Trouble ahead for security industry as Microsoft gets security right

Summary: Whether you choose to believe it or not, Microsoft appears to finally be getting its security house in order.  No, frequent patches, like yesterday's corrections to critical flaws, are not evidence that secure computing for Microsoft is an impossible task.

Whether you choose to believe it or not, Microsoft appears to finally be getting its security house in order. No, frequent patches, like yesterday's corrections to critical flaws, are not evidence that secure computing for Microsoft is an impossible task. On the contrary. Microsoft, probably more than any other non-security vendor in the computer industry (because of what it has been through), knows what it takes (technology-wise, business process-wise, timing-wise) to secure its customers. That doesn't mean that there isn't still a To-Do list with items left on it. But it does mean that Microsoft, between what it's doing for existing users of its products and what it's doing in the next version of Windows (Vista), is on the right path.

There's other evidence of Microsoft's progress. While vulnerabilities still exist and new malware that exploits them continues to turn up, it has been a long time since malware that exploited a vulnerability in Microsoft's operating systems or applications resulted in a widespread outbreak or a serious disruption on the order of something like SoBig, CodeRed, Melissa, or the infamous ILOVEYOU worm that "celebrated" its sixth anniversary last week. As Windows' "surface area" (digital security-speak for multiple swaths of vulnerabilities) continues to shrink, malware developers will increasingly be looking elsewhere for trouble (for example, some mobile platforms and, more recently, Mac OS X). In its Spring 2006 Top 20 List of Security Vulnerabilities, the SANS Institute's #1 listed item said:

Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.)

When I think of words that foster confidence, or even hope that the situation will be corrected, "tatters" is not one of those words. 

The traditional security vendors appear to be scrambling as well. Shortly after a recent meeting with Gene Hodges during which the then-CEO of McAfee told me that the company was going to do just fine despite Microsoft's inclusion of competing security software and services in Vista, he jumped ship. Usually, CEOs stick around companies with a lot of upside. More recently, when news of OS X's vulnerabilities turned up, McAfee went on the offensive and launched a Mac security product with an accompanying PR campaign that Yankee Group analyst Andrew Jaquith lambasted as scaremongering. Desperate moves by a company that could be taking on water? You decide.

Meanwhile, after Fred Felman and Te Smith, a dynamic security duo that helped propel personal firewall maker Zone Labs to the stratosphere (and acquisition by Check Point), left Zone to join another security outfit (Tenebril), it wasn't long before both moved on. Said Felman of the entire security business at the time, "It's beat." Fellow Richard Stiennon, who was a security analyst for Gartner before doing a short stint with spyware stomper Webroot and who is now a blogger for ZDNet (in addition to founding IT Harvest), took umbrage at the idea that the security industry was out of gas. Sorry, Richard. I'm with Felman, who spent the better part of the last decade selling security products. When someone like that says the business is beat and backs it up by leaving it, the business is beat.

Need another smoking gun? I don't think you have to look beyond Symantec, which has been diversifying its portfolio over the last few years, a strategy that, judging by CEO John Thompson's more recent comments about identity management, isn't done yet. Since the beginning of 2005, Symantec has been on the acquisition trail, having acquired Veritas Software, Sygate, WholeSecurity, BindView, IM Logic and Relicore. Some of these companies are squarely in the security space. Others, like Veritas and Relicore, are more about systems management and reliability (tangentially connected to security, but not a direct hit). This week, Thompson indicated his quest may not be over, citing identity management (more closely tied to security, but not the sort of security that Symantec typically covers) as a category that interests him. Identity management? Symantec. It will be interesting to see where Thompson takes this. ID management, especially in the business space, is overflowing with enough companies and options to make your head spin. Not to mention that the key operating system players like Microsoft, Sun, and Novell (which is readying the official release of a new, open source-based ID management solution known as Bandit) have offerings in the space as well. Next on my blog to-do list: What I'd do if I were CEO of Symantec.

  • Vulnerability.

