This summer, I attended the Windows XP Service Pack 2 "Airlift", which was held at Microsoft's campus in Redmond (WA). MS paid for two people from the group I'm in (at my company) to fly out to the two-day event, where they had a dozen specialists in different areas (i.e. firewall, Group Policy, etc.) come in to speak and answer questions from the IT pros in attendance (over 400 of them, from large companies all over the world, but admittedly mostly here in the US).
I think we all left with a sense of doom and a knowledge of the enormous task before us: configuring, testing, deploying and supporting XP SP2. However, we also left with a much greater understanding of the seemingly impossible position Microsoft is in (perpetually, but specifically with patches and upgrades).
Some things to think about
- ANY operating system has vulnerabilities. Microsoft is a popular target because they're so successful. It's for the same reasons most of the world hates the USA, and most of the US hates the Yankees and the Dallas Cowboys. People love a winner, but only for a short time. Apparently, it's human nature to root for the underdog, be thrilled when he wins, and then take glee in cutting him down and watching him fail again. So the point is that the Microsoft OS of your choice may not be any more vulnerable than OS 9/X, Linux, etc...but because there are morons who spend all their time trying to find and exploit Microsoft's vulnerabilities (while leaving the others alone), public perception is that Microsoft is incompetent.
- It cannot POSSIBLY be Microsoft's responsibility to make sure its software works with the millions of software applications that are out there. In short, if you MUST use a product from a third party vendor that does not work with the latest MS OS or SP, then don't install that latest OS or SP. Sure, you'll have an OS with security vulnerabilities, but that third party application vendor has some culpability when it comes to making their apps work on the business and personal computing platform of choice. If recent IT history has shown us anything, it's that exploits are becoming increasingly popular, and the OS vendor has no choice but to modify its code to keep up.
- End users (home and business alike) are morons. One of the Microsoft presenters relayed a story about a test someone did. Apparently a plan was devised to see how many idiot users would open a questionable e-mail attachment, despite having a virus warning right in the very message that accompanied it. Needless to say, the results were predictable; most (like 80%) recipients of the message attempted to open the attachment in spite of the warning. The amazing thing is that when nothing visible "happened", the majority of those users tried to open it a second time! (And no, they apparently weren't all Red Sox fans.)
- Testing is key. If you want a more secure OS, install SP2. But don't just do it willy-nilly. Create a full backup (Ghost or the like) of your entire drive(s), as well as a separate backup of your data (files, pictures, etc.). Then install the Service Pack, and one by one, try your applications. Some may break. It's not Microsoft's fault; get an update (if one ever comes available) from the third-party vendor for your software. If you're an IT pro who's looking to deploy SP2, you likely have an idea how to plan your testing and deployment strategy...but the key is testing. If you have a business-critical (or "personal-critical") application that doesn't work with SP2, then you might consider waiting until that application DOES work with SP2 before doing a production/large-scale deployment.
- We need to hunt down and kill the bastards who write these malicious OS/code exploits. And while we're at it, we need to thank the people who FIND the vulnerabilities to begin with...but ALSO kill the "do-gooders" who make available (publicly) details on exactly what the exploit is, and how one might take advantage of it. Apparently these morons think they're doing the computing world a favor by showing the manufacturers how a vulnerability in their product can be exploited, but the fact is, more often than not, one of their moron hacker buddies takes that information and runs with it...and then suddenly we have another virus outbreak. The operating system doesn't create the virus, people do. Blaming Microsoft for virus outbreaks is like blaming gun manufacturers for homicides involving guns.
- Windows Firewall: don't enable it if you have/use and are comfortable with a third-party firewall package. Many of our clients use ZoneAlarm (specifically, Integrity Desktop from ZoneLabs), and we will not be using the lesser-featured Windows Firewall. And for people who aren't too technically-savvy: If you're using Windows (or any) Firewall, and you can't access something you need to, it's not the firewall product's fault...in fact, the firewall is doing EXACTLY what it's intended to do. Any firewall needs to be properly configured to allow the traffic you need to, and to block traffic you want to keep out. It's a big task, and the firewall isn't going to configure itself.
- "a long history of releasing fixes that have more problems than what it is intended to fix"??? Hmmm. Any examples? (Or are you just exaggerating?)
Kudos to Microsoft for doing its best (a huge and ambitious undertaking) to keep its products as safe as possible...and a big "F you" to hackers who try to make life miserable for the rest of us.