April 2002

BY ROBERT VAHID HASHEMIAN

Its ironic how Bill Gates internal memo emphasizing security in Microsoft products leaked out so quickly to the press. Its also funny that such a memo received so much attention in the first place. When you are at the helm of the biggest software company in the world, one would expect that product requirements such as quality and security would go without saying.

Well, as the battle scars worn by so many MIS personnel in Microsoft shops prove, quality has been far from the forefront in the product designers minds. We at TMC are a Microsoft shop (for the most part) and this has personally affected me too. Thankfully, our sites have yet to show any sign of compromise, but Im starting to feel battle fatigue from all the patches, upgrades, and hot fixes that Microsoft has sent my way to apply immediately or face the consequences of procrastination. Even more ridiculous are the patches for patches that were designed to patch the patches, etc.

Has anyone in Redmond ever heard of regression testing?

This has gotten so bad that one would have to be crazy to install a Microsoft patch on the first release. The potential harm can often times be worse than the risk of operating the software with the defect.

Now, one might wonder why Microsofts software is so riddled with flaws while other OS-es such as Linux seem to be much more stable. I am not blithely serving up an opinion but a fact, based on my own observations managing and programming both Microsoft and Linux environments. Linux is the more stable operating system, displaying a stability that Windows has never been able to achieve.

Perhaps the major difference between these two camps is a concept they have in common: Openness. In the case of Linux, openness is exercised in its true meaning. The source codes, the documentation, and all the relevant information are open to the public for their inspection and even modification. In the case of Microsoft, openness appears in a somewhat demented form. It usually means that Microsoft applications can openly interoperate with each other, and now, through Web services (built on XML), Windows platforms can communicate with platforms from other vendors. It also means that the operating system services can be accessed through APIs, the depth and completeness of which are decided by Microsoft.

In my book, thats not openness. These are just facilities and utilities. Unfortunately with all the bells and whistles that Microsoft has incorporated into Windows apps, matters such as security are just bound to have problems from time to time. And that is how hackers have been so successful at finding holes in some of these applications (e.g., Outlook) and spreading their malicious handiwork through simple scripting.

Unfortunately in its ultimate wisdom and its perpetual belief that all users are dumb, Microsoft issues patches and expects us to blindly run them. One of these creations is the IIS lockdown tool, which in the hands of an amateur could totally block out a Web site from the world. Thankfully there is an undo option for this product. But the patch that really got on my nerves was the Outlook script execution patch, which blocks scripts from executing automation calls to Outlook. The piece was designed to combat worms such as Melissa. Having installed that patch, I was feeling safe and secure about worms such as the Sircam virus. Then one day I wrote a script to automatically send e-mails through Outlook and it kept on failing. Guess what? After wasting some time on my own code it became evident that the same patch that was fighting worms, was now fighting me! When I ran the script in the interactive mode it produced a ridiculous user interface informing me of the errant program trying to use Outlook, forcing me to manually accept the action. Worse yet, I could find no method of disabling or uninstalling this patch.

Another story is the Exchange 5.5 e-mail server software and its Outlook Web Access product. A recent patch that was released for a particular vulnerability turned out to cause problems with some of the installations prompting Microsoft to pull the patch and issue another one. These are unfortunate incidents to say the least, especially when you consider that Microsofts highly touted Exchange 2000, running on Windows 2000, and integrated with Active Directory has been dubbed the collaborative product to beat. With several advanced collaboration features and Instant Messaging capability, Microsoft is positioning Exchange to be the server of choice for communications applications, including Internet telephony.

If Internet telephony is ever to gain the fickle trust of the public and mount a serious challenge to traditional POTS, the backbones and the servers had better be reliable and stable. Linux has proven itself to be such a platform. Microsoft is still the Goliath to beat, but its buggy products may eventually be its undoing, at least in the high-margin communications server market.

Robert Vahid Hashemian provides us with a healthy dose of reality every other month in his Reality Check column. Robert is Webmaster for TMCnet.com your online resource for CTI, Internet telephony, and call center solutions. He is also the author of the recently published Financial Markets For The Rest Of Us. He can be reached at rhashemian@tmcnet.com.

[ Return To The April 2002 Table Of Contents ]