Slashdot Mirror


Gates Says Windows Reliability Is Greater

mogrinz writes "According to an interview with the New York Times, Bill Gates is proud of the achievements Microsoft has made in increasing the security of Windows. As for the effects on people being attacked by SoBig.F, etc? Gates says this is "something we feel very bad about". Gates summarizes the Microsoft position very succinctly: "We're doing our very best, and that's all we can do"."

4 of 568 comments

  1. Dear Bill ... by Ninja+Programmer · Score: 5, Interesting

    Dear Bill,

    Far and away your #1 bug is the infamous "buffer overrun" flaw. These usually mostly manifest themselves in string libraries. I know that you have at least 3 library solutions in-house (Safestr for C, CString in MFC, and basic_string in STL) but your developers don't use them, otherwise these problems wouldn't happen.

    I'd like to point you out to another alternative:

    http://bstring.sf.net/

    Which your developers may prefer. But whatever you do, why don't you simply make it a requirement that <string.h> simply be outlawed (you could easily write a tool to enforce that couldn't you?), or take some other drastic action?

    Buffer overruns are certainly the most common kind of bug that isn't caught by QA (the right answer is not to try to train QA to find them -- they would require the skill of a hacker.) If you concentrate on this one bug alone, you will probably easily remove 80% of these attacks.
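
The enforcement tool suggested in the comment above could be a small source scanner. The following is an added example, not part of the original thread; the policy it applies (flagging the `<string.h>` include plus `strcpy` and `strcat`) and the sample C source are assumptions constructed for illustration.

```python
import re

# Assumed policy for this example: the header itself, plus the string.h
# copy routines that take no destination size. The quoted form
# (#include "string.h") is not covered here.
BANNED_HEADER = re.compile(r'^\s*#\s*include\s*<string\.h>')
BANNED_CALL = re.compile(r'\b(strcpy|strcat)\s*\(')

# Comments and string/char literals, blanked first so that a function name
# that only appears as text is not reported.
NOISE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL,
)

def _blank(match):
    # Keep newlines so reported line numbers still match the source file.
    return re.sub(r'[^\n]', ' ', match.group(0))

def scan(source):
    """Return (line_number, finding) pairs for banned string.h usage."""
    cleaned = NOISE.sub(_blank, source)
    findings = []
    for lineno, line in enumerate(cleaned.split("\n"), start=1):
        if BANNED_HEADER.match(line):
            findings.append((lineno, "#include <string.h>"))
        for call in BANNED_CALL.finditer(line):
            findings.append((lineno, call.group(1)))
    return findings

# Constructed sample input, not taken from any real code base.
SAMPLE = r'''#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) used to live here */
void greet(const char *name) {
    char buf[16];
    strcpy(buf, "hi ");      // no bound on the copy
    strcat (buf, name);      // overruns buf for long names
    puts("strcpy(a, b) is only text here");
}
'''

if __name__ == "__main__":
    for lineno, what in scan(SAMPLE):
        print(f"line {lineno}: banned {what}")
```

A check like this fits in a pre-commit hook or build step, failing the build whenever `scan` returns a non-empty list.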

  2. Works for me but I'm an expert user by j_dot_bomb · Score: 5, Interesting

    I have never gotten a virus with xp. Never even had one come up in a virus scan. But, I do all the right things like use a firewall and autoupdate. I also do things no one else does like use IE security settings and turn -everything- (java, activex) for all but say 40 sites on the net. This last step is just far too much work even for expert users (esp with that stupid site may not display properly dialog for ActiveX). Further it is just beyond the typical home XP user.

  3. Re:No? by Anonymous Coward · Score: 5, Interesting

    I agree with you, but I was pleasantly surprised to find that a lot of users actually cancel Windows auto updates when they become available because they think they're viruses attacking their computer...

    Again, what is needed is more education of computer users in general - Windows Update really needs paper literature devoted to it in the box as it really is that important - from the perspective that the end results can affect others. It's the same issues with anti-virus software updates - a lot of people think installing from the box is all that's necessary.

    What amazes me is that some large companies have a 'no executables' download policy on their networks. This umbrella policy also stops Windows Update working correctly, leaving a lot of exposed machines. Microsoft has supplied a way for larger companies to have their own internal Windows Update server running that will get around this problem and allow updates, but in some cases, company policy seems to be more important than IT common-sense.

    Patches are important, they're just as important as those product recalls for exploding monitors/laptops and monetarily can probably cause more damage if not applied.

  4. Re:A SoBig Achievement by GabrielStrange · Score: 5, Interesting

    You know... If MS was really going out of their way to try to make systems running Windows be secure...

    They'd figure out some way to make it possible to run your Windows XP Pro system with a Limited (i.e. non-root) account without rendering it totally useless.

    The few programs I've actually managed to get running on a Limited account still don't seem to have the access they need to SAVE THEIR SETTINGS... So they need to be reconfigured every time they load up.

    And the only way I've figured out for dealing with that is to temporarily add the Limited Account to the administrators group, pull the network cable, log in with it like that, make the changes, log back out, remove it from the administrators group, reconnect network cable and run Ad-Aware and pray nothing went horribly wrong.

    Which is a bit of a hassle.

    --
    Please God, let me find my blue hat with the red trim. (Frances Farmer)