Microsoft Will Never Plug All Its Security Holes Says Gartner Analyst

Farmers have long known that monoculture crops are far more vulnerable to disease than mixed crops. Now the information technology world is belatedly discovering an analogous weakness exists in that vast software monoculture we call Microsoft products.

As Neil MacDonald, a Gartner Analyst points out in an article for CNET News, not only are there many security vulnerabilities in Microsoftis products, there is no way for Microsoft to provide a fix for all of them. Worse, Microsoftis business model provides little incentive for the software behemoth to waste resources in a futile attempt to find and plug all the security leaks.

According to MacDonald:

The constant inclusion of new features in Microsoftis software, and the bundling of new technologies into Microsoftis OS and application products, have created large, monolithic applications that are impossible to debug for all security vulnerabilities. For example, by various estimates, Windows 2000 contains 30 million to 40 million lines of code, and the development team involved thousands of people.

New technologies that Microsoft is working on for its Microsoft.net initiative are only going to increase the number of security vulnerabilities in the future. For instance, MacDonald says,

Microsoftis ActiveX programming model provides no mechanism for "sandboxing" code, Its digital signature mechanism provides insufficient protection for the use of ActiveX controls on the Internet.

But perhaps the most alarming evidence presented by MacDonald is of Microsoft apparent lack of concern:

Microsoftis development process has not fundamentally changed with respect to security. Microsoft still does not make security training mandatory for its developers. Microsoft has found that being reactive to security works well; it quickly fixes newly identified bugs. This approach is easier than preventing the vulnerabilities from occurring in the first place.

Security is important to Microsoft but only to the extent that it does not inhibit the adoption of its products.

Read the entire analysis from the Gartner Group for more information. It is a very good read.