Three quarters of IT security experts distrust Microsoft security
Posted on 1 Apr 2003 at 16:51
A survey of IT security experts has revealed that 74 per cent have security concerns over Microsoft's products, yet 89 per cent deploy applications that are critical to their company on the platform.
Furthermore, the same percentage of distrustful experts have suffered an attack in the past year that exploited flaws in the Windows platform, yet 40 per cent say they have no intention of improving security arrangements on their Windows deployments themselves.
Stuart Okin, Chief Security Officer for Microsoft UK, said: 'I'm glad that security is at the top of their priorities. It should be. Security is at the top of our agenda too. The industry has this problem to deal with as a whole.'
The survey, by Forrester Research, describes the current situation as having reached something of an impasse.
'Today's approach to Windows security isn't working - and just exhorting firms to try harder isn't the answer,' said author Laura Koetzle. 'When security incidents happen, users look for a scapegoat - and they find one in Microsoft. Meanwhile Microsoft crows about fewer security alerts being issued for Windows than Linux in 2002. And the open source community delights in branding Windows as hopelessly insecure.'
While Microsoft may claim fewer alerts, it is still producing a torrent of patches to shore up its products against the tide of potential attacks. This, says the report, is causing system administrators headaches, as they are unsure whether critical systems will still function if the patch is applied, and don't have the time to adequately test each and every one. The result is that patches are not applied, and successful attacks such as Nimda or SQL Slammer are taking advantage of holes that Microsoft patched up between 6 months and a year earlier.
The Bugbear virus, for example, exploits a vulnerability for which Microsoft had offered a solution some 18 months prior. Yet when the attack came, more than 2 million computers were infected.
The report urges Microsoft to create a single path for users to patch up their server systems, and offer security analyses of Windows server configurations. Okin agrees: 'We've got to reduce the amount of different update systems to a single system, and make that tool available to ISVs as a testing environment for their applications.'
He continued: 'If you ask Scott Charney [Microsoft's Chief Security Strategist] what the number one priority is at Redmond right now, he'll tell you: patch management.'
Okin said Microsoft would be reducing the number of installers over the next few years, while some security initiatives will be seen in Windows Server 2003 out this month; demonstrations of the formerly-named Palladium secure computing platform will happen this year. However, some of the other security drives from Microsoft won't be seen in public until the next versions of the platform.
The report goes on to suggest the company should build into Visual Studio .Net stricter security rules for code created using the environment, and work with other software manufacturers to certify that other software products won't fall over when patches are applied to the OS. It predicts Microsoft will 'tweak' its licensing system to favour a one Windows, one application arrangement, possibly through virtual instances of Windows.
For users, it recommends creating a tight number of configurations that are known to be secure and setting up control environments on which to test patches intended to be rolled out.
The survey also warns the Linux world not to rest on its laurels. 'Public perception of Microsoft's security will catch up with reality,' it warns. 'Linux distributors will no longer be able to supplant Windows by playing on customers' security worries.'
Printed from www.pcpro.co.uk

