Tuesday, November 3, 2009

Microsoft Buries Consumers with Avalanche of Vulnerabilities


In the six years since Microsoft stopped pelting us with security fixes willy-nilly and implemented a monthly bulletin format, home and enterprise customers have been entombed by fixes for a soul-crushing 745 vulnerabilities, nearly half rated as "critical" by Redmond.

So laments Jaikumar Vijayan, writing in the Security Smart section of Network World.

The number of announced flaws in the last two years is double what it was in 2004 & 2005, which would seem to suggest that Microsoft's Trustworthy Computing initiative has done more to repair a leaky ship in motion than to build a seaworthy vessel in the first place. That flies in the face of the highly-publicized security mission, which promised a more secure computing environment out of the box.

Who remembers when Redmond shut down development in an effort to educate their architects and developers in the ancient practice of secure coding? I do. Made for some late software launches, as I recall, honking off people with certain licensing agreements, but it was an easier pill to swallow if the result was a modicum of protection from the forces of evil.

And there are some barely-used bridges in Washington state available for pocket change, too.

It's a perfect storm - Microsoft has created a monster in the form of feature-laden, highly-usable, ubiquitous software offerings, which has led them to two parallel issues: any security hardening will inevitably break the free-flow of usability consumers have come to expect, and maintaining depth in feature sets (and securing them) invariably leads to an increase in coding complexity that makes trusted computing all the more daunting a task.

When Vista first launched, one of the more trumpeted security features - UAC - also became one of the most hated. Microsoft attempted to add a thin layer of security into the computing experience, and it was obvious that they also tried to match it to existing usability and customer experience paradigms. It didn't work, because it was a jolting interruption of the seamless Windows pillow-ride that Microsoft had been marketing to us for years.

Linux and UNIX users don't whine much when prompted for admin credentials or root anytime they try to do anything that messes with the core operating system because it's basically been there from the beginning. Plus, it makes sense - a simple step to validate that some chunk of malware isn't trying to make an unauthorized system change. It's a small price to pay for avoiding the horrors of malicious code.

Redmond has essentially hoisted themselves on their own petard. It's like a parent that feeds their child a steady diet of junk food and sugar, and when the kid turns out a tad portly, the dinner plate is suddenly filled with quinoa and Brussels sprouts. What's a chunky lad to do?

This quandary is soon to be faced by the Apple crowd, too. As Macs begin to pick up market share, users will begin to be targeted by the bad guys as they are identified as a target-rich environment. With roughly 10% of computers sold, it's still not as attractive to craft exploits for Mac code as it is for the dominant Windows environment that garners more than 80% of the pie, especially given the ongoing security struggle the 745 vulnerabilities represent.

As Microsoft hopes and prays that XP users shut down forever and the world becomes populated with Vista and Windows 7 users biding time until they convert to Windows 8, their only salvation will be their ability to move users to a more secure environment one tiny step at a time.

The great unknown is whether people are willing to walk that path, and as John Hodgman learns in the newest Mac vs. PC commercials, there's a lot to be said for making a clean break to a new OS if there's going to be pain involved anyway.

Image via Wikimedia Commons
