Microsoft's Michael Howard: Sure we have security problems, but we're fixing em

Summary: Microsoft Security guru Michael Howard gave a spirited defense of Jeff Jones' research and had one big message: Microsoft has admitted it has security problems. What about the rest of the industry?

Give Howard props for passion--his post displays a lot of it.

First, he notes that Jones' vulnerability counts aren't perfect, but they're the best metric we have. From there he proceeds to deliver a few choice quotes. Among them:

  • Let's go back to Jeff's recent analysis. Cover up the Mac OS X and Linux stats for a moment so you can only see the Windows XP SP2 and Windows Vista bars. Windows Vista has had fewer security vulnerabilities than Windows XP SP2. Conventional wisdom (which is often wrong, especially when it becomes urban legend) tends to suggest that the more lines of code you have the more bugs you have. That might very well be true, and Windows Vista is certainly larger than Windows XP SP2; yet right now, we are on track for an approximately 50% reduction in vulnerabilities compared to Windows XP SP2. Think about that figure for a moment: about a 50% reduction (and that does not account for the reduction in vulnerability severity) despite the increase in code size.

  • The reason you're seeing a reduction in vulnerabilities across major Microsoft products is simple:

Microsoft recognized it needed to improve security. Bill said so (as did the rest of senior management). Our group swung into action and helped the rest of the company come up to speed on security issues. The Microsoft development processes changed to adopt the SDL.

  • Referring to Ubuntu and Mac OS X, Howard wrote:

How many people involved in the development of these other products have you heard say, "Wow, we have a lot of security bugs, we really should do something systematic to fix this problem." I'll be very happy to be proved wrong, but all I hear is crickets. I see no one else in the industry standing up and saying, "Let's fix this."

I just hear emotion, excuses and dogma.

Is Howard biased? Sure he is. But he may also have a point. Funny how a message delivered without Jones' baggage is more effective.

Talkback

  • Worst in IT history

    Microsoft is the worst kid in class and should be ashamed of what they've
    accomplished. No other platform comes even close to the abysmal security in
    Windows, to even try to compare it with the alternatives is a joke and disingenuous
    indeed of you bloggers.

    The truth is that Microsoft has never been the visionary it'd like to be and almost
    missed the internet revolution entirely. They've thus built the Windows platform
    with a typical closed and safe office as the assumed environment.

    No wonder Windows is no better than this, but with cheerleaders like you, they
    don't really need to be.
    Mikael_z
    • Complete misassessment of the situation!

      When comparing vulnerabilities, which is what this blog is about, Microsoft is far from the worst kid in the class. There have been more patches for Linux and OSX. The truth is that the article is correct. The only one with an active program to improve the vulnerability count is Microsoft.
      ShadeTree
      • Well you are making the previous poster's point....

        "The only one with an active program to improve the vulnerability count is Microsoft."

        Does that mean they are trying to increase their count :)


        NOTE: This is not a serious post.
        mrOSX
      • How about comparing consequences!

        The summed-up cost of the malware plague on the windoze platform was $13.3
        billion worldwide. The word "abysmal" is too weak a word to describe it, and you call
        that secure?

        The Mac platform, for example, on the other hand has zero malware on the loose to
        worry about. The cost? $0.

        http://www.computereconomics.com/article.cfm?id=1225
        Mikael_z
        • Don't confuse not attacked with secure.

          You may leave all your doors and windows open on your house and still not have a break in. That doesn't mean your home is secure.
          ShadeTree
          • Strawman

            It doesn't matter how you try to distort it, it's still a documented fact that windoze is
            the overwhelmingly most expensive platform because of crappy security.
            Mikael_z
          • uh...

            Windows has the #1 security in operating systems. It's just the most exploited. It doesn't have the most exploits, it's just the most exploited. Get your facts straight you troll.
            evilkillerwhale@...
          • This home protected by ......

            "You may leave all your doors and windows open on your house and still not have a break in. That doesn't mean your home is secure."

            When it comes to theft, just like home burglars they tend to go after the unprotected places first because the chance of success is much higher (e.g. the path of least resistance)....

            Yes, for purely random attacks those making malware just to be malicious will go after the majority.

