On security, should the media be harder on Microsoft than Firefox?

My fellow ZDNet blogger George Ou has raised an interesting question about the way the press handles security flaws in Internet Explorer (IE) versus the way it covers the same thing for Firefox. In using just the past couple of headlines for each of the browsers (from two news sources) as proof points, the evidence is very anecdotal. But I suspect that it is indeed quite projectable into the past. Ou's blog caused me, a tech journalist of 15 years, to stop and ask myself whether there's a double standard when I write about Microsoft and, if so, whether that is so wrong.

I think the question can actually be broken down into two questions. First, should we expect more from Microsoft than, say, Mozilla.org? Second, if we should, then should we also be harder on Microsoft when it doesn't meet those expectations?

Should we expect more from Microsoft? Is it fair to be more critical of the company that made the riskiest choices? And not just more critical than of Mozilla, but than of plenty of other companies as well. I'd argue yes, but probably not for the reasons that most would. The most obvious reason to expect more from Microsoft is that the company -- flush with cash -- appears to have unlimited resources. The implication is that there are no excuses. There's no reason that Microsoft can't hire the best programmers in the entire world (with the exception of a few very principled people, everyone has a price) and there's no reason Microsoft can't hire them in whatever quantity is necessary to make these problems go away. These, to me, are not reasons to expect more from Microsoft.

So what are?

For starters, if you're a product manager in Microsoft working on any product, you may feel slighted by such double standards. But should Microsoft really feel bad that it's being subjected to such a double standard? Or should a Microsoft executive feel justified in complaining about being held to a double standard? In my recollection, this hasn't happened. Raising the question of a double standard for double standards, I'm willing to bet that Microsoft, like most companies, applies a double standard to itself. What company doesn't? If I'm Bill Gates or any other manager in Microsoft, you can bet that I'm not only trying to hire the very best people, I'm also holding them to a higher standard than I hold my competition. That sort of demanding environment -- an environment with far less tolerance for mediocrity -- is what makes some companies great.

Back in 1992, about a year after I first started cutting my tech journalism teeth, my partner blogger Dan Farber took over the reins as editor-in-chief of the publication I was working for (PC Week). From the get-go, it was quite clear to me (because of the number of times he beat me up over something my team was about to publish) that he was holding us to a different standard than the rest of the industry was held to. At times, the criticism was harsh. But the result was that we started using the performance of other publications to benchmark our performance and to make sure that, no matter what, we were coming out on top. Were we doing more reviews? (I was the director of the testing labs.) Were the products being reviewed, and the context in which they were reviewed, more aligned with the target audience's information needs than were reviews at other publications? Were we doing a better job putting those reviews in a comparative context given what else was on the market, or were we reviewing each product in a bubble as though there were no alternatives (what IT buyer thinks this way?)? Like a little devil on my shoulder, the double standard caused me to think and rethink everything I did.

That's probably why you don't hear Microsoft's executives complaining too often about double standards in the press. Given that Microsoft is holding itself to different standards, complaining about the press doing the same would itself be a double standard.

There's another reason that we may be justified in expecting more from Microsoft. While not all security problems with Internet Explorer are related to its underlying pipeline into Windows (ActiveX), a good many have been. ActiveX (which has had so many names I can't even keep track of them all) has long been a fundamental architectural choice of Microsoft's. On the one hand, it facilitates so much functionality and reduces the friction to integration between software components within the operating system. On the other, when you pave such superslabs for software connectivity, you simply can't trust everyone to drive according to the rules of the road. So, if Microsoft opens the highway and then builds an application (IE) that uses it (two separate choices), and then stands by those choices as though they're company religion, does there come a point (in terms of the price users repeatedly pay because of those choices) at which the press is more justified in using more inflammatory headlines?

In Firefox, Mozilla.org's developers made different architectural choices from those made at Microsoft. To the extent that those choices contribute to how vulnerable Firefox users are, Mozilla.org is definitely on the hook to make sure those choices don't needlessly expose end users to those with malicious intent. Yes, more so than for other vulnerabilities. Even though those other vulnerabilities can ultimately be traced back to a choice -- a choice that was made by some programmer -- choosing an overall architecture that can leave end users exposed means higher stakes and, thus, higher standards.

