CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Internet

Commentary: Microsoft lacks motivation to change security

Gartner analyst Neil MacDonald says the addition of many new security technologies does not mean that Windows 2000 is fundamentally a more secure product.

By Neil MacDonald, Gartner Analyst

Every week, some headline seems to call attention to a security vulnerability in a Microsoft product. Because Microsoft's products are so widely used, they will be the targets of more attacks, so more vulnerabilities will come to light.

Nevertheless, Gartner believes this analysis is superficial. The situation is far more complex, and other factors come into play, including

• Microsoft's business model

• Bundling and "feature creep"

• Microsoft's development process

• ActiveX

• Tight integration of Microsoft's operating system (OS) and applications

Microsoft's business model requires perpetual change. This approach creates an environment in which each new version of its OS and application software has little public exposure before it gets released into the mainstream.

The constant inclusion of new features in Microsoft's software, and the

See news story:
Bug hunter spies holes in Windows, IE 5.x
bundling of new technologies into Microsoft's OS and application products, have created large, monolithic applications that are impossible to debug for all security vulnerabilities. For example, by various estimates, Windows 2000 contains 30 million to 40 million lines of code, and the development team involved thousands of people.

The addition of many new security technologies, however, does not mean that Windows 2000 is fundamentally a more secure product.

Microsoft's development process has not fundamentally changed with respect to security. Microsoft still does not make security training mandatory for its developers. Microsoft has found that being reactive to security works well; it quickly fixes newly identified bugs. This approach is easier than preventing the vulnerabilities from occurring in the first place.

For Microsoft, the top priority is getting products out the door, and the marketing department can diffuse any security problems once a product has shipped.

Microsoft's ActiveX programming model provides no mechanism for "sandboxing" code, Its digital signature mechanism provides insufficient protection for the use of ActiveX controls on the Internet.

The tight integration of Microsoft's OS and applications has created an environment conducive to malicious code. The highly publicized "I Love You" worm showed how malicious code can take advantage of this integration.

Likewise with the more recent exploits involving ActiveX. In most cases, Windows loads ActiveX controls without user intervention. These pieces of code can do whatever the computer user has rights to do on the machine.

Worse, Microsoft Office documents are treated as ActiveX controls and can load without intervention. A recent exploit documented by the SANS Institute illustrates just how serious exploits can be that involve a combination of Windows, Internet Explorer, ActiveX and Office.

Despite the headlines that these security exploits bring, consumers and enterprises have not changed their purchasing patterns in favor of more secure products. They have not voted for better security with their pocketbooks. Accordingly, Microsoft's approach to security is pragmatic.

Security is important to Microsoft but only to the extent that it does not inhibit the adoption of its products. Thus, Gartner expects that such headlines will continue to appear.

(For related commentary on outsourcing Internet security, see TechRepublic.com--free registration required.)

Entire contents, Copyright © 2000 Gartner Group, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.