Fear, Uncertainty and Doubt, Inc.
Tim Mullen, 2001-12-31

Everyone from the FBI to the L.A. Times has something scary to say about the new XP vulnerability. Here's why they all have it wrong.

Fear, Uncertainty and Doubt, Inc. 2002-01-04
Anonymous
Although I normally take issue with Tim's articles due to what I perceive to be a strong pro-Microsoft bias in them, I thought this one was fairly balanced and accurate on the whole.

It comes as no surprise that the press (and even government agencies) would make a circus out of a story like this and get some of their facts wrong. Public attention is how both institutions (press and government) get their budgets, and both often aren't experts on the subjects they publicize or even capable of judging which experts (all with their own axe to grind) to listen to. In fact, this is really nothing different than what happens with other industries.

Frankly I have little sympathy for Microsoft in this matter. Any company that spends as much advertising money as Microsoft does trying to make itself a household name has got to expect that when it screws up it's going to be a household name as well and with all the publicity going back and forth the actual facts of the matter will tend to get lost.

Microsoft also makes itself a particularly juicy target in this regard due to its business practices. Not just the practice of producing and releasing a product that has these kinds of flaws in it but even more the practice of attempting to obscure the fact that such flaws exist and to shunt blame for such flaws to anyone but themselves.

I have seen Microsoft attempt to shunt blame for flaws in its products upon security professionals for publicly disclosing such flaws, upon administrators for failing to keep up with the maelstrom of patches for such products and upon users for being ignorant of how to configure such products. However, the bottom line is that users, administrators and security professionals did NOT produce the code in Microsoft's products, they were NOT responsible for QA'ing that code, nor did they release the product for sale and market it to the public as "bullet-proof"; Microsoft did.

As an administrator in a small company, I have many other responsibilities and frankly I do not have time to keep up with all the patches in all the software products my company runs. However, if a vulnerability arises due to my failure to apply a well documented, properly announced, timely released and properly QA'd patch, I will accept responsibility for failing to apply that patch. What I WON'T accept is the software vendor attempting to shirk responsibility for producing the flaw which allowed the vulnerability in the first place. They are responsible for at least 50% of the problem.

Personally, rather than all the spin, I think Microsoft would be much better served by a frank and open admittance/discussion of the shortcomings of its products and the mistakes it has made with the IT community. As IT professionals we are all aware of the difficulties of working with large, diverse and complex systems. We are all aware of the possibility of human error creeping into such systems and we are all aware that features of our final products are often influenced by factors outside our control (marketing, business, upper management, limited resources, etc). Microsoft would make far fewer enemies in the IT community by a frank admittance of what its products really are (with all their blemishes) than by its stubborn and fanatical attempt to maintain the fiction of what it would like the public to believe them to be.


Chris

Copyright 2007, SecurityFocus