by P.J. Connolly

Unsafe at any version

analysis
Jan 11, 2002

Will Microsoft ever deliver a secure OS? The track record isn't encouraging, and it keeps getting worse

I’m going to take care of some old business before we get too far into 2002. Last month I wrote that a Symantec representative indicated the company’s security products might deliberately ignore government-sponsored snoopware. Fortunately for all of us, the person quoted was speaking without authorization from Symantec HQ, and it appears that the company’s position, paraphrased by yours truly, is quite the opposite: “Malware is malware and we’ll warn our customers of it.” I hope this clarifies that issue.

While I was on my holiday, a flap arose over a security hole in Windows XP’s Universal Plug and Play subsystem. Even the mainstream media found room to cover it. And while Tim Mullen’s New Year’s Eve contribution to Security Focus was right on the money about the overreaction, I was glad that I cancelled my plan to load Windows XP on my notebook.

It’s not so much a matter of being concerned about XP’s security as I feel like it’s déjà vu all over again. In the last three years I’ve sat through briefings on Windows 2000, XP, and .Net Server, and every time heard how Microsoft is stressing security like never before, how every known attack is thrown at the beta code, yadda, yadda, yadda.

But then Microsoft releases Windows XP, and as soon as I install it on a lab machine, Windows Update goes out and tells me there was already a patch a few weeks before release. OK, patches happen. But I’m writing this column in the tenth week after the XP release, and already I count three critical patches: the Universal Plug and Play patch from December and two patches for Internet Exploiter 6, one that handles a cookie problem, the other an HTML header vulnerability.

I don’t know about you, but if I bought a brand-new car and had to bring it back to the dealer every three weeks because the door locks didn’t work, I’d be pretty ticked. Sure, downloading the patch from Windows Update and rebooting the system are trivial compared to a long sit in a dealer’s waiting room. But I really have to wonder if Microsoft has gotten too big to write secure code.

I’m certain Microsoft’s developers are trying to do so, but the results show otherwise. I couldn’t keep the grin off my face when a Microsoftie was bending my ear about how secure Windows XP was going to be. The next time I hear the spiel, which will be for Windows .Net Server, I’m not sure whether I’ll laugh out loud or just roll my eyes. All I know is, Microsoft’s claims of security ring more hollow with each press tour.

Doesn’t this mean that I can’t ever be fair to Microsoft? Not hardly. After all, I’m being paid to have an opinion. All it means is that Microsoft’s spokespeople have to work harder every year to convince me — and more importantly, you — that the company got it right this time.