Slashdot Mirror


Microsoft's Security Report Card

Decaffeinated Jedi writes "In January 2002, Microsoft launched an initiative called 'Trustworthy Computing' aimed at building better security into its products. It's now two years later, and News.com serves up a report card evaluating Microsoft's efforts. Kevin Kean, a group manager at Microsoft's Security Response Center, points out that customers are better off now than they were before the company made the move to refocus on security issues. An analyst quoted in the article, Stephen O'Grady, agrees that he would give Microsoft 'improved marks,' but also notes that the company is not yet where it needs to be in terms of security. He goes on to suggest, however, that 'the numbers indicate that they are at least taking it seriously.' It sounds like Microsoft might have earned itself an Incomplete on this report card."

9 of 354 comments

  1. Can't get into Yale with this... by dominion · · Score: 4, Interesting

    And so we have a report card that wouldn't get you accepted to a state university, by the largest, most economically endowed entity in the world.

    I'm sorry, Microsoft, but you have to be held to higher standards, not lower. Open source is able to do better with infinitely less.

    If a bunch of hobbyists were able to colonize the moon, would we hold back any criticism of NASA?

    Or maybe we've just figured out a better way of doing things. In which case, maybe the soft spot for the dinosaurs is somewhat warranted.

    1. Re:Can't get into Yale with this... by Malor · · Score: 5, Interesting
      I don't know what planet you're from, but on EARTH, we Linux admins have been scrambling just as desperately as Microsoft admins for the last year or so.

      I've had a hypothesis for some time that the security flaw rate in Linux would decline over time and eventually approach zero, where Microsoft's would stay essentially constant. I believed this would happen because the Linux source was open and all the security holes would gradually be found and squashed, where the Microsoft source, being closed, wouldn't be as closely examined and would remain a fertile field for new exploits forever.

      Well, in 2003, my pretty little hypothesis sure wasn't looking too good. I haven't actually compared numbers, but I felt like there were just as many bad critical bugs on Linux as there were on Microsoft. From my perception, the Linux rate rose, while the Microsoft rate dropped, which is exactly opposite what I was expecting.

      I still believe that closed source is "fake" security, and that the only way to get REAL security is for everything to be open, but in terms of actual number of published exploits, both systems appear to be about equal at the moment.

      And the standards to which Microsoft needs to be held are pretty much immaterial; only Microsoft can fix that code, where anyone can, in theory, fix bugs in OSS. Personally, I think we can use them as a yardstick, but we shouldn't be flinging mud.... very many more years like 2003, and they'll be flinging lots more of it back at us.

      In 2003, OSS security sucked. I hope 2004 is better.

  2. Re:Let's be honest by littlerubberfeet · · Score: 4, Interesting

    Common sense is a job for all of us, including Microsoft. Most vendors use common sense when they delay a product release due to security problems. Microsoft has historically not done that.

    I think that it is great that less critical problems are being found now than with Windows 2000, and I hope the trend continues.

    As an aside, I installed OS X on my grandmother's computer, and until now, forgot about her. Thanks for the reminder to write. Unfortunately, even that is not maintenance-free. Apple has had their own security problems of late.

    How about an honest embrace of common sense?

  3. Re:Let's be honest by jamwt · · Score: 3, Interesting

    Is any software really at the point where we can install it and forget about it?

    Qmail is pretty damn close.

  4. Re:Wait a minute... by AstrumPreliator · · Score: 3, Interesting

    Okay, here is the article.
    ITB: Security starts with the developer. What do you think that developers can do to harden their apps and how is Microsoft helping with tools?
    BG: You don't need perfect code to avoid security problems. There are things we're doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things.

    So why are we grading Microsoft on security when it is apparently the consumer's responsibility? I'm not saying I disagree with taking responsibility as a consumer, but I don't think Microsoft is adequately doing their job.
  5. I think a fairer summary is... by darnok · · Score: 4, Interesting

    that they've discovered their security problem is much bigger than they thought it was.

    Sure they've progressed in that there are more known security holes fixed now than there were 1-2 years back, but there are also far more security holes that have been identified, and at (seemingly) a much faster rate than 1-2 years ago.

    In other words, 2 years ago, they rated a 4/10 in terms of security. Today, I'd say they probably rate 20/50. Overall, my impression is that they've essentially stayed in place in terms of removing security holes from their products.

    If you think that I'm being unfair, consider how long it's taking new security holes to get fixed now versus 2 years ago - it seems to be generally longer.

