Security Firm Says Microsoft's Effort To Make Windows Secure Gets Failing Grade

Hold on to your hats, because a security company has given Microsoft a failing grade on its effort to make Windows secure. Those who do things like read newspapers, or Internet news sites, or even just surf the Internet may be shocked by that pronouncement, but that's what ZDNet is reporting.

The report was prompted by the latest Windows exploit to cause problems on the Internet, a worm called SQL Slammer. That worm was responsible for slow-downs on the Internet this past week experienced by TMO staffers, our forum members, and reported throughout the media. We point that out, because a recent editorial from Mac baiter John C. Dvorak said that he couldn't find any examples of Internet slow-downs caused by SQL Slammer, and faulted the media for causing a scare. Better yet, he suggested that the hubbub over the worm was possibly a conspiracy to promote anti-virus products. Seriously.

In any event, according to the ZDNet, TruSecure Corp. has given Microsoft an "F" on security since the company publicly made security Job One. From ZDNet:

Computer security experts said on Thursday the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F.'"

The worm, which exploited a known vulnerability in Microsoft's SQL Server database software, spread through network connections beginning on Saturday, crashing servers and clogging the Internet.

It hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority.

Microsoft placed responsibility on computer users who failed to install a patch that had been available since at least last June.

"The single largest message is: keep your system up to date with patches," Microsoft Chief Security Officer Scott Charney told Reuters.

But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft didn't follow its own advice as executives confirmed that an internal network was hit by the worm.

"Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."

[...]

"The problem is the whole patch regime has lots and lots of problems," [Richard M. Smith, a Cambridge, Massachusetts-based computer security consultant] said. "It would be much better if the software shipped from Microsoft with fewer problems to begin with."

There is much more in the full article at ZDNet's Web site.