Monday, December 20, 2004

Microsoft has been under fire lately for the security flaws in its products, especially Internet Explorer. Enough has been said about that. However, its latest move, acquiring anti-spyware software maker Giant, doesn't look good on its resume. The key to secure software is prevention, and Microsoft of all people has no right to complain of a resource crunch.
They have the money and the (highly skilled) manpower to throw at this problem. What is absolutely necessary is a drastic reworking of the browser, a la SP2, where they let applications break but put security first.

Even more galling is the possibility that they may charge for this software. The reason spyware exists is the bad security model Microsoft used for IE. I don't say this, CERT does. ActiveX and the whole "zones" model are completely broken. In a recent statement, Microsoft said that spyware was the users' fault, not theirs. Yeah, right.

In most cases, maybe. But I've been infected by spyware without ever clicking "OK" on anything. It was due to streaming music websites (before you think of other, more "unclean" reasons). I'm not that dumb. I used Firefox then too, but my RealPlayer plugins didn't work cleanly on it. Valuable lesson learnt: NEVER use IE-only sites, unless they are your bank or something and you have no choice.

Another pet grouse to get off my chest: for those who say that all of Microsoft's problems stem from market share, I call their bluff with two words: Apache and Oracle. I don't even remember the last time a major Apache server or an Oracle database (both market leaders by a wide margin) was taken out by a vulnerability. Slammer, the SQL Server worm, is of course fresh in everyone's mind.

Complacency is one thing open source would do well to guard against, though. It wasn't so long ago that Debian's servers were broken into just days before a major release, leaving the whole Debian source tree open to tampering. Mercenaries are exactly that: they have no respect for authority or principles, which makes open-source software an equally good target if the incentive is right.
