Windows Not Trustworthy

On Sept. 10, Microsoft announced yet another serious flaw in its Windows software that renders its customers vulnerable to Internet attacks. The company told its customers to immediately apply a patch or risk hackers seizing complete control over their computers. Frightening as it is, this latest security flaw is only one of many that have appeared since Microsoft launched its corporatewide Trustworthy Computing initiative last year. As Microsoft continues its march toward trustworthy computing, more people are finding themselves on the losing side of the relationship.

Bill Gates sent a memo to staff and customers laying out Microsoft's mission to make Windows software more trustworthy. But the time, money and people required to apply security patch after patch after patch show that Redmond still has a long row to hoe before the problem is fixed—if in fact it can be fixed.

It's ironic that LovSan, the Internet worm that infected and crashed home and office computers running Windows, contains computer code that includes a phrase that tells Bill Gates to stop making money and repair his company's software.

It's even more ironic that technical specialists at companies spent hours installing a patch, only to learn that the worm ultimately makes infected machines attack Microsoft's patch update page.

The continuing parade of security patches is leading many customers to the conclusion that they can't trust Microsoft to give them secure software. Windows Server 2003, software aimed at big corporate customers and part of Microsoft's line of Trustworthy Computing products, already has a major flaw that seriously compromises computer systems and affects most versions of Windows. Even the Server 2003 patch Microsoft issued was buggy.

Microsoft has sent out hundreds of security bulletins since the late 1990s—in fact, there were 72 patches in 2002 alone. This rate of patches continues in 2003.

It would cost about $3,300 per corporate server to test and deploy all 72 of the patches Microsoft issued in 2002. For a company managing 100 servers, that's more than $300,000.

Large businesses that are Microsoft shops—and most of them are—run as many as a thousand servers in each Microsoft server group, and a company can have multiple groups. That adds up to serious money.

To earn the trust of computer users and corporate customers everywhere, Microsoft has to do more than declare a strategy. Trustworthy computing? Just ask the millions of people who are downloading the latest Windows security patch.

Bob Cancilla is managing director and founder of Ignite/400, a 6,500-member IBM AS/400 user group.
