February 14, 2004
Microsoft security improving?
Gartner recently published a report claiming that Microsoft product security is improving (I'd hope so, they'd sure have to try hard to do worse than they have).
In spite of several major incidents during 2003, Gartner predicts that Microsoft's products will be as secure as the average product. I'm not sure what that means. Since Microsoft owns the majority of many industries they are in, isn't the average mostly comprised of Microsoft? So, reading between the lines, Microsoft's security practices used to be so much worse than other products, that the 10% of better-secured non-Microsoft products actually was able to offset the average of a market 90% owned by Microsoft. That's some gap between the minority and the majority.
Anyways, since Gartner published this report, things are starting to look a lot more like this is a temporary glitch than a long-term improvement. Or at least, that "improved" doesn't mean much for Microsoft customers trying to secure their networks.
One week later, the same author published another report detailing yet another Microsoft vulnerability that is expected to lead to another MSBlast-type of worm. This vulnerability was identified by eEye in July 2003 and took Microsoft seven months to patch. At any time during those seven months, the miscreant community could have stumbled across that vulnerability and launched a worm that couldn't be blocked. That's improvement?
Lest you think MS04-007 is a fluke, take a look at this. eEye has notified Microsoft of no fewer than seven vulnerabilities, the least-serious of which only can exploit 91 million machines. Three can exploit every Microsoft-based machine, and all of those have been waiting for a Microsoft patch for at least two months.
And this could be just the beginning. This week Microsoft confirmed that some of the source code for Windows 2000 and Windows NT4.0 (which are presumably used extensively in Windows XP and Windows Server 2003) was leaked to the Internet (and seems to be easily found). This means that the miscreant community has even more opportunities to find vulnerabilities and exploit them before they can be patched.
I am sure that Microsoft product security is improving, but it has such a long way to go until it reaches a threshold where it can be considered "secure". I'm not sure that improvement even matters, other than to give some sliver of hope to Microsoft's customers and the I.T. industry who get to deal with yet another year of exploited Microsoft vulnerabilities.
Posted by pete at February 14, 2004 06:59 PM