Trusting Microsoft: Easier said than done

commentary Somehow, the concept of "once bitten, twice shy" doesn't seem to apply to Windows users.

Microsoft must be the most privileged commercial entity in the world -- company executives merely have to explain (not apologise) for shoddy products and everything's forgotten. The recent hullabaloo over its latest security flaw is a prime example.

The saga began in July 2003 when security research firm eEye Digital Security uncovered two critical vulnerabilities which affect unpatched versions of Windows NT, 2000, XP and Windows Server 2003.

The flaws relate to Microsoft's Windows Abstract Syntax Notation One (ASN.1), a method which enables computers to share data and is used by many Windows security processes.

eEye notified Microsoft of the issue on two occasions -- July 25 and September 25, 2003.

The ASN.1 problem is said to be one of the worst ever recorded, with deleterious effects on Windows-based systems. eEye's patience ran dry after waiting for more than six months for Microsoft to issue a patch so on February 10, 2004, it broke the silence.

"Either of these ASN vulnerabilities could allow an attacker to overwrite heap memory with arbitrary data allowing for the execution of malicious code. Both of these flaws can be detected and subsequently exploited remotely, and have the potential to cause serious damage if not immediately remediated.

"Ironically, the security-related functionality in Windows is especially adept at rendering a machine vulnerable to an attack. Since the ASN library is widely used by Windows security subsystems, the vulnerability is exposed through an array of authentication protocols. This makes these vulnerabilities more dangerous than previous flaws that spawned Nimda, Code Red and Sapphire worms," eEye said in a statement.
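The defect class eEye describes, a decoder that trusts an encoded length field and writes past the end of a heap buffer, comes down to one missing comparison. The following is an added illustration, not code from eEye, Microsoft or the Windows ASN.1 library: a minimal DER tag-length-value reader in Python that refuses any element whose declared length runs beyond the bytes actually present, and that enforces DER's minimal-length rule. The sample encodings (a SEQUENCE of two INTEGERs, plus two malformed variants) are constructed for this example.

```python
"""Minimal DER (ASN.1) TLV reader with explicit length validation.

Added example; the byte strings below are constructed, not taken from
any real protocol capture.
"""
from dataclasses import dataclass
from typing import List, Tuple


class DerError(ValueError):
    """Raised for any encoding the reader refuses to process."""


@dataclass
class Tlv:
    tag: int
    value: bytes
    end: int  # offset just past this element in the input buffer


def read_tlv(buf: bytes, offset: int = 0) -> Tlv:
    """Decode one tag-length-value element starting at `offset`.

    Every read of the input is bounds-checked, and the declared length is
    compared against the bytes remaining before any slice is taken. That
    comparison is the check whose absence lets a decoder read or write
    beyond its buffer.
    """
    if offset >= len(buf):
        raise DerError("no tag byte")
    tag = buf[offset]
    pos = offset + 1
    if pos >= len(buf):
        raise DerError("no length byte")
    first = buf[pos]
    pos += 1

    if first < 0x80:
        # Short form: the byte itself is the length.
        length = first
    else:
        # Long form: low 7 bits give the number of following length bytes.
        n = first & 0x7F
        if n == 0:
            raise DerError("indefinite length is not allowed in DER")
        if n > 4:
            raise DerError("length field too wide")  # policy limit for this reader
        if pos + n > len(buf):
            raise DerError("truncated length field")
        if buf[pos] == 0:
            raise DerError("non-minimal length: leading zero byte")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise DerError("non-minimal length: short form required")

    # The critical check: declared length must fit in what is left.
    if length > len(buf) - pos:
        raise DerError(f"declared length {length} exceeds {len(buf) - pos} remaining bytes")

    return Tlv(tag=tag, value=buf[pos:pos + length], end=pos + length)


def children(buf: bytes) -> List[Tuple[int, bytes]]:
    """Return (tag, value) pairs of the elements inside an outer SEQUENCE."""
    outer = read_tlv(buf)
    if outer.tag != 0x30:
        raise DerError("expected SEQUENCE")
    items = []
    pos = 0
    while pos < len(outer.value):
        item = read_tlv(outer.value, pos)
        items.append((item.tag, item.value))
        pos = item.end
    return items


def is_well_formed(buf: bytes) -> bool:
    """True if the buffer holds exactly one fully validated element."""
    try:
        return read_tlv(buf).end == len(buf)
    except DerError:
        return False


# Constructed samples.
GOOD = bytes.fromhex("3006020105020107")        # SEQUENCE { INTEGER 5, INTEGER 7 }
OVERLONG = bytes.fromhex("3082ffff0201")        # claims 65535 bytes, only 2 present
NONMINIMAL = bytes.fromhex("308106020105020107")  # long-form length for a value < 128

if __name__ == "__main__":
    print("good   :", children(GOOD))
    for name, sample in (("overlong", OVERLONG), ("nonminimal", NONMINIMAL)):
        try:
            read_tlv(sample)
        except DerError as exc:
            print(f"{name:10}: rejected ({exc})")
```

The point of the example is where the comparison sits: `length` is checked against `len(buf) - pos` before any slice, copy or allocation is driven by it. A decoder that allocates or copies first and validates afterwards, or never validates, is the shape of bug eEye is describing; a fuzzer feeding length fields like `82 ff ff` into a parser is an inexpensive way to find that shape in your own code.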

The $64,000 question is why it took 200 days for Microsoft to issue a critical software patch. Believe it or not, it's a question of quality over speed.

Jeff Jones, senior director of Trustworthy Computing at Microsoft, explained that the time required for each step in the patching process -- from discovery and verification of the problem to creating and testing the fix -- can vary.

"If our goal was to get everything out in 30 days or 60 days, we could do that," Jones told CNET News.com. "But our goal is to get out a quality patch."

Excuse me but what's wrong with this picture? If other businesses were to adopt this stance, there would be utter chaos. Imagine your car dealer saying, "OK, we'll fix your faulty alarm but since we don't have the right replacement parts, we'll give you a temporary fix. But, if the alarm doesn't sound during a theft, you can't hold us responsible."

The crux of the matter is the array of deficient products peddled by Microsoft. A fair trade means getting your money's worth but unfortunately, Microsoft is an exception to this rule.

Are you happy with the quality of Microsoft's products or do I sound like a broken record? Write in to edit@zdnet.com.au and share your thoughts.
