It's ironic how Bill Gates' internal memo emphasizing security in
Microsoft products leaked out so quickly to the press. It's also funny
that such a memo received so much attention in the first place. When you
are at the helm of the biggest software company in the world, one would
expect that product requirements such as quality and security would go
without saying.
Well, as the battle scars worn by so many MIS personnel in Microsoft
shops prove, quality has been far from the forefront in the product
designers' minds. We at TMC are a Microsoft shop (for the most part) and
this has personally affected me too. Thankfully, our sites have yet to
show any sign of compromise, but I'm starting to feel battle fatigue
from all the patches, upgrades, and hot fixes that Microsoft has sent my
way to apply immediately or face the consequences of
procrastination. Even more ridiculous are the patches for patches that
were designed to patch the patches, etc.
Has anyone in Redmond ever heard of regression testing?
This has gotten so bad that one would have to be crazy to install a
Microsoft patch on the first release. The potential harm can oftentimes
be worse than the risk of operating the software with the defect.
Now, one might wonder why Microsoft's software is so riddled with
flaws while other OS-es such as Linux seem to be much more stable.
I am not blithely serving up an opinion but a fact, based on my own
observations managing and programming both Microsoft and Linux
environments. Linux is the more stable operating system, displaying a
stability that Windows has never been able to achieve.
Perhaps the major difference between these two camps is a concept they
have in common: Openness. In the case of Linux, openness is exercised in
its true meaning. The source codes, the documentation, and all the
relevant information are open to the public for their inspection and even
modification. In the case of Microsoft, openness appears in a somewhat
demented form. It usually means that Microsoft applications can openly
interoperate with each other, and now, through Web services (built on
XML), Windows platforms can communicate with platforms from other vendors.
It also means that the operating system services can be accessed through
APIs, the depth and completeness of which are decided by Microsoft.
In my book, that's not openness. These are just facilities and
utilities. Unfortunately, with all the bells and whistles that Microsoft
has incorporated into Windows apps, matters such as security are just
bound to have problems from time to time. And that is how hackers have
been so successful at finding holes in some of these applications (e.g.,
Outlook) and spreading their malicious handiwork through simple scripting.
Unfortunately, in its ultimate wisdom and its perpetual belief that all
users are dumb, Microsoft issues patches and expects us to blindly run
them. One of these creations is the IIS lockdown tool, which in the hands
of an amateur could totally block out a Web site from the world.
Thankfully there is an undo option for this product. But the patch that
really got on my nerves was the Outlook script execution patch, which
blocks scripts from executing automation calls to Outlook. The piece was
designed to combat worms such as Melissa. Having installed that patch, I
was feeling safe and secure about worms such as the Sircam virus. Then one
day I wrote a script to automatically send e-mails through Outlook and it
kept on failing. Guess what? After wasting some time on my own code it
became evident that the same patch that was fighting worms was now
fighting me! When I ran the script in the interactive mode it produced a
ridiculous user interface informing me of the errant program trying to use
Outlook, forcing me to manually accept the action. Worse yet, I could find
no method of disabling or uninstalling this patch.
Another story is the Exchange 5.5 e-mail server software and its
Outlook Web Access product. A recent patch that was released for a
particular vulnerability turned out to cause problems with some of the
installations, prompting Microsoft to pull the patch and issue another one.
These are unfortunate incidents to say the least, especially when you
consider that Microsoft's highly touted Exchange 2000, running on
Windows 2000, and integrated with Active Directory, has been dubbed the
collaborative product to beat. With several advanced collaboration
features and Instant Messaging capability, Microsoft is positioning
Exchange to be the server of choice for communications applications,
including Internet telephony.
If Internet telephony is ever to gain the fickle trust of the public
and mount a serious challenge to traditional POTS, the backbones and the
servers had better be reliable and stable. Linux has proven itself to be
such a platform. Microsoft is still the Goliath to beat, but its buggy
products may eventually be its undoing, at least in the high-margin
communications server market.
Robert Vahid Hashemian provides us with a healthy dose of reality
every other month in his Reality Check column. Robert is Webmaster for
TMCnet.com, your online resource for CTI, Internet telephony, and call
center solutions. He is also the author of the recently published Financial Markets For The Rest Of Us.
He can be reached at rhashemian@tmcnet.com.
[ Return To The April 2002 Table Of Contents ]