    ZDNet has published articles for some time which have observed that, rather than battle software, malware makers have been enlisting users in compromising their own devices.

    I think that this vulnerability is likely to continue, with Microsoft having a user base with a disproportionate number of volunteer victims.

    Security software will be politely at war with users, asking for permissions in order to give opportunities for second thought and recognizing malware to take action without user intervention.

    Becoming a field more for psychologists than the technologically oriented.
    Anton Philidor
    • Social engineers

      Most of the major transgressions I've been hearing about are in the area of social engineering. For example, phishing has been a biggie and the end result, to keep users from becoming "volunteer victims" (a great observation on your behalf) has been to tighten security down so much that the software begins to interfere with a smooth user experience.

      • Celebrate Paranoia

        After 6 years of consequence free computing, Apple users are
        not quite as alarmed by the word "tatters" as you are. The hard
        boiled soldiers of Windows IT are quick to cite the Apple
        "complacency" while ZDNet contributors nod and parrot the
        party line. The pot continues to call the silverware black. At what
        point does the record figure in these grand and sweeping

        The PC security and PC repair rackets have bilked millions from
        consumers as a direct result of shoddy platform architecture and
        "consumer advocates" have given pass after pass. After 6 years
        of this nonsense iTunes is the enemy for their DRM? Anything
        wrong with this picture? With lingering paranoia and security
        nags being a Windows inheritance for some time to come, the
        good news is Windows users can ditch their third party
        protection racket for a Microsoft version of the same thing.
        Apparently the volume of Vista nags as a result of a kludgy
        permissions scheme are nothing short of ridiculous. Well that's

        Windows codependency is clearly deeply embedded. It seems the
        only way to temper the frustration of tech impotence is to role
        play. Windows platform users are all volunteer victims and their
        inability to do anything about it makes for some very strange
        Harry Bardal
  • Looking forward to Vista

    I think Apple would sell a lot more computers if they supported Windows Vista.

    Also look forward to learning up on the WinFX programming model. As always Microsoft keep innovating in the software space at such a fast pace that it's hard to keep up. However it's always fun and exciting learning and working on Microsoft technologies.
    • Apple does not sell PC's

      Apple is not interested in PC's or any PC software. They are happy in their niche. The moment that they start selling PC's with Windows installed they have to do battle with the cheap clone vendors and they don't produce machines at that low level of quality.
      • But they could sell....

        ...full Apple hardware running Vista (now that 'intel is inside'). If you think they are happy with a niche, you are sadly mistaken. I know the MAC faithful would never want to believe their hallowed Apple could join with the enemy (MS) but it's already headed that way. A Mac with Windows Vista on it will NOT compete with cheap clones. How the market will react (especially the Mac Faithful) remains to be seen.
        • Why trade down?

          OSX as-is is already superior to Vista if and when it comes out. Why all the delays in releasing the latest Windoze? Doesn't work? Vulnerable? Have to catch up to Apple's sperior levels of user friendliness and functionality? Simple ineptitude?

          The answer to all these questions is probably yes. But hey, let the Windoze world keep dozing. Not my problem.
          • You Must Be a Beta Tester...

            You must be a beta tester for Vista since you already *know* that OSX is already superior.

            Why do Mac lovers always have to post how much they love their Macs and how they disdain anything Microsoft? I don't pepper Mac threads with annoying little comments to make myself feel better about my consumer choice. Love your Mac, but please grow up.
          • Mac lovers disdain?

            Probably for the same reason you have to make annoying little comments about them.
            HOIATL
          • sperior???

            Doesn't Apple have a spell checker?
            Cat Ketch
    • WinFX file system

      If you really want to see what the WinFX file system is just load up Linux and use the XFS system. They stole the idea from them.
      HOIATL
    • Who will pay for an OS requiring 1GB RAM and 15GB disk space?!

      That's slower than a turtle in a snowstorm! Sheer bloat.

      Sorry to sound like a cynic, but when the cons outweigh the pros, it's time for something else.