In the mashup ChicagoCrime.org, Adrian Holovaty, who won second place at Mashup Camp's Best Mashup Contest, programmed the ability for end users to check the footpath that they or their kids might be taking to get to work, mass transit, or the school bus stop for crime frequency. If one path cuts through a bad neighborhood and alleyways where crimes are more likely to take place, and the other one, by sheer volume of pedestrian traffic, is statistically and intuitively safer, which one do you send your kids on?

There may be some convenience in sending your kids through the dangerous neighborhood and alleyways. Perhaps it shaves 20 minutes off the time it takes them to get to school (trust me, as a parent of three children, I can tell you that 20 minutes is a big deal in the morning). But if you know the risks, you're also responsible for securing the route -- for example, going with them. When was the last time you saw a bunch of six-year-olds standing by themselves on the street corner (with no adults) waiting for the school bus?

I can remember when Java first started to make the headlines. There was a browser called HotJava that was built entirely on top of Java, and back then Java was famed for its sandbox -- a software firewall that cut off any code running inside the Java Virtual Machine from the outside world ("outside" meaning a host operating system such as Windows). As a result, applications that ran on Java (like HotJava) were fully isolated from the operating system, so that using the Web couldn't result in harm to the host system (e.g., the surreptitious loading of malware). I'm sure the developers of HotJava will differ with this opinion; but so limited in functionality and so slow was the HotJava browser that it completely disappeared off the landscape.

Against the wishes of Sun, Microsoft introduced a Windows-specific version of the Java Virtual Machine that broke a hole through the sandbox wall, thereby affording Java developers some access to the utilities in Windows -- the same sort of access that Internet Explorer has. Legally, that choice ended up costing Microsoft $1.95 billion. But technically, Microsoft was onto something. Over the years, the Java Virtual Machine has taken on increased degrees of connectivity to the host operating system to enable specific types of functionality that certain applications can't do without: for example, local file-system access. Not surprisingly, the more the sandbox has been opened up to the host operating system over the years, the more Sun has ended up having to issue security fixes. This past February, News.com's Dawn Kawamoto reported:

Sun Microsystems issued a patch Tuesday to address seven "highly critical" flaws in its Java Runtime Environment that could allow a malicious attacker to gain remote control over a user's system.... These latest flaws are found in one of the JRE's application programming interfaces, or API, which communicate between the sandbox and the rest of the system. The flaws could be exploited by attackers to gain remote access to a user's Java applications, allowing them to read and write files or execute code.

Ironically, or maybe not, Sun and Microsoft are moving closer to a central point between the extremes from which they came a long time ago (Microsoft with its largely unguarded ActiveX highways and Sun with its designed-with-security-in-mind-from-the-ground-up platforms). On one hand is Sun, building whatever bidirectional pathways are necessary between various Java Runtime Environments and the platforms they're adapted to (computers, phones, set-top boxes, etc.) to deliver more functionality. On the other hand is Microsoft with Internet Explorer, which over the years has had its screws increasingly tightened, to the point that, in the name of security, IE7 will not be the fully uninterrupted experience that IE once was. The point is that security has always been at odds with functionality. To get more function, just about all software ends up risking a bit of security. And, no matter how methodical a company is, and despite its truest intentions, developing perfectly secure software isn't that easy. So far no one has done it out of the gate with anything but the simplest (and often useless) products.

So, if most software is starting to gravitate to some sweet spot where the trade-off between functionality and security is relatively close, but they originated from different points that can be traced to choice and culture, is it fair to be more critical of the company that made the riskiest of those choices at the beginning? Especially since that choice is being somewhat legitimized by the direction that the company that made the most conservative choice is taking?

Talkback

73 comments
  • One further reason

    Perhaps another reason to hold MS to a higher standard is that Firefox is free, and IE is something you have to buy as part of Windows.
    tic swayback
• That depends on how you look at it

You don't technically BUY IE as it is part of the OS. You don't even have to use it. I think a reason to hold MS higher would be because so much software and so many other programs have IE as a requirement to use and/or install them. But I can kind of see a point there. If people were not REQUIRED to use IE so much, would they?
      Shelendrea
      • The MS Help System

Actually uses IE to render the content; lots of other apps do so also. IE is required for all these apps because IE actually does the rendering.

Not to mention IE is the file browser for Windows. Don't believe me? Open up IE and browse to Google or any other website, now type C: in IE's address bar and, lo and behold, there is the contents of your C drive.

