Fifteen months after the launch of its much-vaunted Trustworthy Computing campaign, Microsoft security still has a black eye, its critics charge, although the company correctly argues that the results of its security initiative aren't immediately obvious. "We understand that achieving the goals of Trustworthy Computing will not be an easy task and that it will take several years, perhaps a decade or more, before systems are trusted the way we envision," a Microsoft spokesperson said this week. "We are working to address existing security concerns, including patch management. This is only the beginning, and we are confident that customers will continue to see additional progress over time."
Another issue is administrator responsibility. Microsoft had previously patched most of the worst vulnerabilities that attackers exploited in recent years. As the report notes, "Too few firms are taking responsibility for securing their Windows systems"; instead, they blame Microsoft for their woes. The recent SQL Slammer worm is a classic example. The company had issued several fixes for the vulnerability the worm used, and if SQL Server administrators had kept their systems up-to-date, the worm wouldn't have been so devastating. The report states that Microsoft released patches for the last nine "high-profile Windows security holes" an average of 305 days before any attack took place, but administrators often didn't install the updates. In other words, most security snafus are avoidable.
But, as any Windows administrator can tell you, Microsoft's convoluted patch-management system is in dire need of an update: each product the company releases seems to follow its own update regimen. Recent advances in the company's Windows Update and Auto Update software should merge into Microsoft's other products soon and give the company a centralized and automated way to keep all its software updated. In the meantime, administrators are forced to wrestle with the myriad ways they receive bug notifications, install updates, and keep systems running smoothly. And the fact that many patches require system reboots doesn't help.
Looking forward, Windows Server 2003 will be the first big test for Microsoft's security initiative, as the OS will be the first major product the company has shipped since it embraced Trustworthy Computing. However, analysts say that Windows 2003 uptake is expected to be slow for a variety of reasons, including the war with Iraq, the continually stumbling economy, and an impression that the product is just a minor upgrade to Windows 2000. The Yankee Group says that only 12 percent of current Windows Server users plan to upgrade to Windows 2003 this year, down from the 30 percent who upgraded to Win2K Server within the first 12 months of its release.
One of the biggest reasons to upgrade to Windows 2003, however, is better security. Whether it is wise to sell an upgrade on the strength of its security relative to the previous release is debatable, but the first several months of general availability might be telling for Windows 2003. If customers embrace the product and it withstands months of uptime with few or no security vulnerabilities, Microsoft will have gone a long way toward repairing its reputation. But if Windows 2003 suffers the same sort of security embarrassment that Windows XP did with its high-profile (yet low-impact) Universal Plug and Play (UPnP) vulnerability, customers might view the product as more of the same. And more of the same isn't the message that Microsoft is trying to convey.