'

Microsoft slammed over WinMe bug

Is it appropriate that Microsoft releases Windows Me to the consumer knowing there is a problem with it?

A top security expert has condemned Microsoft's approach to security issues a day after a bug was found in its new operating system, Windows Me..

Mathew Bevan, of KUJI Media Corporation Limited, claims Microsoft's attitude to bug-fixing is harmful to consumers who have experienced bug issues with every release of Windows. His assertions are based on the fact that Microsoft was told August 13 about a serious flaw in its WebTV for Windows application which is included in Me.

One month later Windows Me was released. The bug is still present and no patch is available.

"They claim that the patch is in final testing, but why on earth did they not make the existence of the bug public in the meantime?" says Bevan. "Microsoft always say they won't make security flaws public until they've developed a fix because otherwise the bad guys will take advantage, but God knows how many people have exploited the hole in the meantime."

The bug allows a malicious hacker to crash or reboot any PC running WinTV for Windows and initiate a Denial of Service attack.

Andrew Griffiths discovered the vulnerability in Windows 98 and emailed Microsoft the details. Analysts at Security Focus, the Web site that runs the Bugtraq mailing list later discovered that Windows ME was also vulnerable.

Although bugs in software are not uncommon, Microsoft's credibility has suffered repeated setbacks, particularly around the launch of its Windows operating systems.

A more open and consumer friendly protocol for dealing with bugs is necessary according to Bevan who reckons Microsoft could learn a lot from the Open Source community.

"Look at Linux. When someone posts that they've found a bug you often get ten responses in ten minutes, with people making temporary patches and others giving advice. One company controls the code base of Windows, so everyone is reliant on them for fixes. I think that's a bad thing".

Bevan believes that Microsoft should make changes in its procedures, and inform customers about security flaws as soon as they are found. "They should sent out an email to each affected user to warn them that there's a problem. They don't need to say what the bug is, just advise them not to use the application until a fix is developed. I believe its better to know the dangers, rather than to be left ignorant and vulnerable".

Microsoft has figured out a way to have user ID tags ignore everyday browser settings and report ID information across domains. Microsoft apparently uses this technique heavily across its sites and Bill Machrone wants to tell you all about this potential new assault on your privacy. Go to AnchorDesk UK for the news comment.

To have your say online click on TalkBack and go to the ZDNet News forum.

What do you think? Tell the Mailroom. And read what others have said.

Take me to the PC Magazine Windows Me labs test

Take me to the Windows Special