New security alerts put Microsoft under pressure

A string of new security alerts from Microsoft - four this week and 57 so far this year - has highlighted the company's challenge in making its software secure.

In January, Microsoft chairman and chief software architect Bill Gates outlined a new "Trustworthy Computing Initiative", promising to make security a top priority in Microsoft's software development.

The company has long been criticised within the industry for software development practices that seemed to put functionality and convenience over security. Gates promised to reverse this with the Trustworthy Computing Initiative.

This week Microsoft posted four security alerts concerning products ranging from the company's core Windows operating system to a software development kit (SDK) used to bridge Windows and the UNIX operating system.

Among those alerts was a "critical" warning by Microsoft about the Windows Help feature, which provides assistance to users with questions about the operating system or specific applications.

A flaw in an ActiveX component used by Windows HTML Help could allow a remote attacker to run code on a Windows machine with the privileges of the logged-on user.

Another posting issued a patch for the company's SQL Server product, including fixes for four newly discovered vulnerabilities.

Commenting on the company's problems Rich Mogull, research director at analyst group Gartner G2, said: "Microsoft has two major issues to deal with. One is a cultural change. Innovation always took precedence over other factors at Microsoft."

"The other issue is that [Microsoft] has a massive code base to deal with. They have hundreds of products on the market and millions of lines of code that they produced [prior to the Trustworthy Computing Initiative]."

According to Mogull, Gartner is cautioning its customers about continuing security problems in Microsoft's products, despite the vendor's high profile emphasis on security.

Alan Paller, director of the SysAdmin, Audit, Network and Security (SANS) Institute, agreed, and offered another possible explanation for the high number of security flaws in Microsoft's products: the comparatively young age of the products.

"We've seen that the number of [security] vulnerabilities in software applications is related to two factors: the number of lines of code and the newness of the product," said Paller.

"Apache isn't better than [Microsoft's] Internet Information Server, it's just older and smaller, and that means fewer new bugs," said Paller.

Gartner believes Microsoft needs to repeat the transformation of the company that took place in the mid-1990s when it shifted from being a desktop to an Internet-focused business. "Microsoft showed strong leadership before getting on board with the Internet, but this is an even bigger change. The Internet was about missing an opportunity to innovate, whereas with security it's about changing the face of the products that are out there," said Mogull.

"You can't develop as quickly, you can't release products with all the features turned on, and you have to be more responsive to security."

The Gartner analyst said users had a role to play in improving software quality. "We need to have businesses exert market forces and hold vendors liable for products."