Even some of Gates & Co.'s harshest critics would agree. In September, 2001, tech consultancy Gartner Group told its clients to stop running Microsoft's IIS (Internet Information Systems) Web server due to security problems. Flash forward a year, and Gartner analyst John Pescatore says Microsoft has fixed most of the bugs in IIS. "I believe Microsoft actually has gotten serious about security. I've seen real evidence of real changes in how Microsoft product managers emphasise security over product features. That's the key issue," says Pescatore. He has also been impressed by what he has seen in security considerations for versions of Microsoft's .Net Server 2003, a piece of software designed to deliver services that help link Web sites and sync data between disparate systems. "For the past year and a half, I believe Microsoft deserves an A for effort, given the complexity of their software and their efforts at addressing problems. Unfortunately, they are very poor in public outreach activities," says Pete Lindstrom, research director for Spire Security, a consultancy in Malvern, Pa. Effort and progress aside, no one -- even Lipner -- claims Microsoft is even close to bug-free code. "I am not one of the many Microsoft bashers out there," says Lindstrom, "but it seems pretty clear that many people would not put Windows 2000 on their 'most secure operating system' list." And according to a report released on October 31 by British computer-security consultant mi2g, 44 percent of the known software vulnerabilities announced in 2002 affected Microsoft Windows, compared to 19 percent affecting Linux. Just one yardstick
That's proportionally less than Microsoft's share of the computing infrastructure but still high enough to warrant concern. The sizeable bug count also illustrates the limits of using Common Criteria as the sole yardstick of security. "The Common Criteria is a framework for security evaluations. It is not a level of security. It's like saying 'my child graduated' without knowing if it was from kindergarten or university. An average CIO does not know that," says Bruce Schneier, chief technology officer of Internet security-monitoring firm Counterpane Internet Security. The upshot? Hats off to Redmond for taking steps to make security a real part of its software construction process. Now, fewer bugs, please.
Have your say instantly in the Tech Update forum.
Find out what's where in the new Tech Update with our Guided Tour.
Let the editors know what you think in the Mailroom.
