Imagine owning a car whose door, ignition, locks, and security system could be easily defeated by anyone following simple instructions posted on the Web. Anybody who knew the secret could break into the vehicle and either remove its contents or simply drive it away.

No big deal, says the car's maker. Just pop by our Web site every week or so to see if we've found any new problems. Parts are free, but it's up to you or your mechanic to take your doors and steering column apart; it should take around half an hour--six times a month.

In the car business, that company would be laughed out of existence. In the computer business, it's standard operating procedure--particularly at Microsoft. Check Microsoft's alerts, and you learn that security problems are discovered in Microsoft software an average of more than six times a month. Some of these are minor. Others are monsters, like the buffer-overflow error that allowed the truly miserable Code Red worm to attack. (See "Holey Software!" for more ugly examples and statistics.)

Windows XP's firewall is the latest in a long line of security half-measures from Microsoft. It's meant to prevent intrusions from the outside, but unlike products such as ZoneAlarm, it does nothing about Trojan horses--such as script viruses made possible by Microsoft's lax security precautions--that find their way into your PC and work from within.

The preview panes in Outlook and Outlook Express are another obvious example. You can't tell those panes to display the HTML source code in messages instead of executing it. That means you may run potentially compromising code without even formally opening a document. And Windows preserves a bogus sheen of simplicity by hiding file-type extensions by default, so risky .exe files can masquerade as harmless .txt ones.

Worse, few of Microsoft's fixes are cumulative. Instead of installing a single file that says "Secure my machine right now," you have to wade through dozens of individual files. Microsoft's Personal Security Advisor is of no use to users of Windows 95, Win 98, or Win Me. But it does inform me that I need to run 28 security "hotfixes"--and edit the Registry--to secure my Windows 2000 machine.

Other companies are hardly blameless here. Friends are cursing Cisco's DSL modems, whose software was hit by Code Red. And I still wonder what to do about my wireless 802.11 network, now that Wired Equivalency Privacy encryption has proved to be as private as a glass-enclosed shower in Times Square.

As the market leader, Microsoft should act as if it had the most to lose over lackadaisical security. But its own servers have proved vulnerable, and its Passport authentication service presents serious security and privacy hazards. Most galling: The company's highest-profile security effort--the vexing Product Activation copy-protection scheme in Windows XP and Office XP--is designed to protect its own revenues.

If there were reasonable alternatives to Microsoft products and their half-baked security, knowledgeable users would gobble them up. Until then, we're forced to make our own time-consuming repairs of defects that should never have appeared in our vehicles for computing.

• See more like this:
• p3security,
• microsoft,
• security alerts,
• personal security advisor,
• product activation,
• full disclosure,
• stephen manes