Patch Backlash

"It's like having a car where the locks don't work."

"Patches ad nauseam!"

"I would join any class-action suit against Microsoft and feel [such a lawsuit] is completely warranted."

Angry, frustrated, fed up: That's how many PCWorld.com visitors feel about the seemingly endless revelations of security holes in Windows and the cavalcade of patches Microsoft issues to fix them. How do we know? We asked.

We invited PCWorld.com visitors to tell us what they thought about Microsoft's security muddle--and whether they believed the company was meeting its obligations to the millions of people who use its products. The overwhelming majority of those who replied said that they're sick of constantly having to fix software they paid good money for. And more than a few said that Microsoft should be held accountable for the damage resulting from weaknesses in its software--a point of view that has prompted at least one angry customer to sue the company.

Lawsuit Filed

Filing in part under a new California privacy law, Los Angeles film editor Marcy Levitas Hamilton alleges that because of Windows security vulnerabilities that were exploited by last summer's SoBig worm, thieves were able to steal her Social Security number and bank details. She is seeking to represent all Windows users in her suit.

If successful, the lawsuit would achieve something unprecedented by holding Microsoft legally liable for damages linked to flaws in its products--even though the company's customers surrender this right under the terms of Microsoft's end-user license agreements.

"We've had [PC] software for two decades, but only now are we getting to the question of, are developers liable for their products?" says Dana Taschner, Hamilton's attorney, of Newport Beach, California. In the case of Microsoft, the question is especially critical because the company controls more than 90 percent of the market for operating systems, the lawsuit notes.

Taschner says that since he filed the suit in late September, he has received nearly 3000 calls and e-mail messages, many from users who want to join the suit.

Regardless of what happens in Hamilton's case, it's clear from our readers' responses--not to mention the barrage of headlines about security flaws since last summer's devastating Blaster and SoBig attacks--that Microsoft may have already lost this round in the court of public opinion.

"Microsoft is not even coming close to meeting its obligations to consumers," observes Jim Rochelle, a longtime PC user in Thompson Falls, Montana. "They rush products into production too quickly and do not take enough time to better ensure the security of the products they are putting out."

Microsoft's Response

Microsoft officials, from cofounder and chair Bill Gates on down, have promised to fix security problems before. But attacks have only grown in number and severity, and the company appears to realize that it has a public relations mess of major proportions on its hands. Its responses thus far have ranged from a Protect Your PC awareness campaign promoting basic security measures to a recent offer of $250,000 rewards for information leading to the arrest and conviction of the creators of Blaster and SoBig.

Microsoft has also established a fund with an additional $4.5 million for use as reward money to help catch the originators of future destructive worms and viruses. And speeches by Microsoft executives routinely include ardent reaffirmations of the company's commitment to its Trustworthy Computing Initiative, an ambitious plan to improve the security and reliability of its software.

"We've talked to hundreds of customers [in order to] really understand what their issues are, [so the fact] that users are angry is not a surprise," says Amy Carroll, director of Microsoft's Security Business Unit.

She says one lesson Microsoft learned from last summer's attacks was that it can't expect users to understand how to proactively secure their PCs by changing default settings or installing patches that in many cases would have warded off invasions. As a result, Microsoft recently announced plans for a security-focused Windows XP Service Pack 2 that, among other things, will turn the built-in Internet Connection Firewall on by default, stopping many attacks before they reach users' computers. Microsoft has also said that it will make automatic updates easier to find and easier to enable from the get-go on new PCs (see "Microsoft's Patch Policy Pickle").

Why weren't such measures taken before? "Part of it goes back to features that customers were asking for," says Neil Charney, director of product management for Microsoft's Windows Client Group, who cites as an example printer sharing, which is blocked when the firewall is enabled. This constant trade-off between features that PC users want and the levels of security that they also want is a complex one, Charney says.
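The trade-off Charney describes, a firewall that is on by default but then blocks printer sharing, is what SP2 eventually shipped. As an added illustration (not code from the article or from Microsoft), the following PowerShell expresses the same policy on a modern Windows host using the NetSecurity cmdlets: firewall on for every profile with inbound traffic blocked, then the "File and Printer Sharing" rule group re-enabled only for the Private profile. It assumes Windows 8 / Server 2012 or later and an elevated session; XP itself configured the same thing through netsh rather than PowerShell.

```powershell
# Added example, not the article's or Microsoft's own code. Assumes an
# elevated PowerShell session on Windows 8 / Server 2012 or later, where
# the NetSecurity module is present.

# 1. The secure default: firewall enabled on every profile, inbound
#    connections blocked unless a rule allows them, outbound permitted.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Confirm the resulting state for Domain, Private and Public profiles.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3. Printer sharing is exactly what that default blocks. Re-open it only
#    for the Private profile, so a laptop that later joins a public network
#    keeps the shares closed. Only inbound rules need to change.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object Direction -eq Inbound |
    Set-NetFirewallRule -Enabled True -Profile Private

# 4. List what was opened: rule name, profile scope, protocol and port.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" `
        -Enabled True -Direction Inbound |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $filter.Protocol
            Port     = $filter.LocalPort
        }
    } | Format-Table -AutoSize
```

Scoping the exception to one profile is the point: the feature users asked for is restored where they use it, while the default the firewall was turned on to provide still holds everywhere else.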

Carroll attributes the apparent explosion in number and severity of virus and worm attacks at least in part to the proliferation of broadband, which has made unprecedented numbers of computers accessible to intrusions. Microsoft also believes that detailed Web postings about vulnerabilities by "exploit writers" are making it easier than ever for hackers who rely on public knowledge--so-called script kiddies--to create the software that takes advantage of weaknesses.

Meanwhile, Microsoft says it has already begun to respond to users' angst, pointing to a recent update called Update Rollup 1, which serves as an interim cumulative patch to the core of Windows XP until SP2 is released. The company has also begun issuing monthly summaries of new security patches so that users can find the information more easily.

User Rage

Many people wonder why Microsoft has been taking so long to get its security act together. In early 2002 the company declared that it was halting software development for a month so that its developer teams could focus on one issue--security. Two years later, with no visible improvement, that unfulfilled promise leaves many users doubly frustrated. And many fume that Microsoft's security bulletins are so technical as to be incomprehensible to nongeeks, while its consumer alerts are so oversimplified as to be useless to anyone.

"[The company has] all of these computer geniuses who should be able to figure out that there are flaws when they are developing the software," says Rita Baker of Trenton, Missouri. "We, the customers, should not have to spend so much time getting updates and being subjected to viruses, worms, and especially hackers," she adds.

In the meantime, other users have simply run out of patience and jumped ship to other operating systems. Wilbur Pan, a pediatric oncologist at the Cancer Institute of New Jersey in New Brunswick, is among them.

"We got hit hard by the rash of viruses that came along back in August--both in the medical school system and in the university hospital system," Pan says. Ultimately, he switched his personal work system over to Linux. "The lack of accountability is one reason I switched away from using Microsoft products."

Other consumers are taking the constant updating in stride, doing what Microsoft and Internet security firms recommend: keeping up with patches, staying on top of antivirus software updates, and running an Internet firewall to block assorted invasions from the Web, among other things.

"I have always used antivirus [software], and I tend to check frequently for updates," comments T. E. Burch in Northern California. "I've also got Internet security programs on my computers," she continues.

But repairing vulnerabilities with patches can create problems in and of itself: In some instances Windows XP SP1 slowed or crashed PCs (see "Bugs and Fixes: A Big Microsoft Mess--Patches Gone Bad").

Giving Credit

Still, Microsoft's efforts haven't gone totally unappreciated by the readers who responded to our questions.

Rich Levin, host of the radio show PC Talk in Philadelphia and coauthor of the KISS Guide to Microsoft Windows, argues that people should give Microsoft some credit. "Microsoft pioneered the use of automated update services, and they have aggressively issued security patches as holes are discovered, in most cases," he says. "They could do better by 'fessing up to all threats immediately, but in most cases, their responsiveness ranks in the top 10 percent of major software vendors."

Levin and others say that while Microsoft may be at fault for developing flawed software, users must also take some responsibility for the safety of their own systems.

"The real problem is...user ineptitude and ignorance," observes Jonathan Ofori-Amoah, a technical analyst at a large investment firm in Chicago. "I do not truly expect that users be fully knowledgeable about their computers, but a little more education may help. Microsoft cannot and should not be blamed for that," he concludes.

Microsoft officials point out that software is extremely complex to write, and that even within a specific family of security holes it can be difficult to find and fix every one. The company has long-term plans to make its products more secure, Carroll adds.

Included in those plans is Microsoft's Next Generation Secure Computing Base, which will be a part of Longhorn. Formerly known by the code name Palladium, NGSCB technology is designed to provide security functions that take advantage of new hardware and software changes in PCs. But with 600 million computers already in use around the world, many of them older machines, "there is no silver bullet," Microsoft Chief Executive Officer Steve Ballmer cautioned in a recent speech.

Battle-weary users don't expect the protect-patch-and-update routine to end anytime soon. As a resigned-sounding Fred Tivin, a retired research chemist and head of a math tutoring service in Cincinnati, puts it: "These hot fixes are not maintenance like changing the oil in my car. I would go on, but I have to check my Microsoft Critical Updates for Windows, Media Player, Office XP, and Internet Explorer and then run my Pest Patrol, Ad-aware, and Spybot programs and update my Norton AntiVirus, Moosoft Cleaner, and Anti-Trojan data files...and oh, yes...check to see if there are any upgrades to my ZoneAlarm firewall."
