Microsoft’s Monopoly on Security Flaws

With all the recent dot-com burnouts, a lot of young high-tech workers are wondering where they can find stable jobs. Many are shying away from startups. They want secure — make that rock-solid — positions on career paths that can be measured in generations rather than months.

Well, they need look no further than a guy in Bulgaria by the name of Georgi Guninsky. His life mission is discovering and exposing the endless parade of security flaws that pop up in Microsoft software.

How Many Bug Hunters Does it Take?

Apparently, it will take more than one bug hunter to persuade Microsoft to make its products more secure. Guninsky’s latest discovery of a security flaw in Microsoft’s software — which looks a lot like the last one — will almost certainly have the same effect on Microsoft’s inadequate security policy as all the preceding discoveries. Which is to say, not much.

Microsoft’s lack of response is not motivated by anti-Bulgarian sentiments. The company ignores all bug discoveries equally. In fairness, Microsoft regularly churns out “patches,” but some of their cures are worse than the disease. Why won’t they fix the root causes? Then again, why should they?

Unwritten Law Protects the Guilty

On Tuesday, security experts confirmed what Guninsky had already announced in a posting on his Web site: Certain configurations of Microsoft’s ubiquitous Windows operating system and its popular Internet Explorer browser are vulnerable to security holes that could allow mischief-makers to take over other computers.

The flaw exists in Windows 95/98 and is the default setting in Windows 2000. The problem affects mostly home users; most corporate systems have security firewalls that keep them safe.

Microsoft reacted by criticizing Guninsky for disclosing the problem before giving the company a chance to fix it. There is an “unwritten law,” the company claims, that requires bug chasers to give vendors the chance to fix problems before making them public.

Where is the unwritten law that protects the consumer?

Welcome, Hackers

Critics say Microsoft’s laissez faire attitude toward security is partly responsible for the Melissa and Love Bug viruses — the two most vicious and costly computer bugs ever.

Melissa cost about $80 million (US$), a trifling sum compared to the damage wreaked by the Love Bug. That virus and subsequent variations are said to have cost as much as $1 billion worldwide. The U.S. Navy, the U.S. Senate, Ford and ironically, Microsoft, were forced to shut down all or part of their e-mail systems.

Basically, Microsoft’s response to the Love Bug was to chide the victims, who should have known better than to open those “I Love You” file attachments.

Damage Control

Critics say Microsoft is in such a rush to get new products out the door — and rake profits in — that the company fails to properly test its products before releasing them to an unsuspecting public. Also, the close integration of Microsoft’s operating system and applications — a practice that is designed to keep competitors from getting a foot in the door — makes security holes more likely.

The company has established a security response center. You have to feel sorry for those guys; they must feel like interns sitting around a border town emergency room on a Saturday night.

Microsoft apparently believes it is easier to slap a few band-aids on whatever problems may arise — bringing in the PR department to stop any serious bleeding — than to schedule major surgery. Because people keep buying the company’s products, it may appear that the damage control approach works. But then again, with Microsoft monopolizing the software market, is there any real choice?

Microsoft mouths words people want to hear — saying it takes security very seriously — but the company’s assurances lack the ring of conviction. Security training is not even mandatory for Microsoft developers.

Monopolistic Thinking

Microsoft supporters say that with the software giant supplying operating systems to the vast majority of the world’s computers, it is only natural for problems to crop up on a regular basis.

That argument has some merit, but it also contains the seeds of its own destruction. If Microsoft were operating in a healthy, competitive environment, the company might be a little more motivated to fix its endless security flaws.

Maybe someone should look into breaking up the monopoly. Oh, someone has? I don’t suppose the judge speaks Bulgarian?