November 28th, 2005

Why can't Microsoft just patch everything?

Posted by George Ou @ 1:44 am

Categories: Security

Nearly four years ago, Microsoft’s Bill Gates ate some humble pie, declared that the company must do much better on security, and launched the Trustworthy Computing Initiative.  One and a half years later, the company launched Windows 2003 Server with fewer vulnerabilities and extremely defensive default settings.  Another year went by and Microsoft released Windows XP SP2 with many new security features.  Almost four years after the launch of Trustworthy Computing, I found myself wondering why I was staying up until 4:00 AM to deliver an emergency set of instructions (Home and Enterprise) to my readers, because Microsoft felt it unnecessary to patch a flaw six months ago that was originally low risk but has since mutated into something extremely dangerous.

Technically, this is a new twist on an old vulnerability that was originally deemed "low risk" because it was initially thought to be capable only of producing denial-of-service attacks.  While I have nothing but disgust for the British company that released this zero-day exploit into the wild when people had no way of defending themselves, Microsoft is an extremely wealthy company with an army of programmers.  If smaller software companies can patch all of their bugs, serious or minor, why can’t Microsoft just patch all of their vulnerabilities with their massive army of programmers and massive budget?  Had Microsoft fixed this vulnerability six months ago, even though it was low risk, perhaps this entire incident could have been avoided.

Apple, Mozilla, and Oracle have all recently been plagued with significantly more vulnerabilities and flaws than Microsoft, but Microsoft seems to be the only one that leaves a few vulnerabilities unpatched here and there.  Granted, almost all of these unpatched problems are minor to moderately minor, but it leaves the perception that Microsoft leaves holes in their software and just doesn’t care enough to patch all of their flaws.  Take this detailed comparison of Firefox versus Internet Explorer: it clearly shows Microsoft having fewer vulnerabilities this past year but far more of them left unpatched, that’s 6 (7 if you count this latest serious vulnerability) unpatched flaws for IE 6 and 0 for Firefox.  Even though Firefox has been hit with many more vulnerabilities than IE, Firefox proponents can take the high road and claim victory because at least their vulnerabilities are patched.

If we look at Secunia’s database for Windows XP vulnerabilities, we see that 22% of the vulnerabilities are unpatched.  Although most of these issues are minor or moderate, the most serious one is rated "highly critical".  It boggles my mind how Microsoft could allow this to badly mar their vastly improved security record with Windows XP SP2, Windows 2003 Server, and IIS 6.0.  With Microsoft’s delicate reputation on security, you would think that some Product Manager would be cracking some heads open somewhere in Redmond over this.  IT Managers and CIOs should be giving their Microsoft rep an earful over this.

Here is a list of unpatched Windows XP issues:

Microsoft should respond to each and every one of these issues and say what they intend to do about them.  They should give us an ETA on when they intend to fix these problems, if ever.  In my opinion, Microsoft should take the high road, just fix everything, and lead the software industry by example.  Most people who read my blogs know that I am anything but a Microsoft hater.  I like Microsoft technology and I have spent a lot of time deploying it.  While I believe there are plenty of times that Microsoft gets treated unfairly, I think these questions are more than fair.  I await Microsoft’s answer.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 194)

passing the costs on to the end users
MS could patch these issues, but it would cost money. Instead, they pass the cost on to the end user.

How many hours have been lost to 'routine' maintenance tasks like registry cleanup, anti... (Read the rest)
Posted by: Nathan Wallwork Posted on: 05/28/08
