Now blogging at diego's weblog. See you over there!

microsoft and software quality

Murph posted a couple of comments regarding my previous entry linking to a article that said that a new study has found that three-quarters of security experts found Microsoft software to be unsafe. Murph was wondering if this was empty Microsoft bashing. His first comment said:

MS bad, everyone else good?

Don't anyone mention sendmail...

To which I replied:
No, I don't think so.

But I do think that as monopolists and having so much influence they should be more responsible with the products they put out there. They have the brainpower. They have the resources: $45 billion of them. They only seem to lack commitment, as long as they have no competition, they're ok.

And Murph added:
Its not so much that they don't have the commitment as that they've taken so long to realise that this is a serious problem and that they now have to do something about it.
This would maybe be acceptable (and I say maybe because given Microsoft's size and the resources they spend to kill competitors, I'm sure they could spend some time in security and quality) if it were true, but it's not. By Microsoft's own admission, they "didn't add security options to their software until their customers were ready to pay for it". Even their "security" is bad. Murph added to his second comment:
For example, XP has a built in personal firewall - although naturally its not enabled by default.

A better example is Windows 2003 server which turns usual MS policy on its head as by default no extras are installed and everything is locked down (really /really/ locked down - e.g. shares start out seriously read only).

Sorry, but that is not security, but rather the pretense of it. This amounts to a government saying "You are perfectly safe in this city, as long as you stay inside your house."

As an example of how they've mishandled things, take Java vs. ActiveX. Java is very secure for applets, while Microsoft made the conscious decision of letting ActiveX controls, downloaded from the Internet, execute with full privileges locally. Then they realized it was a bad idea, and they started adding "security zones" and a miriad of related options: patchwork. Why couldn't they sit down and think before releasing something?

It's the same case with Outlook, which is one of the greatest digital virus carriers of all time. It was full of holes. The solution? Patch after patch after patch. Finally, in Outlook XP, they added a new "feature" first, by default, executable files don't appear at all as attachments. Second, the automation clients that access the Outlook store require the user clicking a dialog box every ten minutes to provide authorization (default settings).

Finally, if "they were not aware, but they are now", what's this?

Final note: as I've said before, I'm not anti-Microsoft. I'm not pro-Microsoft either. I just think they should take responsibility for their immense power, and use all their money to start caring about users instead of extending their market dominance even further. (Or, hey, do both, but at least don't just care about dominance!)

Categories: technology
Posted by diego on April 2, 2003 at 1:46 PM

Copyright © Diego Doval 2002-2011.