Microsoft Insecurity: Is There No End in Sight?

Talking to a friend today whose law firm’s network was shut down by the Nachi worm, I really began to wonder if, despite its installed base and market share, Microsoft can survive much longer as the onslaught against its vulnerabilities seems to strengthen every day. When people are developing software simply to help businesses manage Microsoft patches, you know that it’s not funny any more.
To highlight the issue, Microsoft announced two more critical updates today.
What follows is a group of articles I’ve noticed just in the last couple of days. I think that it is important to read them as a group and decide how big these issues are and the patterns that continue to arise. And, most important, to come to grips with your answers to the question: what does it take to continue to live in a Microsoft environment?
“Microsoft celebrates fifteen years of poor security” is a history of Microsoft security problems along with an explanation of some of the underlying technical issues, all of which leads to the conclusion that we will likely see more security problems.
Scott Berinato’s article on CSOonline.com called “Patch and Pray” neatly sums up the issues of trying to cope with critical updates and the quandaries IS departments have in trading off security against stability. As the intro to the article says, “It’s the dirtiest little secret in the software industry: Patching no longer works. And there’s nothing you can do about it. Except maybe patch less. Or possibly patch more.” Unfortunately, that just about sums things up.
Jaikumar Vijayan’s article in ComputerWorld called “Patching Becoming a Major Resource Drain for Companies” also addresses the issues of the costs and the difficulties of implementing patches and updates.
Robert Vamosi on Anchordesk writes about the end of viruses, suggesting that firewalls and regular upgrades are becoming vitally important.
Ironically, many Windows XP users are unaware of even the firewall built into XP, let alone more industrial strength approaches.
As I mentioned above, the sheer number of patches has created a software business niche for patch management software.
I attended a Microsoft event last year where Steve Ballmer spoke directly to security issues and pointed out that many of the viruses and other exploits are written to vulnerabilities for which patches are available. Blaster and the recent round of viruses are examples of this and patches have been available, along with warnings to install them.
Our general laissez-faire attitude to security patches (in no small sense aggravated by the hours of time required to download patches over a dial-up connection) certainly does not excuse Microsoft, but the combination of Microsoft vulnerabilities and a completely unsuccessful system of patch delivery has created a warm and friendly environment for viruses to grow and play.
Still, when we hear that Microsoft is considering ways to force updates automatically, we get very nervous, especially after earlier updates hosed a good number of computers.
Add to that the other dirty little secrets of metadata or hidden information automatically stored in documents and weaknesses in how Windows handles passwords, and it seems like we are doing enough damage to ourselves that “cyberterrorists” really don’t have to do anything.
There’s really no end to the constant drip-drip-drip of security updates because Microsoft will not release a Service Pack 2 for Windows XP (presumably collecting all fixes) until the second half of 2004. This means that there will likely be a two-year gap from SP1 to SP2. Will that help matters? I can’t see how it would.
Expect to see even more articles like “Small Firms Ignore Security Protection,” “Geeks Grapple with Virus Invasion,” “Worm Exploits Weak Link: PC Users,” and the like.
Finally, where are law firms today? One I know is completely down today due to a virus. According to Law.com, some of the most prominent law firms in the country have been hit hard by the recent series of viruses and worms. Given the preventability of these problems and the well-known refusal of many lawyers to learn even the most basic common-sense approaches to dealing with potential email viruses, firms that are shut down by these exploits really need to take a look at what they are doing wrong and get it addressed quickly.