Is Microsoft ready for the SP2 tightrope?

Written by David Berlind
In a recent interview, Steve Gibson, president of Gibson Research, told me that Microsoft's forthcoming Service Pack 2 for Windows XP should probably be renamed "Security Pack 2." In fact, nearly everyone who has anything to do with IT security seems to agree that SP2 may be the most significant component yet in Microsoft's Trustworthy Computing initiative. Everyone but Microsoft, that is.

Is Microsoft in a bit of a pickle when it comes to SP2, especially now that companies like Red Hat are turning up the heat on the desktop side of Linux? Or, will the company continue to be untouchable -- especially on the desktop side of the equation -- in spite of a wave of security problems that seems to never stop nagging Windows users?

It's quite remarkable that, considering the untold sums of money businesses have spent on damage control as a result of all the attacks targeting Windows, Outlook, Office, Internet Information Server and SQL Server, IT users have largely stuck by Microsoft and its products. Name another product or service that has subjected its users to such enduring risk or dissatisfaction over time (in Microsoft's case, over five years) without their switching.

It didn't take long, for example, for the demand for Ford's Pinto to wither once the car established a track record for blowing up after suffering a rear-end collision. It only takes one bad experience in service or meal quality to keep most of us from returning to a restaurant. Russ Cooper, Surgeon General at TruSecure, one of the world's largest IT risk management solution providers, draws a parallel to the situation in Iraq where, "after some of its soldiers were killed in an attack, the people of Spain installed a new president who immediately withdrew Spain's troops."

According to TruSecure, which is platform agnostic and has been tracking all known vulnerabilities and their associated costs since the dawn of Melissa, the top 10 infections dating back to March 1999 all targeted users of Microsoft software. According to the company's statistics, the total cost of damages in August 2003 alone as a result of the two biggest transgressions so far -- Sobig and Blaster -- registered at US$3.5 billion.

Even if there were some magical threshold that, once crossed, triggered a shift en masse to an alternative OS, TruSecure's Cooper warned that it would only lead organisations to a false sense of security. "Microsoft is targeted because it has 95 percent of the user base," said Cooper. "If the user base shifts, so too will the attackers. And guess what? The same companies and users that were affected before will be affected again because it was their lack of attention to security that ultimately left them exposed."

Yet, despite all of our fickleness, we continue to use Microsoft technologies. Compared with the way other "decisions" are dropped like hot potatoes, demand for many of Microsoft's products has persevered through the worst of times.

About the only Microsoft product to suffer a significant market share setback has been Internet Information Server, the company's Web server. Though the trend cannot be officially attributed to security concerns, according to the most recent NetCraft Web Server Survey, Apache's gain in market share for top servers across all domains since March 2002 closely mirrors Microsoft's IIS' loss in market share since that date. Shortly before IIS' market share started falling off its peak, Gartner security analyst John Pescatore recommended that, in the name of security, companies stop using IIS altogether. It's the only time I can remember that a widely respected research outfit recommended switching products as a technique for improving security. Even so, demand for IIS remains healthy.

Pescatore offers a simple explanation for why Microsoft has endured a situation that would have brought down most companies, including restaurants. "There's no monopoly restaurant. If there was, you'd keep going to it. Most of the viable alternatives to Microsoft's solutions are on the server side," said Pescatore. "That explains why Apache has done well at IIS' expense. But on the desktop, what the government said is true: Microsoft has a monopoly. For Gartner's clients, the cost of switching is simply too prohibitive."

TruSecure's Cooper agreed: "The cost of switching exceeds the cost of recovering from an attack." While TruSecure's damage tallies tell one story, they don't tell the other: Many companies, after suffering through an attack due to lax security procedures, will batten down the hatches. While you needed to be running a Microsoft product to fall prey to any of the top ten invasions, few if any users have been stricken with all ten. Companies tend to get religious about security after the first serious transgression. Although the headlines make the situation look bad, the reality is that not every company is suffering from every infection.

