Microsoft Security Foundation is Cracked

The Blaster worm has caused (and likely will continue to cause) a lot of hassles for Windows users and network administrators. Its payload was relatively benign, since it wasnt designed to destroy data or PCs, but it did destroy something—Microsofts Trustworthy Computing initiative.

Trustworthy Computing has been on its last legs for a while, pummeled again and again by exploits of holes in Microsoft products, but Blaster has delivered the final, killing blow.

Im not attacking Microsofts coding prowess or the sincerity of the Trustworthy Computing initiative. In fact, since the inception of Trustworthy Computing, the code coming from Microsoft has been, for the most part, much better and clearly designed with security in mind. But that isnt enough.

If Im building a house, it doesnt matter if I use safer building procedures for the upper floors if the foundation is old and unstable. And thats the problem here: The Windows code base that is Microsofts biggest advantage competitively is also its biggest hurdle when it comes to building secure products.

The code that has been passed on from Windows NT to Windows Server 2003 is just too old, too big and too interconnected to ever fully secure.

Theres only one way the Trustworthy Computing initiative could work, and thats to build a new operating system from the ground up, with no legacy Windows code whatsoever. But thats probably not going to happen.

Discuss this in the eWEEK forum.