      MS can bash Linux for being bloated all they want, but Linux is developed by thousands of strangers. What's Microsoft's excuse? Closed-source seems closed-minded these days.
  • I would say the trouble is more for

    software vendors. Since now (finally!) Microsoft has designed (yet still not deployed... when is it due?) a properly designed OS with **GASP** security and true multi-user separation in mind! Now the software vendors will have to write more secure and better designed applications that the user can run as a user WITHOUT the need for Administrative access to the OS / kernel layer.

    In other words they will have to start using the Unix model of application development. Although I will never use Microsoft Vista (don't like the snoopy issues and the fact I would be treated like a criminal... even if I can prove I paid for my version!) I will give Microsoft credit in that they have finally got on the correct path.

    BUT they still have to prove they got it in the field. So we shall wait and see (when is it coming out again?) what happens in the user market. Bottom line is software vendors better get cracking to correct their bad designs and implementations! While they are at it they can start to port to Linux as well! ]:)
    Linux User 147560
    • Not just Microsoft

      The success against malware will also be a function of the hardware. Intel and AMD are doing some interesting things, especially with virtualization technology and TPMs (although TPMs have issues too) to do what I call hardware-based security-assistance. Enforcement of signed code that's matched to TPMs for example could result in very clean white lists in terms of what's allowed to run locally. Virtual machines offer the ability to create the equivalent of a "customs" area in an airport to double check the visitors before they're allowed free passage across the virtual border. But, with these features comes added complexity and added complexity is always tricky to manage. Especially for users that are so easily socially engineered (just says something about the steps they're willing to take or have a clue to take in order to be safe).

      • David, I agree with you in this.

        Retaining the "simple to use" feature of Windows is going to be hard, in fact many users are going to find they need to re-think a number of things.
      • Nothing to do with hardware

        "Enforcement of signed code that's matched to TPMs for example could result in very clean white lists in terms of what's allowed to run locally."

        There's nothing in that that an operating system couldn't do today (and some do.) The hardware is totally unneeded unless the system administrator *is* the threat against the system.
        Yagotta B. Kidding
    • Naw, works fine here.

      Tell me what issues you have *EXPERIENCED* instead of the silly stuff you read in comic books and I'll help you sort it out.
      • IF I have to use Windows...

        which to be honest I really don't anymore other than to stay on top of maintaining the boxes my customers use or the one my Wife uses, I will stick with Win2K for now. Regardless, Vista will never be run or even considered in my home. And since the customer base I have at the moment is NOT asking for Vista, they are satisfied where they are, I see no need to learn it at this time.

        And since Linux is making massive inroads and providing me a nice source of income, I will continue on my Linux path. I posted here to point out the biggest issue will be with software vendors that have designed their applications to be run as Administrator. They are the ones that will be having issues.

        As for the users, yes Windows users will finally have to grow up and learn to use their PC in a safe and secure manner. There will be many that will be more than irritated at not being able to do things the way they are so accustomed to. Well, if Microsoft had been smarter and combined both security and ease of use as other systems are doing, and have been for a while now, and trained users to be safe from day one, Linux and Mac would not be a threat they are today, the number of security issues (read successful attacks!) would not be as high as they are today with Windows and this discussion probably would not even be happening.

        My experience with Windows is shall we say, boring annoying and restrictive. With Linux it's been a lot of fun, some restrictions but not intrusively so and overall a very enjoyable experience. ]:)
        Linux User 147560
    • Microsoft got security right?

      I have been in the IT business for over 20 years and have heard that one so many times; it makes me sick. I am sure that M$ will screw it up again. But as you say time will tell.
      HOIATL
  • Report MS to the EC!

    Maybe these security companies should complain to the EC that MS has foreclosed on competition in the PC security business, and that it should be ordered to create a version of Vista with no security. After all, who cares what MS' customers think? It's not as if antitrust law is about them! I just hope the EU courts give the EC a good smack in the head!
    P. Douglas