"Microsoft is good on security" shock bonk

Tuesday 26 January 2010
I have listened to the IT security podcast Security Now for some time now, and on the whole I’ve considered the host, Steve Gibson, to be a fairly sensible fellow. But my faith in the guy has been shaken, big time, after he said some real crazy-assed shit in the latest show (episode 232).
Gibson and fellow host Leo Laporte were talking about how Microsoft have been making incremental improvements to the security profile of its infamous web browser Internet Explorer. IE8 is a lot more secure than IE6, they said. Which is a reasonable thing to say. But then Laporte uttered these incredible words: “”Microsoft doesn’t have the greatest track record but I don’t think they’re particularly worse than anyone else [on security].” And the alleged security expert Gibson agreed!
Now, Laporte has a bit of an excuse. He’s a tech head, not a security guy. Yes, his technical background should tell him that Microsoft is a train wreck security-wise. But he’s a Microsoft fan in general, so we shouldn’t expect too much from him. But Gibson is a security professional – his hard disk data recovery utility, Spinrite, gets a lot of plaudits (many of them on his own site), and through his company GRC he sells a bunch of other security products. And the podcast generally makes excellent listening. So how can he be so deluded about Microsoft?
Because Microsoft is a truly appalling company when it comes to the security of its products (Microsoft is appalling in a lot of other ways too, but let’s concentrate on security here). For years the Windows operating systems have been infested with spyware, viruses, trojans and other malware. It’s only since Vista that Windows has had any decent security model at all. The browser Internet Explorer has long been a joke to most security-conscious computer users, most of whom use Firefox or Google Chrome/Chromium instead. IE is probably the vector for most of the attacks that take place over the internet. So even if we disregard IE’s other shortcomings, like its disregard for open standards embraced by the rest of the industry, it fails miserably when it comes to its users’ security.
Even Patch Tuesday – Microsoft’s vaunted update cycle – is a dangerous joke. Microsoft releases its software updates on the second Tuesday of every month (“whether they need to or not”, LOL). There could be a major 0-day vulnerability in the world’s most widespread personal computer software, threatening millions of users right now – but the fix won’t be released until the second Tuesday in the month comes round. And the computer criminals know this. They can engineer their attacks to make the most of the period between one Patch Tuesday and the next. If Mozilla (for example) discover a vuln in Firefox (for example) they will release the fix as soon as they can – usually within a couple of days. Microsoft will very very rarely release a fix before Patch Tuesday. And Gibson agrees with Laporte that Microsoft are “no worse than anyone else”? Crazy…
Tell you what though, Security Now 232 is still worth a listen. I won’t list everything covered, I’ll just urge you all to check it out (download link here). My confidence in Gibson may have been shaken by his comments about Microsoft, but the fact remains that he knows a lot about his business. One thing I learned is that I’ve been pronouncing the word “kludge” incorrectly for years. “Kludge” is hacker-speak, meaning an inelegant solution to a problem. I’ve always pronounced it to rhyme with “budge”. But in the podcast Gibson and Laporte said it “klooj”. That bugged me, so I googled it. And Dictionary.com, Wikipedia, and Answers.com (as well as many more sources) all agree that “kludge” is indeed pronounced “klooj”. So Gibson and Laporte were right about that. But they are dead wrong about Microsoft.

_got=2;_goi=2;_goz=0;_gol=’Free hit counter’;_GoStatsRun();
Free hit counter
Free hit counter