Slashdot Mirror


Microsoft Blasted For Lax Security

fducky writes "Once again Microsoft is blasted for lax security. This CNN article cites experts denouncing the recent Microsoft security efforts as rating an 'F'. The recent MS-SQL worm got this most recent round of MS bashing going. Google News has more stories on the subject."

4 of 395 comments

  1. Re:will happen on linux as well by gmuslera · Score: 4, Interesting

    But in a different way. You have Microsoft This, and Microsoft That, all tightly integrated, all sold as if they were the only alternative, and all sharing the same funny idea about how safe it is to do things in an unsafe way.

    With Linux you have... see... the Linux kernel, and... well, that stops there. Also you have a lot of alternative apps, mostly multiplatform, with a few that are Linux only. If MySQL has a security problem, it should not be counted as a "Linux fault"; same with ssh, apache, sendmail, bind, etc.

    But, if you want to count, I don't know, mplayer security problems, as it is not available under Windows, well, you must also count all security problems of Windows programs as Windows security problems.

  2. Re:They released a patch! by funkman · Score: 4, Interesting

    But:
    1) It was difficult to install
    2) They released a later patch which re-enabled the exploit
    3) Their own admins didn't install the patch and Microsoft itself fell victim to the exploit.

    Which leads me to believe that while they can release patches for security, there is not enough ease and consistency to keep your systems "reliable". Many times a patch breaks functionality.

  3. Re:What about the SysAdmins? by legLess · Score: 4, Interesting

    Actually, no - perhaps you should have read the article before trotting out the tired, old "Blame the sysadmins" line.

    Don't get me wrong - the sysadmins certainly have some responsibility. At the end of the day, they're paid to keep the system running. If the system isn't running, they're not doing their job. Ergo.

    However, many people smarter than me (e.g. Bruce Schneier) have pointed out that Microsoft's patch policy is completely bankrupt. From the article:
    "Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."
    Another quote from the article:
    In October Microsoft released a fix for a different SQL Server problem that, if installed in the expected manner, would have made patched systems vulnerable again.
    So here you have a vendor who:
    1. Can't keep their own systems patched, even 6 months after the fact.
    2. Issues patches that break previous patches.
    How exactly are you supposed to stay on top of this? Re-test the system for every previous vulnerability after every single patch? While in an ideal world you'd say, "Yes - roll the patch out first on a test system and make sure it fixes the current issue and breaks nothing else," you'd have to be smoking crack to think many people have the manpower or time to do this.

    The core issue here is that Microsoft has built its software with very little attention to security, and you can't make up for that with a month or two of "security consciousness." They've explicitly sacrificed security at the altar of market share, and now it's coming back to bite them (and all their customers) in the ass.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."

  4. How the public responds by erroneus · Score: 5, Interesting

    The internet is becoming more and more important to the average "joe." So now, "things internet" are becoming newsworthy.

    I have discussed the recent worm attack with my non-tech associates and they actually had an opinion about Microsoft. That some agreed with me and others disagreed isn't as significant as the fact that they had an opinion.

    This is a tremendous change. Think on it.

    Some people strongly disagreed on Microsoft and how evil they are. Others nodded as if to say what I mentioned made a lot of sense. (I mentioned that "bugs" in software are part of Microsoft's business model -- people have to buy newer software to repair problems with their old software, especially after Microsoft stops supplying fixes for their older stuff... "Bugs == consumer incentive to upgrade.") This, of course, is now changing rapidly. "Bugs == consumer incentive to change."

    I think the high-profile nature of attacks which exploit weaknesses in Microsoft products is really starting to create public opinion that never truly existed before. (Prior to this, people looked on Microsoft the way we look at the air we breathe -- "is there anything else to breathe?")

    I think this is a very good thing. It more than levels the playing field in the market for server and other products. I think leveraging Linux, Apache and various SQL servers in the server market is the only way to get Linux onto the desktop at a later date. There is no way to get Linux onto the desktop until Linux is a household word. Once that is done, Desktop Linux will be chosen not for its performance, but for its reliability and solidity.

    I think the days are short for people who prefer to have "unstable and colorful" displays... with the amazing power of today's PC, performance isn't an issue. Stability, reliability and security will be the main concern and even if Microsoft cleans up their act, their reputation will be enough to add doubt into consumers' hearts. The public is a moody beast and once bitten doesn't come back for any reason... usually. Just look at how long it took Nixon to return.

    The death of Microsoft is at hand...