Microsoft just endured one of its worst years ever when it comes to security problems, which is really saying something. And to top things off, it ended the year with a near flood of trouble—from new viruses attacking Outlook to holes in IE 6.0 to vulnerabilities in SQL Server to a serious hole in its "most secure" operating system, Windows XP.
Whenever I bring up Microsoft security problems, someone is bound to say something like "They have the most problems because they are targeted more than anyone." There is a bit of truth in that, but the company could make life a little harder for people who are targeting it.
Instead, Microsoft—again and again—allows security to play second banana to whatever cool, new productivity feature it wants to add, no matter how much lip service it pays to improving security.
When Microsoft introduced active content in Outlook, we, along with many in the security community, said it would create a security risk. But Microsoft blew these warnings off as theoretical and, instead, touted the gains that would be made by making mail more automatically responsive. The same things were said about programming in Office documents, ActiveX in browsers and poor default configurations in IIS.
Every time, Microsoft decided to tout marginal features now and deal with the security fallout later.
Now we have a major problem in Windows XP that makes it possible for attackers to remotely take over systems. Was this a surprise?
Of course not. Every review we did brought up the potential security risks of all the remote management and automated remote features in Windows XP. But Microsoft simply responded that Windows XP is the most secure Windows operating system ever, and, hey, aren't those remote features cool?
Will this change?
On the server side, Microsoft seems to be making good moves to make systems more secure by default. However, when it comes to productivity and general-use products, I think that worries about potential security risks will always be pushed aside to make way for the latest cool, new feature.
Does Microsoft sacrifice security in favor of new features? Let me know at firstname.lastname@example.org.