[ISN] Do you trust Microsoft?

From: InfoSec News (isnat_private)
Date: Tue Apr 01 2003 - 01:48:55 PST

    http://news.com.com/2100-1002-994878.html
    
    By Reuters 
    March 31, 2003
    
    Three-fourths of computer software security experts at major companies
    surveyed by Forrester Research do not think Microsoft's products are
    secure, the technology research company said Monday.
    
    While 77 percent of respondents in the information technology field
    said security was a top concern when using Windows, 89 percent still
    use the software for sensitive applications, Cambridge,
    Massachusetts-based Forrester said in a report titled "Can Microsoft
    Be Secure?"
    
    The survey polled 35 software security experts at companies with at
    least $1 billion in revenue.
    
    Forrester analyst Laura Koetzle said that "too few firms are taking
    responsibility for securing their Windows systems."
    
    Koetzle said that 40 percent of firms were not planning to make
    security improvements themselves and that only 59 percent of those who
    suffered security attacks have made changes to the way they use
    Microsoft software.
    
    Microsoft, the world's largest software maker, launched a company-wide
    initiative more than a year ago to make its software more secure and
    trustworthy in the face of attacks that targeted the vulnerability and
    wide reach of its software.
    
    "We understand that achieving the goals of Trustworthy Computing will
    not be an easy task and that it will take several years, perhaps a
    decade or more before systems are trusted the way we envision," a
    Microsoft spokesman said in an e-mailed response to the report.
    
    "We are working to address existing security concerns, including patch
    management...This is only the beginning and we are confident that
    customers will continue to see additional progress over time."
    
    In the most dramatic incidents, such as the Nimda and SQL Slammer
    worms that exploited holes in Microsoft software, patches were
    available from the Redmond, Wash.-based company well before the
    attacks happened. In many cases, however, the patches were not
    implemented by system administrators and engineers.
    
    Koetzle noted that while Microsoft's patches for the last nine
    high-profile Windows security holes predated such attacks by an
    average of 305 days, too few customers applied the fixes because
    "administrators lacked both the confidence that a patch won't bring
    down a production system and the tools and time to validate
    Microsoft's avalanche of patches."
    
    Microsoft argues that it is doing a better job of informing customers
    about security holes in its software, but many customers are
    questioning the amount of work needed to implement additional patches
    and fixes to Microsoft's software.
    
    When the SQL Slammer worm, which slowed Web traffic worldwide and shut
    down automatic teller machines across the United States, hit in
    January, Microsoft had already provided, in July of 2002, a security
    patch for the hole that the worm targeted. But because the patch was
    difficult to install, Microsoft scrambled to create an installation
    program that would make it easier for companies to implement the patch.
    
    "Microsoft must develop new simple, consistent tools for applying
    patches and mitigating security platform risks," Koetzle said. She
    added that IT professionals should work more closely with Microsoft
    and companies that write software for Windows to make sure computer
    systems are more secure, instead of blaming Microsoft for security
    breaches.
    