Microsoft CEO Steve Ballmer addressed the Worldwide Partner meeting in New Orleans, indicating that the next front for the security initiative is on the desktop – providing more tools and... oh, yeah – that patch management thing again – in trying to stem the tide of difficulties that the company has faced.
During his keynote, he asked how many people had deployed SUS (Software Update Services) internally, and to customers? Getting the response, he indicated that this was the point he had been making to his internal people – that it wasn’t getting done. But, there was one more question to quantify what he thought he already knew:
“How many people really KNOW what Software Update Services 1.0 is? OK, that’s kind of what I was afraid of….”
These are the PARTNERS, folks. These are the people that train, consult, develop – if they don’t know what it is, how does anyone in Redmond truly expect that the average small to medium business (not to mention Mom and Pop shops) is going to?
I know from personal experience that SUS is a good tool. It’s not great – but I’m anxiously awaiting SUS 2.0 – due maybe Q1 2004. But, it’s a lot better than a team of techs going from machine to machine with a floppy, CD, USB storage device, what have you.
In my most humble opinion, the response in New Orleans indicates one good reason why security is a problem on Windows systems: The tools that are available are not being leveraged. Point the blame where you will, but the bottom line is Microsoft cannot patch your machine for you. That’s your job. If you think that Windows or Microsoft products in general are the only ones with problems, I suggest you take a look at a more impartial outlet – say, SANS? They published the Top 20 Vulnerabilities, 10 going to Windows / Microsoft, the other 20 going to *NIX. Oh, and just for fun – trot over to Red Hat and see how many security bulletins are posted for their Linux 9.0 – 53. Yes, that is a Fifty, with a Three added on. I’m not bashing Red Hat or Linux in general – I’m simply trying to bring things into perspective. I admit that Windows has problems – but the work continues to correct the issues – political, technical, monocultural.
Operating systems, regardless of who puts them out, are vulnerable to flaws. That’s it – simple, concise. The good thing is that there are smart people out there (and whether it’s for personal gain or not – I don’t really care) who report these flaws. Some are reported to the vendor (Microsoft, Red Hat, etc.), with the findings then divulged together with the vendor and credit given, while others are posted directly to the public forum. Obviously, some get their tail feathers ruffled by the latter. If the outcome is a patch to fix the hole, it’s a ‘good thing(TM)’.
Humans write code, humans make errors, code has errors. Remember the movie “Westworld” (OK, not Oscar material – whatever): “Where nothing can possibly go worng”? That’s your software development cycle in action – and after the product has shipped.
Microsoft MVP – Active Directory