Microsoft: Insecure, as Always

The cost of the company's doctrine of "features first" is becoming too great.

Microsoft's corporate vice president for the Windows client, Tom Button, told this month's WinHEC attendees in Seattle that the company recognized its need to "nail the fundamentals." Coming in a week when Sasser infections were spreading around the world, Button's declaration was ironic and his choice of verb unfortunate. His remarks may have triggered graphic images in the minds of frustrated users and IT managers, as they perhaps envisioned nailing the hides of the architects of Windows to the nearest available wall.

In most of the previous high-profile IT security incidents, one could argue the burden was on IT buyers to warn their users against the hazards of opening attachments, let alone downloading software of doubtful provenance. The Sasser worm—family of worms, to be more precise—has awakened a new and more incendiary anger by attacking systems without any aid from their unwitting users.

Sasser compounded the insult, moreover, by attacking through a hole in a piece of code—the Local Security Authority Subsystem Service (LSASS)—that's actually supposed to be managing security functions on users' machines. Worst of all, Sasser advertised the emperor's nakedness by using a form of exploit—the buffer overflow—that has been discussed in theory for almost 50 years and has been known in practice since the early 1970s. So much for reviewing and fixing old code before writing new.

Button's WinHEC speech went on to lament, with breathtaking lack of tact, the slow pace of Windows 9x users' migration to Windows XP. "Most of the opportunity here," he said, "is not about selling a retail copy of Windows XP onto an old piece of hardware; it's really about helping people understand the benefits of moving onto a new PC or of adding a new PC to their lives." When users of Windows 2000 and XP are frantically patching their machines, while users of the aging Windows 9x look on in sympathy but with far less need to worry, those benefits may be difficult to discern.

And when Sun is sitting in the lobby, ready to offer a flat rate of $100 per employee per year for a productivity solution that is not an ongoing security nightmare, the word for Microsoft's situation may not be so much "opportunity" as "peril."

Microsoft can no longer credibly assert that minimizing user burden is more important than maximizing integrity of operation. The cost of the company's doctrine of "features first" is becoming too great, and users today are far more ready to take on the burden of enabling their machines to do only what's desired: to "deny by default" rather than "enable on install."

Enterprises likewise need to demonstrate determination to take back control of their own technology base, tailoring it to their needs instead of accepting any vendor's agenda. And Microsoft needs to think of its users, not its PC OEMs, as its ultimate customers.
