MSFT’s analysis of security


I was asked by @tonynewling for my take on “Vista One Year Vulnerability Report”. I finally got time to look at it and subsequent reports by the same author and I have to applaud the report’s author for cleverly clouding the report.

To his credit, he does say that he would have still done the report even if his employer’s product came out looking not so rosy. Granted that the report is over a year and a half old now (September 9, 2009), it is really passé to consider. But I am sure that MSFT would have used that report to try to make their Vista product look less vulnerable (considering how @tonynewling wanted my inputs). The author’s methodology is clever. He took the first twelve months after a product’s GA to analyse vulnerability and patch efficiencies. He was also clever to say he was only going to compare Vista with Red Hat’s Red Hat Enterprise Linux WS 4. And this was done even though Red Hat Enterprise Linux 5 had already been out for almost twelve months. He was happy to compare the twelve months following RHEL 4’s GA (which was in March 2005) with the twelve months following Vista’s, which I think came out in 2007 (I am not going to check and am sure someone will correct me).

If we are to look at any software product’s development methodology (open source or closed source), every study (see David Wheeler’s page) shows that by being open, you are assured that if there are vulnerabilities and defects, THEY WILL BE FOUND AND FIXED. Earlier last month, an eight-year-old vulnerability in the Linux kernel was discovered and fixed. Try that for ANY MSFT product. I am not begrudging their business model. What I am begrudging is the smooth “lies” that they constantly put out – including the cleverly crafted report referenced above.

Never mind the past. Let’s move forward and look at what is looming on the horizon. Vista will be dead soon when MSFT releases Windows 7 sometime this year. And how do they intend to bring it to the market? How about with blatant lies? I did pose the question earlier today and am hoping that someone from MSFT will respond. It is HIGHLY unlikely anyone will (right @osrin and @tonynewling?). Now I read that the same lies are told about the Mac as well.

Why can’t MSFT do an honest job in selling their product? Why do they have to resort to outright lies and misrepresentations? The whole MSFT business is an intellectual vacuum and morally corrupt.

4 thoughts on “MSFT’s analysis of security”

  1. um.
    “Earlier last month, an eight-year-old vulnerability in the Linux kernel was discovered and fixed. Try that for ANY MSFT product.”
    Um. They do that quite frequently. XP is eight years old (released 2001) and it is still supported, in the sense that they still release security updates for it.
    Vista will similarly be supported after 7 comes out.
    Lying about what Microsoft does is hardly the best way to combat Microsoft lying about what we do…
    (Also, please don’t refer to companies by their stock symbol. It just looks silly. It’s Microsoft, not MSFT.)

    1. Re: um.
      “Um. They do that quite frequently. XP is eight years old (released 2001) and it is still supported, in the sense that they still release security updates for it.
      Vista will similarly be supported after 7 comes out.
      Lying about what Microsoft does is hardly the best way to combat Microsoft lying about what we do…”
      Well, I don’t intend to lie about their stuff – I will be happy to be corrected. One does not have to push down one’s competitor to look good in turn.
      If you look here, their XP stuff reached end of life last year (or earlier this year, 2009). It does not state that there will be security updates for them.
      The Linux kernel issue I mentioned was from way back and it is exactly those kinds of security stuff that we see open source succeeding in.
      Contrast this with MS Windows 2000 being abandoned because “the architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix. To do so would require re-architecting a very significant amount of the Windows 2000 SP4 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible … that there would be no assurance that applications designed to run on Windows 2000 SP4 would continue to operate on the updated system.” (from MS09-048).
      Let’s imagine for a moment that the Windows 2000 codebase was open sourced to begin with. We can only guess if it could be fixed by the interested non-MS people. We now know MS will not. Ever.
      Yes, it is a specific example of a specific situation. But the two examples, one from the Linux kernel and the other from Windows 2000, prove the point that the open source development model is a fundamentally better way for code development and, more importantly, sustainability.
      The proprietary model encourages only one thing: repeated consumption of resources to feed the revenue engine. A new version from Microsoft is a revenue event. It is one which forces users (if they agree) to upgrade. Is that how we should be consuming software? Is there a better way to consume software and yet sustain the community and the ecosystem? How about something based on subscriptions?

      1. Re: um.
        XP security updates through 2014:
        http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=208800494
        http://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173
        that’s even better than Redhat does. Microsoft’s website is inexcusably confusing. My netbook (f11 machine) came brand-new with XP after its support was ended. What the heck does that mean?
        The Windows 2000 example is a good one. There is support, but what does that really mean?

      2. Re: um.
        Thanks for the MS links. If you look at the links, the 2014 date is for special cases. Red Hat (note that it is two words) has all of its RHEL products supported for 7 years from GA, and when there are special needs there is even an extended user support (EUS – http://press.redhat.com/2008/12/18/red-hat-increases-service-levels-and-reduces-costs-for-customers-with-extended-update-support/).
        Perhaps you want to return the XP that you got with your machine because there is no longer any support.
