microsoft and software quality


Murph posted a couple of comments regarding my previous entry linking to a News.com article that said that a new study has found that three-quarters of security experts found Microsoft software to be unsafe. Murph was wondering if this was empty Microsoft bashing. His first comment said:

MS bad, everyone else good?

Don't anyone mention sendmail...

To which I replied:
No, I don't think so.

But I do think that as monopolists and having so much influence they should be more responsible with the products they put out there. They have the brainpower. They have the resources: $45 billion of them. They only seem to lack commitment, as long as they have no competition, they're ok.

And Murph added:
Its not so much that they don't have the commitment as that they've taken so long to realise that this is a serious problem and that they now have to do something about it.
This would maybe be acceptable (and I say maybe because given Microsoft's size and the resources they spend to kill competitors, I'm sure they could spend some time in security and quality) if it were true, but it's not. By Microsoft's own admission, they "didn't add security options to their software until their customers were ready to pay for it". Even their "security" is bad. Murph added to his second comment:
For example, XP has a built in personal firewall - although naturally its not enabled by default.

A better example is Windows 2003 server which turns usual MS policy on its head as by default no extras are installed and everything is locked down (really /really/ locked down - e.g. shares start out seriously read only).

Sorry, but that is not security, but rather the pretense of it. This amounts to a government saying "You are perfectly safe in this city, as long as you stay inside your house."

As an example of how they've mishandled things, take Java vs. ActiveX. Java is very secure for applets, while Microsoft made the conscious decision of letting ActiveX controls, downloaded from the Internet, execute with full privileges locally. Then they realized it was a bad idea, and they started adding "security zones" and a miriad of related options: patchwork. Why couldn't they sit down and think before releasing something?

It's the same case with Outlook, which is one of the greatest digital virus carriers of all time. It was full of holes. The solution? Patch after patch after patch. Finally, in Outlook XP, they added a new "feature" first, by default, executable files don't appear at all as attachments. Second, the automation clients that access the Outlook store require the user clicking a dialog box every ten minutes to provide authorization (default settings).

Finally, if "they were not aware, but they are now", what's this?

Final note: as I've said before, I'm not anti-Microsoft. I'm not pro-Microsoft either. I just think they should take responsibility for their immense power, and use all their money to start caring about users instead of extending their market dominance even further. (Or, hey, do both, but at least don't just care about dominance!)

Categories: technology
Posted by diego on April 2 2003 at 1:46 PM
Comments (please see the comments & trackback policy).

Whilst its hard to argue with most of that (although I do get to mutter things about .NET's security being in a whole different league to that which has gone before).

What I do struggle with is the notion that they're bad /now/ because they were - without question bad (or at least naive) in the past.

And the comment on 2K3 is disingenuous, one of the criticisms repeatedly levelled against MS has been that their products are full of holes by default (and they have been) so one of the things they do is address this issue. The next bit - well we don't know yet do we?

And lest we forget, there are as many advisories for linux and related as there are for Windows so MS are clearly not the only ones we need to watch.

Posted by: Murph at April 2, 2003 3:51 PM

But you see, they haven't learned. The fact that they have to start releasing security patches for everything new they do (PocketPC, .Net, and so on) proves it.

Clearly Linux also has problems, I agree. Microsoft is certainly not the only one to blame for the sorry state of computer security. But (I promise I won't repeat this) to me the issue is that they have enough money, people, resources, and market control, to effect change. They should get the ball rolling, rather than having to be pushed along as it is the case now and has been for years. It's simply their responsibility after having conquered so many critical markets, starting with the OS market.

Posted by: Diego at April 2, 2003 4:50 PM

The MS security problems are additionally compounded by the fact that Joe HomeUser runs Windows with adminstrator priviliges (akin to running Linux as root). At least if you are a sane Unix user, a virus or malicious code will only wipe out your personaly files, and not OS files.

But, let's forget that the software-buying public has to share the blame. They are not ones to demand security, and only consider it a problem when they are bitten by the lack of it. Only recently are we starting to see backlash, and this is not because os some mass revelation than MS software lacks adequate security, but rather because said lack has caused numerous problems lately.

Posted by: Dave at April 2, 2003 7:54 PM

I disagree MS's pas tmsitakes in security and other design errors are cumulative over time because it takes a full redesign to get rid of the errors even if not doign for securiyt sake..

Its like patching a bad design of house you will continue to patch unitl the house finally falls down into ruins..not a very good plan by the way :)

and MS is supposed to be better infrokmed and professional displicined than its customers..putting the blame on cusomters is a bit naive and FUd like..

Posted by: Fred Grott at April 2, 2003 8:14 PM

Like you, I'm not anti- nor pro-microsoft, either. And, I agree with all but one of your arguments.

The post to which you refer, saying:

"from the not-really-a-surprise dept: Microsoft due to release security fix for Phone OS. One would think that after screwing up so badly in security for desktop OSes Microsoft would have learned its lesson right? I guess that this proves that the flaw is inherent in the architecture imposed by Win32/COM and now .Net. Good thing most new phones run Symbian."

That Microsoft finds and deals with a bug in their Phone OS-thing could equally well be because they have, over the years, built good routines to find bugs and issue patches, not necessarily because their software has more bugs than other Phone OS'. Just because there is no security bugfix for other phones doesn't mean that those phones are more secure or bug-free, *only* that the makers of those have not issued patches for it.

Or, in short, "Absence of evidence is not evidence of absence".

Posted by: Tomas at April 4, 2003 12:31 PM

Copyright © Diego Doval 2002-2007.
Powered by
Movable Type 3.35