            The thing to ask is of targeted machines where theft of information was the goal who was successfully compromised the most often? Look at what departments of the government were the first to switch to Linux...NSA and the Department Of Defense. Hmmmm...could that be because of security?
            Security is likely why many governments within the US and abroad are moving away from Windows:
            http://www.linux.org/info/linux_govt.html
            devlin_X
          • The US government

            is compromised by incompetence far more often than by vendor choice.

            I wouldn't trust them to secure my dog's house.

            Is today an orange or red day? ;-)
            rtk
          • Sure they are.

            We sell thousands of computers to the department of defense every month with Windows 2000 preloaded. You had better check your assertions.
            ShadeTree
        • correction

          The cost: triple or quadruple the cost for the same hardware.
          JamesDoyle
        • Unfortunately, that's not a good metric either.

          The only way you could really compare is if you had another OS with a comparable number of installations. The people who write malware, crimeware (whatever you want to call it) are not kids. This malware is their business, and if you're going to put the effort into writing this software, you want to target the one that can make the most money. Windows has 90-95% of the market...you'd have to be a complete idiot to target Linux (with maybe 1% of the desktops) or the Mac (maybe 5%...maybe).

          If the criminals are only successful in infecting 5% of the windows machines they encounter, that's almost as many wins as infecting EVERY Mac. If they compromise 1-2% of the windows machines, that's more than ALL of the linux desktops.

          With linux, however, the biggest problem is that most people that run linux desktops are far more computer literate than the average Mac or Windows user. There are plenty of people that run windows without any AV software and have no problems....but in the hands of someone who picked up a computer at walmart, you'll find a machine that's riddled with viruses, adware, bots and so on.....why? because some people don't have any concept of safe computing.....I kinda think these people download every attachment that comes in the mail.

          These people would find a way to compromise any OS they were on....that's just the way it is.
          notsofast
        • O.O

          LEOPARD HAD MORE EXPLOITS FOUND ON DAY 1 THAN ANY WINDOWS.

          You know how much 13.3 billion dollars is to companies that make trillions? Put it this way:
          you use Linux: you make 0 dollars. You find 100,000 dollars worth of exploits, and your house is repossessed.

          You use OS X: No one loves artists, except movie studios. You make 50,000 dollars, but have to deal with Michael Moore. Net value? -5 dollars.

          You use Windows: you sell for every major system in the world, including pcs, cash registers, home users, cell phones, pdas, and music players. You make 300,000,000,000 dollars, and are Bill Gates. Windows makes for Mac products because IT CAN. Mac's programmers are still trying to make AppleScript not suck eggs, and Linux users are trying to find a driver for their 8 year old printer, and power for the LEDs on their tin foil hats.

          Linux has its uses, Mac has its uses, Windows has its uses. For most people, Windows is BY FAR the best choice, and therefore you should just realize that places like computereconomics.com can use any results they want. I can say this minute it cost 300,000,000,000,000 dollars in exploits on the English language last year for Apple. They lost that much for not making their system in Swahili. Yup. My statistics? Random site #7, found while googling "Why Apple sucks"
          evilkillerwhale@...
      • Message has been deleted.

        bmerc
        • By any count, ....

          ... Microsoft is still not the worst.
          ShadeTree
            • Well show me an OS that has over 200,000...

              viruses???? Then we can talk about who is worse.
            mrOSX
    • The good old days weren't

      "The truth is that Microsoft has never been the visionary it'd like to be and almost missed the internet revolution entirely. They've thus built the Windows platform with a typical closed and safe office as the assumed environment."

      MS was never safe, even before the Internet. I well remember MS-DOS viruses making their way around offices with nothing but Sneakernet as the vehicle.
      Yagotta B. Kidding
      • You ain't kidding!

        Yagotta B. Kidding? No you don't!
        Ole Man
    • Time to move on

      There's no point in badgering MS over their past behavior. If you have a comment to make on the CURRENT state of security within MS, that's fine.
      ParrotHeadFL
      • Well, maybe, no

        The past is generally the key to the future.

        Please note that you can break Vista in a number of new and improved ways as well as using a few "old standard" ways as well. As the guy said in essence, "we're trying to fix it." That's a good thing, but it doesn't wipe away the historical foundations of the security problems Windows (and Windows apps) have.
        zkiwi