Sunday, October 17, 2021

Debate Rages Over Microsoft Security Report

Industry players are hotly debating a controversial report released this week claiming that flaws in Microsoft Corp.’s software, combined with the company’s grip on the market, are causing a national security risk.

And to add more flame to the fiery debate, one of the authors was dismissed from his job because of his involvement with the report.

“It is the combination of the two — the flaws in the software and the company’s monopoly — that creates the magnitude of the problem described,” says Ed Black, president and CEO of the Computer and Communication Industry Association (CCIA), a Washington, D.C.-based trade group often considered an “adversary” of Microsoft. “There are several different pieces that come together that create a perfect storm of insecurity.”

The CCIA released and backed the study, while several players in the security industry authored the report, entitled ‘CyberInsecurity: The Cost of Monopoly’.

Daniel Geer, a security consultant and, at the time, the chief technical officer of @Stake, a security consulting firm, was the principal author.

A spokesperson for @Stake confirmed that Geer is no longer with the company since the release of the report. The company released a statement saying that “the values and opinions of the report are not in line with @stake’s views” and that Geer is no longer associated with the company. The spokesperson added that Microsoft did not push for or participate in Geer’s dismissal.

“It shows that a raw nerve was hit,” says Black. “The emperor never likes being told that he has no clothes. Microsoft’s web of relationships is the seat of its power.”

What the report claims is that the large number of flaws in Microsoft’s popular software, combined with the fact that most companies around the world run that software, is creating a dangerous security risk.

“If you can penetrate one Windows system, you can penetrate millions of systems,” says Black. “We’re saying that when an entire nation, the entire industrialized world, is 96 percent dependent on a product with these flaws, there’s a serious problem… It’s a cascading effect.”

And Black adds that the United States’ dependence on Microsoft’s software is directly putting the country at risk.

“The infrastructure of every major industry, of the government, of our power system, are all basically vulnerable,” he says. “When they rely a great deal on a flawed system, they are vulnerable.”

Chris Belthoff, a senior analyst with anti-virus company Sophos, Inc., says he agrees that there is a risk here. Belthoff spends much of his time battling worms and viruses, like Blaster and Sobig, that attack Microsoft Windows systems. And he says virus writers attack those systems for two simple reasons — the flaws in the coding leave them vulnerable to attack, and Microsoft’s huge bite of market share gives them a wide and impressive target to attack.

“Name another industry that is producing products as critical as this and there is only one player holding on to most of the market share,” says Belthoff. “And think about if those products aren’t operating properly and so they could cripple the nation’s IT infrastructure.”

“Do these people have an axe to grind?” Belthoff asks. “Sure. Is that a legitimate axe to be grinding? I’d say, yes it is.”

But not everyone agrees.

Dan Woolley, a long-time security player and now a vice president at Computer Associates, which works closely with Microsoft, called the report and its charges “bull.”

“I know what the guys are saying, but it’s a little hard to swallow given that some of these folks are into security products and are direct competitors with Microsoft,” says Woolley. “Do they have a point? Yah. But the problem I see is if I’m a bad guy, I’m going to pick the highest probability target I can get. That’s Microsoft. If you hit the right thing, you can take down a lot of machines fast.”

Woolley says to claim that Microsoft is causing a national security risk is stretching things.

“I don’t think the stuff is poorly built,” he adds. “My contention, in general, is that I don’t see another software manufacturer out there jumping through the hoops to try to fix their products like Microsoft is.”

Ken Dunham of security company iDefense says he believes Microsoft is working hard on securing its software, but there’s a lot of flawed code to fix.

“Microsoft has increased usability of its software to become a software giant,” says Dunham. “The downside is that with all these features and functionalities added in, you get more problems… Microsoft made this code and they need to make security a focal point. They need to fix the code.”
