New alerts have analysts doubting MS security

A string of new security alerts from software maker Microsoft Corp. this week has prominent industry analysts and security experts predicting that the company's goal of making its software secure may remain elusive.

In January, Microsoft Chairman and Chief Software Architect Bill Gates outlined a new "Trustworthy Computing Initiative," promising to make security a top priority in Microsoft's software development -- trumping even functionality. Microsoft had long been criticized within the industry for software development practices that often favored functionality and convenience over security.

Despite Gates' announcement, however, the steady stream of security alerts from the Redmond, Washington-based company continues, reaching 57 so far this year, according to Microsoft's own count.

Since Wednesday, Microsoft has posted four security alerts concerning products ranging from the company's core Windows operating system to a software development kit (SDK) used to integrate Windows applications into the UNIX operating system.

Among those alerts was a warning rated 'critical' by Microsoft concerning the Windows Help feature, which provides assistance to users with questions about the operating system or specific applications. It was discovered that a flaw in an ActiveX component used by Windows HTML Help could allow a remote attacker to assume the role of a user on a Windows machine.

Another posting issued a patch for the company's SQL Server product, including fixes for four newly discovered vulnerabilities.

The company's continuing woes on the security front have industry analysts wondering aloud whether Microsoft will be able to fulfill the promise of trustworthy computing anytime soon.

Despite its good intentions, experts say, the company must still struggle with a stable of large, complicated software products and the continuing demand for new features in those products.

"Microsoft has two major issues to deal with," according to Rich Mogull, research director at Gartner Inc.'s Gartner G2.

"One is a cultural change. Innovation always took precedence over other factors at Microsoft -- getting products out quickly," Mogull said. "The other issue is that (Microsoft) has a massive code base to deal with. They have hundreds of products on the market and millions of lines of code that they produced (prior to the Trustworthy Computing Initiative)."

According to Mogull, Gartner is cautioning its customers about continuing security problems in Microsoft's products, despite the vendor's high-profile emphasis on security.

Alan Paller, director of the SysAdmin, Audit, Networking and Security (SANS) Institute, agreed, and offered another possible explanation for the high number of security flaws in Microsoft's products: the comparatively young age of the products.

"We've seen that the number of (security) vulnerabilities in software applications is related to two factors: the number of lines of code and the newness of the product," said Paller.

"Apache isn't better than (Microsoft's) Internet Information Server, it's just older. Older and smaller, and that means fewer new bugs," said Paller.

What is needed, Mogull says, is a transformation of the company along the lines of the one that took place in the mid-1990s, when Microsoft shifted from being a desktop-focused to an Internet-focused business.

"Microsoft showed strong leadership before getting on board with the Internet, but this is an even bigger change. The Internet was about missing an opportunity to innovate, whereas with security it's about changing the face of the products that are out there. You can't develop as quickly, you can't release products with all the features turned on, and you have to be more responsive to security."

While Paller gives Microsoft high marks for the company's new focus on security, he's skeptical that Microsoft will be able to turn the corner on security vulnerabilities anytime soon.

"Microsoft is doing a better job than anybody except (Red Hat Inc.) at automating updates and kicking their programmers (to think about security), but they're also continuing to produce more lines of code and newer things. In five years, Microsoft's products will still have more vulnerabilities than other products."

Another needed change is for Microsoft's customers -- and those of other software vendors -- to start taking security flaws seriously, Mogull said.

"What we need is for the market to push back. We need to have businesses exert market forces and hold vendors liable for products," said Mogull.


Paul Roberts