A year after launching its Trustworthy Computing initiative, Microsoft still suffers from a security image problem, with key executives at 75 percent of companies polled by Forrester Research saying they worry about vulnerabilities in the software firm’s products.
Cambridge, Massachusetts-based Forrester said its survey of IT experts at 35 companies with annual revenues of US$1 billion or more found that recent high-profile security problems have reinforced those fears.
“Microsoft is doing a good job [of] tackling security issues, but it needs to do more,” Forrester analyst Laura Koetzle said.
According to Forrester, 77 percent of surveyed security experts had experienced Windows security problems in the past year. In fact, many of the most costly and fastest-spreading virus and worm attacks have targeted Windows, including the Klez virus, which has been blamed for some $9 billion in damage and lost productivity.
However, the research firm also noted that in many cases, enterprises are failing to take action to avoid those problems. For several recent high-profile flaws, Microsoft had issued patches an average of 305 days before the attacks occurred, including the SQL Server vulnerability that allowed the Slammer worm to take down servers worldwide early this year.
Slowly But Surely?
Microsoft could not be reached for comment on the report. However, the company has acknowledged it will take time to make its software more secure and has focused on making each new software release less prone to hacks and attacks than the previous version.
Giga Information Group analyst Rob Enderle told the E-Commerce Times that Microsoft’s security suffers largely because of the company’s success.
“I’m not sure any other software firms have figured out security any more than Microsoft, but they don’t get targeted the same way and don’t have millions of users on the line when a crack is found,” Enderle said.
He added that next-generation Microsoft software will solve part of the problem, since it will represent the first new platform in a long time. “The code that Windows, even the newer versions, is built on, has been out there for 20 years,” he explained.
Forrester said that although Microsoft’s Trustworthy Computing initiative will produce results over time, the software giant also needs to step up efforts to work with both independent software makers and its vast audience of end users to improve overall security readiness.
For instance, Forrester found that while 89 percent of survey respondents run sensitive applications, such as systems harboring financial transactions or medical records, most fail to deploy security patches in a timely manner.
“Firms lack the time and resources to apply security patches, and they worry that implementing them will destabilize production systems,” the report said, singling out the SQL patch, made available a full six months prior to the Slammer attack, as an example.
“Microsoft must develop new, simple, consistent tools for applying patches and mitigating security platform risks,” Koetzle wrote in the report.
Meanwhile, Microsoft has signaled its intention to fight a move to force it to pay the legal fees of the two states that have decided to undertake further appeals of the antitrust agreement between the software giant and the U.S. Department of Justice. The states are seeking $2.3 million in reimbursement of lawyers’ fees.
Microsoft said in a court filing that the states should be entitled to either sharply reduced or zero attorney’s fees since they did not sign on to the settlement, which called for the software giant to pay legal fees racked up by states that have endorsed the deal.