Microsoft’s security measures a failure

January 31, 2003

SAN FRANCISCO: Computer security experts have said that the recent “SQL Slammer” worm, the worst in more than a year, is evidence that Microsoft Corp.’s year-old security push is not working.

“Trustworthy Computing is failing,” Russ Cooper of TruSecure Corp. said of the Microsoft initiative. “I gave it a ‘D-minus’ at the beginning of the year, and now I’d give it an ‘F.’”

The worm, which exploited a known vulnerability in Microsoft’s SQL Server database software, spread through network connections beginning on Saturday, crashing servers and clogging the Internet.

It hit a year and one week after Microsoft Chairman Bill Gates sent a company-wide e-mail saying Microsoft would make boosting security of its software a top priority.

Microsoft placed responsibility on computer users who failed to install a patch that had been available since at least last June.

“The single largest message is: keep your system up to date with patches,” Microsoft Chief Security Officer Scott Charney told Reuters.

But the philosophy of patching is fundamentally flawed and leaves people vulnerable, Cooper said. For example, Microsoft did not follow its own advice as executives confirmed that an internal network was hit by the worm.

“Microsoft was completely hosed (from Slammer). It took them two days to get out from under it,” said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. “It’s as hypocritical as you can get.”

The solution: install patches, along with firewalls and other security software and services, as well as demand better products from Microsoft, the experts said.

© Reuters