A flaw in IE really is an OS flaw, despite protests that it is not.
        Edward Meyers
        • Processes

That's where you're actually wrong. IE isn't the file browser for Windows. Open up Task Manager and then from My Computer go to C:\; you'll notice that there is NO iexplore in the processes. Now open Internet Explorer and type in C:\ and it'll still be there. It just has the same UI as Explorer. Furthermore, in IE7 that trick no longer works; it now refers the request for C:\ to Explorer.
          moonchacha
          • Actually They Testified In Court

            That it is the file browser and hence could not be removed. You wouldn't think they would lie in court now would you?

It is also a moot point, as the file browser also uses IE components even though iexplore does not show in the processes. The IE components are embedded into the OS.
            Edward Meyers
          • That's better

            It may seem like a trivial point, but there is actually a difference between IE and the underlying HTML renderer that IE uses. IE the application can indeed be removed, but the underlying DLLs can't. It's those DLLs that are used by (among other things) Explorer and the help system.

            No argument about the security risks with such an architecture, though. It's bound to be risky when so many people think it's OK to attack systems through that weakness, simply because it can be done (and in the case of Microsoft, should be done).

            Carl Rapson
            rapson
• Indeed

And the point is still there... The IE components cannot be removed without affecting so much of the system that it doesn't look much like Windows anymore.

Oh... It can be done, as was also demonstrated in court. However, you lose the MS Help System, the MS File Browser (you have to get a replacement), Outlook's ability to handle HTML emails, and a lot of third-party apps are affected.

            This is just bad design.
            Edward Meyers
    • RE: One further reason

>>...Perhaps another reason to hold MS to a higher standard is that Firefox is free, and IE is something you have to buy as part of Windows...<<

I disagree. IE, and specifically IE6, is the de facto global standard. It runs on about 90% of all PCs. IE6 has been with us for what, 6 or 7 years now? And it is still not secured? This is unconscionable. Firefox has been more secure since early beta releases, and has been very prompt in fixing problems as they are discovered. Microsoft releases fixes on a predetermined schedule, sometimes leaving users dependent on 3rd-party fixes. Firefox has proved to be the better performer, and they are an upstart open source organization with limited funding. Compare that to Microsoft with almost all of the money in the world (comparatively) plus 6 years of history with IE6 and you gotta wonder.
      richdave
  • Good arguments

    I appreciated this explanation. It helps ZDNet look less like a tabloid publication, though I have to say sometimes the headlines are misleading. I know...you have to make money somehow.
    Mark Miller
  • So a company's own higher standards justifies a double standard?

Just because a company may have higher standards for themselves, does that justify double standards in media coverage? Just because they haven't complained (not much they can do really), does that really mean they're ok with it? Is it the role of the media to report the news as factually as possible or play favorites?
    georgeou
    • It is the role of the media to report news as factual...

      So if that's the case..

      IE had more security fixes this week than Firefox. :P

So obviously the media is going to be harder.. We have a product that has been around for years and years and years by a conglomerate that has endless hordes of cash. They can even tell the media the honest truth etc...

      Then you have mozilla, been around for like 2 years, only in the past year has it released an official version and yet.. Still not as many issues. :P

      Go figure. I can see why the media would be harsher on Microsoft in many cases. If you want to be number one, you have to take the scrutiny you're going to fall under.

You're supposed to be neutral, remember, George.
      ju1ce
    • So a company's own higher standards justifies a double standard?

"Is it the role of the media to report the news as factually as possible or play favorites?"

If you have to ask that question it is obvious that you do not watch the media these days. There are very few places to get unbiased news these days. And I have to say I get the impression you seem to be leading the charge most of the time.

I think the author makes some valuable points. Any company should be taken to task for the choices they make. The fact that MS could have taken steps to secure the OS years ago and "CHOSE" not to should not be given a free pass. Any time a company lets the dollar signs outweigh the good of its customers, they should be held to a higher standard. At least Mozilla.org tries to get a fix out as soon as possible instead of waiting for the normal monthly cycle and thus leaving customers unnecessarily vulnerable. Are you saying that MS should not be criticized for that choice?
      Protagonistic
    • Whatever Microsoft's standards or reactions...

      ... to stories in the press, the reader has a reasonable expectation that a story purporting to be news will include facts presented as a narrative of events and not as components of an argument.