    Also, consider that MS has now taken the step of bundling security updates into big bunches, to ease the pain of applying them - that they've had to resort to this is a reasonable indication (IMHO) that the quantity of security holes being *fixed* has gone up significantly.

    Finally, consider the rate at which security holes are being uncovered - it would have to start dropping off dramatically if MS was being successful in fixing their problems. That certainly doesn't seem to have happened.

  6. Re:Let's be honest by j3110 · · Score: 5, Interesting

    I have to give MS two thumbs up. They now have automatic updates pushed to clients. They also have the Server tools to cache the updates locally for networks, and push them from there so you can hold updates back if they break some internal software.

    MS is also working on more secure technologies like .Net. In the future, code written for windows will be written in .Net by default, and buffer overflows will pretty much go away.

    MS is working on code signing at every level of the system. This means no more boot viruses, no more trojans.

    MS is still lacking on speed to update. The RPC bug was on the streets long enough for exploits to be written BEFORE they got even the smallest patch out. The big worms came after they did get the patch out, but people weren't updating.

    Where does Linux stand in all of this?

    Updates are usually still handled manually with apt-get update/upgrade. RedHat has live notification, but it's still done manually for the most part, which slows down the process. There are ways of caching apt packages for internal use by making your own apt source, but they can be difficult to implement. You can do similar things with RedHat, but there isn't a lot of work being done in this area.

    Open Source developers still hug C and hate most anything running in any other safer languages because of performance. Despite it actually costing more man hours to manually go out and install new versions of SSH, bind, sendmail, etc. every 3 months, for some odd reason open source developers value cpu clock cycles on a machine that sits idle 99% of the time more than an actual person that can hardly find 5 minutes, and usually admins so many computers it turns into an all-nighter.

    Open Source people see code signing as a way to enact DRM and are fighting it.

    Open Source releases updates within minutes of being aware of possible security problems; sometimes it can take an hour or a day on less critical projects, but for the most part updates are very quick.

    I see progress in MS land, but Open Source people are fighting the future, and are living in status quo. There's no reason why 99% of the daemons out there couldn't be written in Python or Java (with Kaffe even). There's no real reason to fight TCP yet.

    --
    Karma Clown
  7. Re:Let's be honest by TyrranzzX · · Score: 4, Interesting

    You forgot a few things in your honesty, as I'm sure I'll forget a few from mine.

    1: Microsoft has been convicted of antitrust violations. Hence why .net can't be used by linux programmers.

    2: Blaster.

    3: Many linux groups are still nitpicky crazy people who, instead of agreeing and compromising, bicker. Even more are lazy, or greedy, or just plain stupid.

    4: Open source people see Microsoft's code signing as a way to enact DRM, which is a polite way of saying they want total world domination. Many linux gurus like the idea of code signing; they just don't like Microsoft, and they have good reasons.

    5: Linux, netware, and other operating systems are still used for servers more often than Microsoft's software. MS's software is only used on desktops because everyone knows it. I've used KDE on suse 8.1; it works well for anyone except power users, and I see no reason for ma n' pa to spend $300 on a new copy of winxp so they can check their e-mail.

    6: Coding tools for linux exist that are open source and that work well. Not everyone is coding in C. .Net isn't unique.

    7: Linux is known for its efficiency. On a server, efficiency > ease of use. Ms's software was designed for idiots; Linux was designed for people who know what they are doing. Linux is for the person who says "my power supply blew out last storm, I'll replace the fuse and see if it works" whereas microsoft is for people that say "computer doesn't work = replace computer".

    I see progress for both linux and windows. I see more mind-blowing applications coming out for linux next year, and I also see the first idiot-proof interfaces coming into being. I don't see microsoft living up to their security bullshit, which they've had several years to implement but haven't. You can say "they're getting better" all you want, but is their security really better than it was in 2000? I see more DRM being brought into play, and it being either accepted or rejected on an individual basis. Ultimately, in 10 years, I see microsoft becoming a linux distributor, whether announced or unannounced.

  8. Same goes for Apple by Tune · · Score: 3, Interesting

    >Microsoft don't make secure products because the programmers are directed by the management to prefer a nice shiny GUI instead of security.

    Apple has some good programmers
    Apple management has a GUI focus

    Still Apple doesn't make conceptual security flaws like requiring root privilege for any user to perform even the most basic tasks.

    --
    Every program has two purposes -- one for which it was written and another for which it wasn't.