Is Microsoft forgetting what it knows about security process?

With the fight over who can put a browser on Windows RT still simmering away and with Windows RT tablets only a month off, now is not the time for Microsoft to make careless mistakes with Windows 8.
Written by Mary Branscombe, Contributor

It's been an interesting week for foot-in-mouth in the tech industry, starting with Nokia suffering from the difference between TV ads and internet promotion.

With TV ads, simulated footage of what phones deliver is perfectly common, with a label so small I expect most viewers never spot it. But with internet promotion, simulated footage is automatically assumed to be an attempt at deception.

It's a shame the hugely impressive image stabilisation in the Lumia 920 Windows Phone 8 handset wasn't clearly labelled in the ad as a simulation of the difference in quality you'll get — especially when Nokia's real footage is just as impressive.

Then there's Microsoft apparently deciding not to update the version of Flash that's built into IE 10 in Windows 8 until October even though Adobe has put out a fix for Flash in all other browsers.

That decision puts Microsoft in the absurd position of having IE 9 and even Chrome users better protected against Flash attacks. The only reason for Microsoft to take over the role of distributing Flash in IE from Adobe is to give users better protection, not worse.

Ed Bott provides details of how to turn on ActiveX Filtering in IE 10, which will let you enable Flash and any other ActiveX only on the sites where you want to use it. That feature is good for performance as well as security and probably a good idea anyway. But it's not how you should have to handle Flash security in this day and age.

Process to ensure security is a priority

It's also a huge surprise. Security is a major focus for Windows 8, which has excelled in its other security improvements, and Microsoft usually has a process to ensure security is a priority. I'm assuming sanity will prevail and IT admins and BizSpark members and volume licensing subscribers evaluating Windows 8 won't continue to be vulnerable to known Flash vulnerabilities until GA in October.

But whatever decision, mistake or misunderstanding might turn out to be the explanation for this move, it's worrying for what it says about security process — which is something Microsoft has done pretty much right ever since Bill Gates hit the reset button on development after Blaster and retrained the entire company to think secure.

The Security Design Lifecycle Microsoft uses is recognised as a gold standard for software development. It's taken Windows from notoriously insecure to probably the most secure mainstream OS on the market in Windows 8. Security experts picking over the protections at the Black Hat hacker conference this year suggested that attackers would have to turn to vulnerable applications such as, say, Flash, instead of cracking the OS itself.

There's also a process for keeping it that way. To avoid new issues or regular patches distracting the core Windows team while they're hard at work on the next version of Windows — in this case, whatever Windows 9 turns out to be — once Windows hits RTM, the code is handed over to the Sustained Engineering (SE) team who deal with hotfixes, security patches and updates.

SE has patched pretty much every version of Windows between RTM and general availability, so it can't be fear of bad publicity. Besides, it would be Flash getting the bad publicity, not Windows. Frankly, I'm at a loss as to why the process wasn't ready to cover this eventuality.

I had another "I really can't believe they did that" moment recently, when it turned out that the build process for Windows 7 with Service Pack 1 had unaccountably omitted to include the browser ballot screen.

Including the browser ballot screen hadn't been necessary when SP1 was an update you applied to a system that already had Windows 7 because you'd already seen the ballot. But when it turned into a standalone OS that was going to OEMs and being put on DVDs, it needed to have the browser ballot in case it was going onto PCs that didn't already have Windows 7.

I don't see that as a sneaky attempt to protect Internet Explorer. Frankly, IE 10 is a solid and performant modern browser that can stand on its own tabs. This omission was a mistake pure and simple. Remember, between malice, malevolence and mistake, William of Occam points us to mark one human error every time. But again, it's the kind of mistake there should be a process in place to prevent — and if necessary, a process in place to check the process.

Compliance and security issues

The combination of the consent decree and the security woes of Windows XP made Microsoft careful about compliance and security issues. I know of major releases of products from software companies Microsoft has acquired that were postponed for months to fix known vulnerabilities because the Microsoft mindset was so security conscious. Now is not the time for that attitude to change.

With Windows 8 and Surface — and Windows Phone 8, Office 2013, Server 2012, Visual Studio 2012 and System Center 2012 SP1 and all the other products getting updated to go with Windows 8 — Microsoft is making a huge bet. This is the moment when the PC can either go on to be a telling part of our computing future or turn out to be a technology whose time is within perhaps five years of ending.

I'm expecting the PC to last, because I want a powerful computer that gives me choices instead of just a simplified and streamlined computing appliance.

I want to run Photoshop as well as Instagram. I want a word processor with macros and revision-tracking that can cope with 20,000 word documents as well as a tool for writing a quick shopping list. I want to be able to edit videos as well as watching them and I want to do it all on my choice of hardware and format — touchscreen and keyboard, please, preferably with a detachable screen.

But all that choice and power comes with a price, and not just the complexity that has driven plenty of people to an iPad for the times when simple is better. To be open enough to allow everything people want to do, the PC has to be open enough that security will always remain a potential issue because you can't assume a program doing something new is attacking the system. It might just be doing something new and clever that the user actually wants.

Making the power of the PC usable

Security, reliability and performance are key to making the power of the PC usable rather than a liability, and until the Flash update question I've believed Windows 8 has all three.

I'm still prepared to believe that, as long as Flash updates get a real solution, because I'm less worried about this single mistake — dumb as it appears to be at first glance — than the process that let it happen.

Windows 8 is both an improvement in the technology we already use and a shift to a new generation of technology, from ARM chips to touchscreens, to new hardware designs, to a new programming model.

This kind of generational technology update is something RIM has looked dangerously close to fumbling over the past couple of years and getting it right requires not just great technology but great execution as well. Execution, I always say, is something you either do or have done to you.

Microsoft has had a great year so far. Assuming these problems are dealt with in the right way, we can call them relatively minor issues that were sorted out once they were noticed. Everyone makes mistakes. What's important is how they're dealt with, which includes finding out what went wrong and making sure it doesn't happen again, which is what processes are for.

But in such a crucial year, Microsoft doesn't have room to make many mistakes if it's going to move from doing 90 percent of the job well — a target it hits on just about every product, but one that just isn't good enough to compete with products such as the iPad and the entrenched Apple ecosystem — to the kind of surprise and delight that marks a winning release.


UPDATE: Microsoft has now confirmed to ZDNet's Ed Bott that a Flash update for IE10 addressing these vulnerabilities will be available "shortly" and that the goal is to release future Flash updates on a schedule that matches Adobe's releases "as closely as possible" rather than the usual once-a-month IE updates. This is a very welcome change of heart. It remains worrying that the processes for updating a component that you can't uninstall from IE10 were not in place before RTM but it's good to see Microsoft reacting swiftly to these concerns and addressing the issue of future updates.