Tuesday, January 10, 2006
Interesting article, but is it right?
Professor Adam L. Penenberg has an article in Slate which argues that Microsoft products are just as insecure today as they were when Bill Gates announced the Trustworthy Computing Initiative.
Is it really that bad?
No. The easiest example to notice is in operating systems. If you take any Microsoft operating system before XP Service Pack 2 and connect it to the net without a firewall it will be taken over within minutes. XP Service Pack 2 will survive.
Microsoft's latest software for running web sites has been downright boring from a security point of view.
I don't think it's coincidence that the latest critical Windows security problem showed up in a very old part of Windows. If that corner of Windows were human it would be old enough to vote. New code from Microsoft is better than old code for security.
What about the details of Professor Penenberg's arguments? He points out some widely damaging incidents. They happened in the first year or two after the "Trustworthy Computing Initiative". That's only to be expected. Imagine that Microsoft suddenly began shipping perfect products. The world would continue having incidents with older products for many years.
More seriously, what he says about software development at MS is just plain under-researched. For example, speaking about a common kind of security vulnerability called "buffer overflows", he says
Worse yet, he brings up Trojan Horse programs as a problem with Windows. They can happen just about anywhere. Only a few really specialized (and unusable) systems can defend against them. Everybody in the real world is at risk: don't run programs from random strangers and think you'll get away with it just because you're on a Mac.
So, where is Microsoft in their security campaign? Can you relax now if you're a Microsoft customer? Heck no. In particular you have just got to get rid of the Internet Explorer web browser.
|
Is it really that bad?
No. The easiest example to notice is in operating systems. If you take any Microsoft operating system before XP Service Pack 2 and connect it to the net without a firewall it will be taken over within minutes. XP Service Pack 2 will survive.
Microsoft's latest software for running web sites has been downright boring from a security point of view.
I don't think it's coincidence that the latest critical Windows security problem showed up in a very old part of Windows. If that corner of Windows were human it would be old enough to vote. New code from Microsoft is better than old code for security.
What about the details of Professor Penenberg's arguments? He points out some widely damaging incidents. They happened in the first year or two after the "Trustworthy Computing Initiative". That's only to be expected. Imagine that Microsoft suddenly began shipping perfect products. The world would continue having incidents with older products for many years.
More seriously, what he says about software development at MS is just plain under-researched. For example, speaking about a common kind of security vulnerability called "buffer overflows", he says
The technique has been known for decades, yet Microsoft still hasn't come up with a way to defend against itThat's wrong twice over. The programmers at Microsoft use tools to check for buffer overflow risks before they ship the products, and once the products are running in the field they're defended by a clever (but admittedly incomplete) system which tries to stop the computer from running something that's not part of an expected program.
Worse yet, he brings up Trojan Horse programs as a problem with Windows. They can happen just about anywhere. Only a few really specialized (and unusable) systems can defend against them. Everybody in the real world is at risk: don't run programs from random strangers and think you'll get away with it just because you're on a Mac.
So, where is Microsoft in their security campaign? Can you relax now if you're a Microsoft customer? Heck no. In particular you have just got to get rid of the Internet Explorer web browser.
# posted by Frederick @ 6:26 PM Email to a friend:
Haloscan: they provide trackback