The Mac Observer

Security Firm Says Microsoft's Effort To Make Windows Secure Gets Failing Grade

12:00 PM EST, January 31st, 2003

Hold on to your hats, because a security company has given Microsoft a failing grade on its effort to make Windows secure. Those who do things like read newspapers, or Internet news sites, or even just surf the Internet may be shocked by that pronouncement, but that's what ZDNet is reporting.

The report was prompted by the latest Windows exploit to cause problems on the Internet, a worm called SQL Slammer. That worm was responsible for slow-downs on the Internet this past week experienced by TMO staffers, our forum members, and reported throughout the media. We point that out, because a recent editorial from Mac baiter John C. Dvorak said that he couldn't find any examples of Internet slow-downs caused by SQL Slammer, and faulted the media for causing a scare. Better yet, he suggested that the hubbub over the worm was possibly a conspiracy to promote anti-virus products. Seriously.

In any event, according to ZDNet, TruSecure Corp. has given Microsoft an "F" on security since the company publicly made security Job One. From ZDNet:

Computer security experts said on Thursday the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F.'"

The worm, which exploited a known vulnerability in Microsoft's SQL Server database software, spread through network connections beginning on Saturday, crashing servers and clogging the Internet.

It hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority.

Microsoft placed responsibility on computer users who failed to install a patch that had been available since at least last June.

"The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney told Reuters.

But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.

"Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."

[...]

"The problem is the whole patch regime has lots and lots of problems," [Richard M. Smith, a Cambridge, Massachusetts-based computer security consultant] said. "It would be much better if the software shipped from Microsoft with fewer problems to begin with."

There is much more in the full article at ZDNet's Web site.

The Mac Observer Spin:

Color us just as shocked as you are. One might think that a company that has paid only lip service to security for more than two decades could miraculously turn things around in only a year.

For those keeping score at home, please note the liberal amounts of sarcasm that drench today's coverage on this topic. Indeed, the only thing that we truly find mystifying about this whole topic is that the lemmings keep lining up to buy Microsoft's Windows offerings.
