Code Red Puts Microsoft in the Hot Seat
Windows-targeting worms like Code Red may cause users to demand more reliable software.
Dan Verton, Computerworld
Washington, D.C. -- It was a scene that would be familiar to officials at Bridgestone/Firestone. An executive from Microsoft watched as a government official told a gathering of reporters that there was a serious problem with a Microsoft product.
Ronald Dick, director of the U.S. Federal Bureau of Investigation's National Infrastructure Protection Center, this week warned that the Code Red computer worm was spreading rapidly across the Internet for the third time in less than three weeks. It was taking advantage of a vulnerability discovered in the Web server software that runs on Microsoft's popular Windows 2000 and NT operating systems. The health of the Internet and e-commerce was at stake, the government warned.
Costly Not Deadly
But unlike the case with faulty tires from Firestone, Microsoft's problem wasn't life-threatening, and it didn't lead to a massive product recall. Instead, it cost businesses around the world more than $1 billion, according to some estimates, and hundreds of worker-hours to fix. That has led some users and experts to argue that it's time to demand more secure software from vendors.
"Do we have to wait until someone gets killed?" asked Jack Ring, owner of Innovation Management, an IT consulting firm, in a letter to Computerworld. "[It] must be nice to be a billionaire, but can it feel good when the billion is what others are losing by using your products?"
Because of the security issues associated with Microsoft software, "we are looking at other technologies," says a chief technology officer at a pharmaceutical supply company in the Northeast who requested anonymity. "There are other Web servers out there. Microsoft's customers have to demand better software."
Robert Odom, chief operating officer at AFAB International, a security equipment reseller, says that because of security concerns, his company has completely removed Microsoft Outlook from its systems and has removed "as much of [Internet Explorer] as we can."
Chasing Security Holes
Microsoft issued 100 security bulletins last year related to its software and 42 so far this year, according to information on its Web site. Even so, Steve Lipner, manager of Microsoft's Security Response Center and chief of the Secure Windows Initiative, says the company undertakes a massive effort to find security flaws in products "before they get out the door."
The centerpiece of the effort, Lipner says, is a program called Prefix. It scans the entire code base of the Windows operating system and all Office products for potential vulnerabilities. When one is found, Prefix identifies the "offending coding practice that caused the vulnerability," he says. It's an effort that represents a "significant investment" across the company and one that "absolutely has commitment from the top," Lipner says.
That begs the question of how yet another flaw in Microsoft's Internet Information Services software made it out the door.
"Security and software development are human endeavors where mistakes are going to happen," Lipner says.
Reliability Required
Yet there is concern because critical services such as the Federal Aviation Administration, medical services and the electric power grid are increasingly using commercial software. And the fear, based on the Microsoft experience, is that some of this software could be unreliable and full of security holes.
It's only a matter of time before consumers and businesses start to demand more reliable and secure software, says Dave McCurdy, executive director of the Internet Security Alliance. "When health and safety concerns are raised, then there are going to be higher expectations of accountability," he says.
"People have every right to expect reliable, secure software," says Jay Nickson, a security trainer at Ronin Software Group. He adds that developers should be responsible if errors in their software result in lost profits, lost hours or bodily harm. He even suggests that it might be time for a "software users' bill of rights."
But Alan Paller, director of the SANS Institute, a security research organization, says that's a long shot. A routine check of the terms of the agreement included with every shrink-wrapped package of software from Microsoft and other developers would show that users "have no rights at all," he says.

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.