Even more evidence of Microsoft's resilience was contained in Pescatore's discussion of how almost none of Gartner's clients are trying out Linux or Mac on the desktop for security reasons. "The Mac is a known quantity," said Pescatore. "Most companies have a few Macs and if they felt that they could switch desktops to solve their security problems, they'd switch to the Mac. That's because they could continue to run Microsoft Office, which runs on the Mac, while avoiding most of the security problems." For this reason, Pescatore said, any movement to Linux desktops will be cost-driven rather than security-driven, and it will take years before Linux stands a chance of catching Apple on the desktop. His prediction doesn't bode well for the open source operating system's chances of putting a dent in Windows.

With SP2 around the bend, Microsoft's seemingly unbreakable grip on the desktop raises the question of whether there's any threshold that, once crossed, could ignite an exodus from Windows. Although SP2 is being hailed as a major stake in the ground for Microsoft from a security perspective, Microsoft can still afford some post-SP2 transgressions without suffering any major setbacks. This could explain why the company is being so careful not to over-promise when it comes to SP2. Recall that prior to Windows XP shipping in October 2001, Microsoft was hailing the operating system as a significant step forward on the security front. Yet the security patches, including one that plugged a serious Universal Plug and Play vulnerability, began flowing within weeks and caused doubts about whether Microsoft could rein in its security problems.

Two and a half years later, two things are certain. First, there will be follow-up security patches to SP2. This is unavoidable and, to the extent that no operating system is without such patches, Microsoft should not be regarded as incompetent as a result of such patches. Second, there will be a post-SP2 outbreak of one sort or another and, technically speaking, it will be like most other successful hacks: It will take advantage of a known vulnerability and afflict systems that have failed to apply SP2 or a subsequent patch. As a result, Microsoft will get a fair amount of unjustified "this-is-proof-that-your-trustworthy-computing-initiative-isn't-working" grief.

Greg Sullivan, a lead product manager for Microsoft Windows, is well aware of Microsoft's dilemma. Referring to the never-ending cycle of vulnerability discovery, followed by patch publication, sub-100 percent deployment, and "successful" incursion, Sullivan noted that "there are no silver bullets. The cat and mouse game will never end. It's the nature of the business."

Ironically, according to Pescatore, instead of encouraging a defection to desktop Linux or Mac, a lack of confidence in Windows XP will, for many organisations, prolong an already overdue migration from Windows 2000. Furthermore, according to Pescatore, as the IT world maps out its architectural shift to a Web services orientation where the desktop plays an increasingly diminished role (giving way to mobile devices like BlackBerries), confidence in other Microsoft products, especially ones like PocketPC that Microsoft has plans for in the Web services ecosystem, could be undermined.

Microsoft is caught between a rock and a hard place. Its customers are looking for soothing words from the company that its Trustworthy Computing Initiative is making great progress. Yet, Microsoft must be careful about over-billing any single fruit of that labour (such as SP2). Only disappointment can follow. Microsoft's Sullivan is aware of the challenge. "At the same time we're telling users how important a particular upgrade or patch is and why, we can't ever leave them with the impression that we're done," said Sullivan. "In an effort to get fixes installed on a more widespread and timely basis, we have to do a better job of communicating and we have to make deployment easier. We also want customers to know that we're in the [security] game on a permanent basis."

If the recent Sasser outbreak is any indication of whether Microsoft is getting better at the security game, things could be looking up for the company and Windows users. In the three weeks since the patch became available, it has been downloaded from Microsoft's site over 200 million times -- a record, according to Sullivan.

Unfortunately, no matter what Microsoft does, it cannot escape the ghosts of technologies past, even when it's making that sort of progress. Microsoft, therefore, will tout many of the great security features in SP2 (and they are great). But don't expect it to be making any promises. The technology will have to speak for itself and, hopefully, most of us will be able to tell when the technology is talking, and when it's a ghost.
