IDG.net: Microsoft: Bad security, or bad press?Sep 27, 1999, 21:52 (4 Talkback[s])
(Other stories by Elinor Mills Abreu)
[ This is a rewrite of the author's story in InfoWorld--about half of the content is new material--we believe all the quotes below are from the new material. - LT ed. ]
"Microsoft Corporation has been getting a lot of bad press lately over security vulnerabilities... But does this mean Microsoft software is less secure than other software? A variety of experts think so, claiming the software giant is offering more functionality at the expense of security."
" 'It's the dominant OS out there, so it's going to attract the attention. On the other hand, Windows has extremely sloppy security,' said Bruce Schneier, author of 'Applied Cryptography' and a founder and chief technology officer of Counterpane Internet Security Inc., a provider of managed security services in Minneapolis, Minnesota."
What often upsets people is that Microsoft hasn't learned from the mistakes made in older operating systems, noted Jon McCown, technical director of network security at the International Computer Security Association (ICSA) Inc. in Reston, Virginia. Categories of attack that are well understood are cropping up in Windows, he added."
"Windows is desktop software that 'was never really intended as network architecture,' said Jeff Tarter, editor and publisher of Softletter, based in Watertown, Massachusetts."
" 'Microsoft's OS was never designed with security in mind,' said Schneier. 'For Microsoft, security is always an afterthought.' One example is Microsoft's implementation of file-sharing networking services in Windows 95 and Windows 98... Microsoft made TCP/IP file sharing the default on Windows 95 and 98 without explaining the consequences of sharing files over the Internet to users who weren't savvy about network security..."
"Technical debates aside, most of the critics complained that Microsoft often treats security issues like PR problems that need to be averted and not resolved. ... For instance, the company downplayed the Jet/ODBC (open database connectivity) exploit in a Microsoft Security Bulletin over a year ago so that 'almost nobody' bothered to install the patch and users were caught off-guard when it made headlines recently..."