In the wake of the latest threats, Microsoft purchased full-page ads in major newspapers exhorting its customers to visit a Web site to find out how to protect their machines. The page asks users to perform three relatively easy tasks -- install an Internet firewall (which is included in Windows XP), download the latest software patches from Microsoft, and run an up-to-date anti-virus program. Steve Lipner says that these steps can protect most consumers from many of the current threats.

But some experts aren't satisfied with Microsoft's efforts. "That's called blaming the victim," says Richard Smith, the security researcher who helped lead police to the coder behind the Melissa virus. "It's like that old saying, 'An ounce of prevention is worth a pound of cure'" -- in the case of some of the latest worms, Smith says, you can tell that Microsoft didn't put much effort toward prevention.

The Blaster worm exploits a "buffer overflow" hole in the newest versions of Windows. Such flaws are not uncommon; all OSes suffer them. But with some thorough code review, they're not very difficult to spot -- in fact, Microsoft has long touted methods it developed to search for buffer overflow problems in its software. In October 2001, Jim Allchin, the Microsoft executive in charge of Windows, told eWeek magazine that "we have gone through all code and, in an automated way, found places where there could be buffer overflow, and those have been removed in Windows XP." But as Bruce Schneier pointed out in a January 2002 essay he wrote in his monthly computer security newsletter, Windows XP was out for just a few months when Microsoft urgently announced that it had discovered a critical flaw in the OS -- a buffer overflow error that could have allowed anyone to take control of the machine running the buggy code.
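As an added illustration (not code from the article, from Microsoft, or from Blaster's actual flaw), here is the class of defect the paragraph describes, in C: a parser that copies an input-supplied number of bytes into a fixed stack buffer without checking it, beside the bounds-checked form a code review would insist on. The message format, function names and sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format: one length byte, then that many name bytes.
 * Not Windows code and not Blaster's actual flaw, just the defect class. */
#define NAME_MAX 16

/* Vulnerable form: 'len' comes straight from the message and is never
 * compared with the size of 'name', so a length byte above NAME_MAX makes
 * memcpy write past the stack buffer. This input-sized copy with no bound
 * check is the pattern a review or automated scan flags. For contrast only. */
size_t parse_name_unchecked(const uint8_t *msg, char *out)
{
    char name[NAME_MAX];
    size_t len = msg[0];             /* trusted length byte */
    memcpy(name, msg + 1, len);      /* no check against NAME_MAX */
    memcpy(out, name, len);
    out[len] = '\0';
    return len;
}

/* Hardened form: every value that sizes the copy is checked first.
 * Returns the name length, or -1 when the message is malformed. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char *out, size_t out_size)
{
    if (msg == NULL || out == NULL || msg_len < 1) return -1; /* no length byte */
    size_t len = msg[0];
    if (len > msg_len - 1) return -1;   /* claims more bytes than were received */
    if (len >= out_size) return -1;     /* would not fit alongside the NUL */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed samples: valid, truncated, and a length byte (40) above
 * NAME_MAX. Returns 1 if the hardened parser accepts only the valid one. */
int self_check(void)
{
    static const uint8_t good[] = {5, 'h', 'e', 'l', 'l', 'o'};
    static const uint8_t truncated[] = {5, 'h', 'i'};
    static const uint8_t oversized[] = {40, 'x'};
    char out[NAME_MAX];
    if (parse_name_checked(good, sizeof good, out, sizeof out) != 5) return 0;
    if (strcmp(out, "hello") != 0) return 0;
    if (parse_name_checked(truncated, sizeof truncated, out, sizeof out) != -1) return 0;
    if (parse_name_checked(oversized, sizeof oversized, out, sizeof out) != -1) return 0;
    return 1;
}
```

The unchecked version behaves normally on well-formed input, which is why such a bug can sit unnoticed in shipped code until a malformed message arrives; the missing comparison is exactly what a reviewer or an automated scan can look for mechanically.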

"Microsoft has $40 billion in cash in the bank," says Richard Smith. "Why is it that they can't get rid of buffer overflows in key software areas that could be attacked? Imagine all this trouble for a buffer overflow error that should have been caught! They've really got the bankroll to do this, and they should have done this rather than saying that all of us in the rest of the world should waste our time updating our computers."

Smith believes Microsoft's failure to detect the overflow error in Windows is indicative of a generally lackadaisical attitude toward software flaws. Time and time again, he says, Microsoft has added features into its software that only virus writers seemed to find useful. A good example of this is the Windows Scripting Host, the service that allows Windows to run Visual Basic Scripts. In previous versions of Windows, the scripting host was turned on by default, even though most people had no use for it; indeed, the only time most computers ever ran the scripting host, says Smith, was when they were hit with viruses like Melissa or ILOVEYOU, which ran on top of WSH. "You can turn off the scripting host and most everyone's computers will work perfectly," Smith says. And that seems to be a popular choice -- on Google, the second result for "Windows Scripting Host" is a page titled, "How to disable Windows Scripting Host."

In his memo on security, Bill Gates seemed to recognize the problems created by too many unnecessary features. "In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software," he wrote. "So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

There is some indication that Microsoft is already doing a bit of this. Smith notes that the latest version of Outlook, Microsoft's e-mail program, is set -- as a default -- to prevent you from loading executable attachments, the sort of files that allow for viruses like Sobig. But Smith says that he's puzzled that this was not the case for the latest version of Outlook Express, Microsoft's free e-mail program. "This shows that someone at Microsoft realized that attached executables are a bad thing -- but for some reason they didn't address it across the board." Also, if Microsoft is asking all its users to turn on firewall and auto-update software, why didn't it ship Windows with those features turned on already, Smith wonders. That's a good question -- and according to Lipner, Microsoft now plans to do so.

But beyond shipping software with certain features turned on and certain others disabled, it remains unclear to security experts whether Gates' memo calling for a new Trustworthy Computing initiative will lead to dramatically better software from Microsoft. The most cynical Microsoft-watchers, such as the people who congregate on Slashdot, already consider the letter nothing more than a cheap public relations stunt -- the monopolistic software baron attempting to pacify the media with proof that he is at least thinking about the myriad viruses, worms and other digital scourges that plague our hyper-connected world.

Bruce Schneier is just a tad less jaded than that, but you couldn't call him optimistic. "Let's hope that the Gates memo is more than a headline grab, and represents a sea change within Microsoft," he wrote in his newsletter. "If that's the case, I applaud the company's decision. It's a difficult one. Putting security ahead of features is not easy. Microsoft is going to have to say things like: 'We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out.' They're going to have to stop all development on operating system features while they go through their existing code, line by line, fixing vulnerabilities, eliminating insecure functionality, and adding security features. Security works best when it's designed into the system from the beginning, so a lot of what they've already done is going to have to be rewritten."

But Steve Lipner, of Microsoft, gave no indication that the security review called for by Gates is putting anything at the company on hold. "I believe that it is possible to build systems that are increasingly more secure and still useful and commercially viable," he said. He added that in designing the company's new server operating system -- Windows 2003 Server -- "we made a huge number of changes" in the development process to create an operating system that "is secure by design." But the whole thing was not redesigned from the ground up and most of the code was not rewritten. Still, Lipner says, the server is more secure than previous versions.

Schneier is not especially surprised that Microsoft is not halting development on its main software initiatives in order to focus on security. In combating security threats, the company's most important task is "to convince you the reporter that they're doing a good job, that they're going to fix the problems." For the company to do anything more than pursue a public relations strategy -- like, for instance, for it to actually spend time and money on no-nonsense software -- "that would be dumb," Schneier says.

That's because, according to Schneier, making software more secure is not a high-yield proposition: Customers don't go out of their way to pay extra for security, and, as Microsoft's track record has proved, you wouldn't lose much anyway if you shipped software that was hobbled by one or two, or two dozen, major flaws. In the typical software license, most vendors, including Microsoft, disclaim any liability for damage that bugs in their software might enable. If Microsoft makes a stupid mistake in its code that makes it easy for someone to come into your home and steal everything you have, Microsoft is not legally responsible for any of your losses. "And until that changes, none of the security will get better," Schneier says.

But Microsoft denies that it has few reasons to make stronger software. "Of course we have an incentive," Lipner said. "The statement that it takes liability to provide us with an incentive to do security right is bunk. We do this because customers insist on it and we do this because it's the right thing to do for our customers. We're a business, and we're driven by what the customers demand -- and that's how this company got to be as successful as we have been."