The Latest Round of Microsoft Security Patches
A coworker recently asked me for my perspective on the latest round of Microsoft security patches, quoting an article that accused the company of being short-sighted. This was my response:
In a sense, the success of Microsoft's existing products is its biggest impediment to any kind of future development of secure software. The de facto business requirements for anything new that Redmond rolls out are that the new product:
- Reproduce all existing functionality
- Be backward compatible
- Add new functionality to fill known gaps or trump competitive products
With these as the primary business drivers, it only makes sense to re-use as much code as possible. The reality is, security will only become truly important to Microsoft when its absence becomes a critical liability.
Because Microsoft is such an entrenched monopoly and has the resources necessary to manipulate legislation at the federal level (just like big tobacco or the NRA), it's highly unlikely that government intervention of any kind will force the issue.
For a number of years now, business need has dictated that any company with a significant investment in publicly accessible services manage its own software security via third-party products and/or in-house solutions.
The uncontrolled spread of malicious code to individuals' PCs via the internet has further extended the need for these third-party products and even increased the exposure of large corporations by creating the potential for massive, coordinated denial-of-service attacks orchestrated over IRC to zombied PCs. (Remember the day eBay and the other big sites went down?)
Let's face it, the Windows XP firewall is a freakin' joke. Third-party firewalls and anti-virus products have now become a significant and necessary investment for anyone with broadband internet access - figure $40-70/year for subscriptions and upgrades for decent security.
I have a hardware firewall, NIS and Spy Sweeper on my PC at home, I update definitions and firmware religiously, and I still managed to pick up a W32 variant virus last week that my e-mail and download virus scans somehow missed. I caught it because I run scans on a regular basis, but it's not practical to assume that the average AOLer has a clue about stuff like this, or should reasonably be expected to have to care.
So, there's now some impetus forming in both the private sector and the public sector to get someone to 'do it better'.
However, I still don't believe that we're going to see a secure product come out of Redmond until someone else comes up with a secure, competitive OS and office suite that:
- Runs on the PC platform
- Runs Windows-based apps in a manner that short circuits latent Windows security flaws
- Imports/uses MS Office documents cleanly and effectively
Build a secure OS & office suite like that and people and corporations are going to line up to throw money at you. At that point, insecurity will be a critical liability to Microsoft.
In response, they'll clone the new competitor's products under a Windows flag, attempt to drive the competitor out of business based on a dual strategy of market saturation + lawsuits claiming copyright infringement (irony, anyone???) and pat themselves on the back for setting new security standards.