Feb. 10, 2004

Magid: Get It Together, Microsoft

CBS' Larry Magid Tells Microsoft To Get 'Critical' Flaws Under Control


(CBS)  In the nine years my wife and I have owned our minivan, we’ve received exactly two recall notices from Chrysler and we haven’t received a single notice on our 2001 Toyota Avalon. But, we get urgent messages from Microsoft almost every month warning of a new "critical" security flaw.

The latest bulletin, issued on Tuesday, warned that an intruder "could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges."

In other words, you’re a sitting duck.

I suppose I should be praising Microsoft for being so forthcoming with these warnings and for putting up a free "patch" to fix the problem at windowsupdate.microsoft.com. But how many fixes do we need to apply before we can rest assured that our computers aren’t sieves for anyone who wants to peer into our private lives?

Microsoft has reportedly known about this particular flaw for about six months, thanks not to the legions of security experts on the company’s payroll, but because of the work of another company. eEye Digital Security (www.eeye.com) discovered and reported the flaw to Microsoft in July 2003, but I have no idea why it took Microsoft this long to report it to the rest of us.

It’s been more than two years since Bill Gates sent out a memo to every Microsoft employee, calling upon everyone at Microsoft to dedicate themselves to "Trustworthy Computing."

In that memo, Gates urged that "our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve." Two years later, Microsoft software is still very vulnerable.

This latest problem is being announced two weeks ahead of Bill Gates' scheduled keynote address at a major computer security conference in San Francisco on Feb. 24.

To be fair, Microsoft is working against a formidable enemy. No matter what it does to shore up security, there will always be hackers, virus writers and just plain malicious people working hard to find vulnerabilities to exploit.

Some of those exploits are motivated "just because" it’s fun to attack Microsoft systems; others are designed specifically to embarrass Microsoft; some are simply to get attention and others may have financial or even political motivations. Whatever the reason, there is no shortage of people out to find holes in Microsoft products.

In addition to the bad guys, there are also good guys, such as the security researchers at eEye and other companies who are looking for problems so that they can warn users and Microsoft.

Even the federal government’s Department of Homeland Security is in the act of trying to protect our computer infrastructure. Its U.S.-Cert (www.us-cert.gov) Web site contains warnings about security lapses in Microsoft and other companies’ software.

I suppose we can take some solace that Microsoft has said it will make it easier in the future for people to update their machines by further automating the process of downloading and applying security fixes. Yet, I am looking for something more. I’m looking for some real innovation and leadership out of Redmond, Washington: from a company whose executives have made almost as many billions of dollars as McDonald's has made hamburgers, by supplying the world with much of its software.

Our businesses are at stake, our national security is at stake, and so is my own mental health.



A syndicated technology columnist for nearly two decades, Larry Magid serves as on-air Technology Analyst for CBS Radio News. His technology reports can be heard several times a week on the CBS Radio Network. Magid is the author of several books, including "The Little PC Book."



Got a PC question? Visit www.PCAnswer.com.


By Larry Magid
©MMIV, CBS Broadcasting Inc. All Rights Reserved.