it is for a "smart" user (or even an expert) to secure a Windows system without the aid of third-party tools (i.e. firewalls, A/V software, etc.). I mean, if I go to another OS (i.e. Linux or OS X), even if it starts out with insecure defaults, I can quickly configure very restrictive firewall policies and utilize non-privileged logins to cover myself. On Windows this is not so easy or configurable, and until very recently was not even possible (without third-party software).
Then, even with IP firewalls, many users have to run NetBIOS in one form or another. This means that ports 137 and 139 must be opened. Unfortunately, since NetBIOS is a foreign network protocol tunneled over IP, virtually all services on the system are accessed through these ports. There is no effective means to say "I want to allow file sharing but disallow MMC management access" at the network level.
I know that if another OS were the primary contender for users' desktops it would be the main target, but I have to think it wouldn't be as bad for most of the alternatives. Despite how good it feels to have Microsoft addressing some of these issues, it is just going to take them a long time to undo the damage done by twenty years of lousy and capricious design decisions. A lot of other systems were designed in an environment that had to be mindful of security concerns, whereas MS technology for many years just tried to bulldoze through the problems after the fact.
Windows is less secure than most other systems. They're working to change that, but it is true.
Thank God!
2004-03-10 13:43:53 jinjelsnaps
"But that's not because Windows is inherently more insecure than other operating systems."
Thank God someone else said that! I've always thought the same thing, but according to any Linux / Mac zealot that's not the case...but maybe that's just them being weird.
What's your IP address?
2004-03-10 13:15:37 Steve Mallett
Just kidding.
This work is licensed under a Creative Commons License.