In a recent interview, Steve Gibson, president of Gibson Research, told me that Microsoft's forthcoming Service Pack 2 for Windows XP should probably be renamed "Security Pack 2". In fact, nearly everyone who has anything to do with IT security seems to agree that SP2 may be the most significant component yet in Microsoft's Trustworthy Computing initiative. Everyone but Microsoft, that is.
Is Microsoft in a bit of a pickle when it comes to SP2, especially now that companies like Red Hat are turning up the heat on the desktop side of Linux? Or, will the company continue to be untouchable -- especially on the desktop side of the equation -- in spite of a wave of security problems that seems to never stop nagging Windows users?
It's quite remarkable that, considering the untold sums of money that businesses have spent on damage control as a result of all the attacks targeting Windows, Outlook, Office, Internet Information Server and SQL Server, IT users have largely stuck by Microsoft and its products. Name another product or service that, over time (in the case of Microsoft, over five years), has subjected its users to such enduring risk or dissatisfaction without driving them to switch.
It didn't take long, for example, for the demand for Ford's Pinto to wither once the car established a track record for blowing up after suffering a rear-end collision. It only takes one bad experience in service or meal quality to keep most of us from returning to a restaurant. Russ Cooper, Surgeon General at TruSecure, one of the world's largest IT risk management solution providers, draws a parallel to the situation in Iraq where, "after some of its soldiers were killed in an attack, the people of Spain installed a new president who immediately withdrew Spain's troops."
According to TruSecure, which is platform-agnostic and has been tracking all known vulnerabilities and their associated costs since the dawn of Melissa, the top 10 infections dating back to March 1999 all targeted users of Microsoft software. According to the company's statistics, the total cost of damages in August 2003 alone as a result of the two biggest transgressions so far -- Sobig and Blaster -- registered at $3.5bn.
Even if there were some magical threshold that, once crossed, triggered a shift en masse to an alternative OS, TruSecure's Cooper warned that it would only lead organisations to a false sense of security. "Microsoft is targeted because it has 95 percent of the user base," said Cooper. "If the user base shifts, so too will the attackers. And guess what? The same companies and users that were affected before will be affected again because it was their lack of attention to security that ultimately left them exposed."
Yet, despite all of our fickleness, we continue to use Microsoft technologies. Compared to the way other "decisions" are dropped like hot potatoes, demand for many of Microsoft's products has persevered through the worst of times.