Fair is fair

Here’s why Microsoft Corp. is a laughingstock when it comes to security: Last week, security researcher Georgi Guninski announced that he had found two more holes in Microsoft’s Office XP. Guninski actually found the holes in mid-March and notified Microsoft on March 17. After two weeks passed without Microsoft issuing a patch or work-around, Guninski went public.

What has been Microsoft’s response? A belated work-around for one of the security holes and a complaint that Guninski had gone public “before we’ve had a fair chance to investigate.”

Fair? Fair! Wait, it gets better … Microsoft’s official statement went on to say that Guninski’s report: “may put our customers at risk … Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk.”

That’s pathetic. It’s laughable. Those security holes are in Office XP because that’s how Microsoft shipped the product. The company has been shipping products for years that are badly designed and poorly tested from a security standpoint. And Microsoft refuses to stop shipping products it knows are faulty.

Microsoft is also a notorious foot-dragger when it comes to admitting security vulnerabilities and issuing patches and work-arounds. And when the company does issue a security patch, far too often the patch ends up breaking something else or worse, it opens a new security hole.

That’s what’s neither fair nor responsible. That’s what puts Microsoft’s customers needlessly at risk. Nobody else created this situation. Microsoft made this mess. And all the finger pointing is just cheating Microsoft’s customers.

Let’s cut to the chase here: So far, Microsoft’s big security initiative called “Trustworthy Computing” has been a joke. It’s produced nothing but hot air and hand waving. That’s all we’ll get unless somebody in Redmond throws some real money and real clout at making Microsoft products more secure.

How? Microsoft could start by creating SWAT teams that treat a security hole as a crisis that poses an immediate threat to customers, not just an annoying public relations embarrassment. The teams would produce a work-around to a security hole in hours or days, not weeks or months. Teams that get the resources they need to define fixes properly and test patches thoroughly and quickly.

Then Microsoft could begin finding security holes on its own, instead of waiting for those horribly “unfair” outside security researchers to do it. That means creating a new class of software testers at Microsoft: testers whose goal is to break Microsoft products in any way possible, to find all the design flaws and coding errors that make the software vulnerable, whether they were in the specification or not.

Those code-busters will be pariahs among programmers and product managers. They’ll have to think and act like Microsoft’s worst enemies, attacking products from every possible angle and with every possible tool. They’ll have to keep attacking, even after products ship. Especially after products ship.

Their efforts to uncover holes and find problems will be useless unless those problems are fixed. Which means Microsoft would have to give them a boss who has enough clout to stand up to anyone in the company (any product manager, any executive, any chief software architect) and tell him a product has holes and must be fixed now, and damn the niceties and the shipping schedule.

Would SWAT teams or code-busters or a chief fix-it-damn-it officer solve all of Microsoft’s security problems? Probably not. But with a real investment in security, Microsoft could do a lot less whining about “unfairness,” and a lot fewer people would think Microsoft’s commitment to security is a joke.

Frank Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.