Up Front: Microsoft's Security Problem--and Ours

"Your potential. Our passion." That's the slogan Microsoft has been using to tout its products. Lately, though, I've spent so much time patching its wares--and undoing damage inflicted by its "fixes"--that I'd sum up my sentiments as "Microsoft's products. My problem."

Seattle-based Contributing Editor Stuart J. Johnston, a 16-year veteran of the Microsoft beat.
Seattle-based Contributing Editor Stuart J. Johnston, a 16-year veteran of the Microsoft beat.
Judging from Stuart J. Johnston's "Patch Backlash," I'm not alone. When we heard that a Los Angeles user had taken Microsoft to court over Windows vulnerabilities, we asked PCWorld.com visitors whether they felt the company was adequately protecting its customers. The aggravation in some of their feedback boils right off the page.

Johnston began covering Microsoft when Bill Gates was a mere multimillionaire; he's been our Bugs and Fixes columnist since 2000, chronicling a parade of Redmondian glitches so interminable that he jokingly calls the company's products his "permanent employment act."

Of course, Microsoft products aren't the only ones plagued by leaks. But the company's market share--north of 90 percent in operating systems, browsers, and office suites--makes it (and its customers) the fattest target a hacker could hope for.

Often, what rankles is not so much the security problem itself as Microsoft's response. In September 2002, it unleashed Windows XP Service Pack 1, an uber-patch designed to fix leaks and other bugs--which it did. But many readers told us that installing SP1 rendered zippy PCs almost unbearably sluggish.

At first, Microsoft said it had patched the patch; later, it backpedaled and said it had no plans to do so. Months later, Johnston laments, he's still getting daily reader e-mail asking, "Is there any hope?"

I feel those users' pain--because my own notebook went from sprightly to arthritic after I installed SP1. Then there's my desktop. Not long ago, a firewall-evading piece of spyware used an Internet Explorer technology called the Browser Helper Object to lob X-rated ads onto my screen, even when IE wasn't open.

When I sought help on Microsoft.com, troubleshooting tips were scarce. I did, however, find a page in which Microsoft genially describes the BHO as "a spy we send to infiltrate the browser's land." Given that the BHO really is used by no-goodniks, the metaphor is both appropriate and unfortunate.

As Microsoft tackles the security mess in the months and years ahead, here's some advice I wish it would take to heart:

Make security the default: Historically, Microsoft has stuffed products with features that were easy for hackers to abuse. The company says that it now errs on the side of safety. At the moment, though, it's still playing catch-up: Windows XP Service Pack 2, due in mid-2004, will ratchet settings up a notch.

Give us help we can use: Microsoft, says Johnston, "has two types of security alerts. One reads like it's designed for people with a degree in computer science. The other is so dumbed-down it's worthless." Most users aren't newbies or geeks: Windows Update and other resources need more advice for the rest of us.

Build fixes that work: Auto-patching via Windows Update is a cornerstone of Microsoft's current security-assistance strategy. Yet it takes only one fix gone awry--such as the SP1 fiasco--to leave you wondering whether it's better to shut off Windows Update and take your chances.

Move beyond patches: Right now, security is an afterthought that's being meted out fix by fix. What we need is a Windows that's built for reliable computing from the ground up--which Microsoft says it will deliver in Longhorn, its next major upgrade (see our preview). But Longhorn isn't due until 2006.

As Microsoft enters new markets--from enterprise software to cell phones--it will ask millions of customers to entrust even more of their productivity to it. Earning that trust won't be a cakewalk. But step one is a no-brainer: It must fix the products it has already sold us.

Subscribe to the The Advisor Newsletter

Comments