      Someone reading a news story should finish knowing more facts than before he started. Any addition to the story should be context, past history necessary to understanding.

      Reporters rarely are objective.
      I think that the most objective stories I've seen were by reporters who didn't have a clue about the subject which they were covering and timidly told what they heard instead of trying to bluff.
      But in a field like tech, most reporters have been on the job for a long while. The implicit tone is going to identify good and bad guys as the reporter sees them.

      So, the attitudes and actions of people at Microsoft are not relevant to the double standard, as you say.
      The relevant part is the reporters' attitudes, and those are formed in the usual human way, a combination of applied principles, peer pressure, and emotional reaction to years of days looking at a range of related issues. Call that last "experience".

      The reporter can't escape all that, comes with being human. But a sense of professional obligation should still require him to meet the obligation to have readers know more facts in a correct context at the finish than at the start.
      What's told is different from how it's told.

      Mr. Berlind is writing a blog, pre-identified opinion. He gets a pass on my forgiving definition of objectivity.

      The problem for me is that he makes a strong case for his incapacity to write news. He's judging, not just having biases, but deciding how he will treat Microsoft and accepting facts in that framework.

      Actually, though, I think that he has a different mindset for journalism, enough so that his reports are worthwhile. But there is probably often a temptation for him to explain the correct response, and that he will have to resist, even consciously.
      Anton Philidor
  • Agreed.

    A bug is a bug. An insecurity is an insecurity. And that's what should be reported. But individual security issues are not that relevant.
    It would be nice to also hear for once about what (for the user) is the best application/OS configuration to use if he wants to reduce the (factual) risk of spyware and viruses.
    nizuse
    • Agreed

"It would be nice to also hear for once about what (for the user) is the best application/OS configuration to use if he wants to reduce the (factual) risk of spyware and viruses."

      Easy to answer, another OS. :-)
      Protagonistic
  • Another reason MS should be held to a higher standard.

    Not only did MS push through a highly insecure structure with ActiveX, but they also have made it all but impossible to use IE with ActiveX disabled. If you turn off ActiveX, IE will make you clear a popup dialog box (often multiple times for one page load/reload) whenever a page contains ActiveX.

This is obviously done to discourage users from deciding to disable ActiveX for normal web browsing. After all, if people were to start doing this, ActiveX would no longer be widely used, and Windows would lose a key area of user lock-in.
    enduser_z
    • As much as I would like to agree...

      I would have to disagree because the average consumer knows nothing about ActiveX.

Ask any normal consumer what ActiveX is and you get that blank look like you're talking Chinese.

For people like us, we can easily say whether we like ActiveX (even with its virus-like abilities) or dislike ActiveX (in which case we either disable it, or use another browser that doesn't have it).

      I have always said that ActiveX has a purpose.. Intranet only, otherwise it's a virus on the internet.
      ju1ce
    • Actually...

      ...this latest patch requires the clicking for ActiveX anyway, due to the lawsuit by Eolas and Microsoft's decision not to pay the licensing fees. It's your choice whether to blame Microsoft for not "playing along" or Eolas for suing Microsoft (and no one else) in the first place.

      I believe many open-source supporters have come out against the Eolas patent, although it may vex them that they wind up siding with the demon Microsoft to do so. :)

      Carl Rapson
      rapson
      • Did they remove the popup warnings when you have it disabled?

        Or do you now just get a pop up you have to click on for every ActiveX page, whether you have it enabled or not? If they actually did remove the nuisance pop up, I would say that is a great thing (even if they did it for the wrong reason).

I'm not sure where patents or Open Source have anything to do with this issue, by the way.
        enduser_z
        • Not sure

At work, my browser use is mostly internal, so I don't hit web sites with ActiveX very often. At home, I tend to use Firefox. My guess would be that if ActiveX is disabled, you wouldn't see the popup messages, but I don't know for sure.

And the patent/open source connection is this: Eolas sued Microsoft for patent infringement, and rather than pay for licensing the patent, Microsoft changed the way the browser interacts with ActiveX controls, resulting in the constant popups. Eolas has gone on record that it has no intention of suing open-source browser makers for the same infringement, presumably because there would be no money in it, but I suspect also partly because there would be a much greater backlash if someone other than Microsoft were targeted.

          Carl Rapson
          rapson