A Dubious Christmas Gift for Microsoft

An article by John Markoff which appeared in the December 25, 2006 edition of The New York Times said it all with the title “Flaws Are Detected in Microsoft’s Vista ” but didn’t leave it at that. Here is an excerpt from the beginning of the article:

Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month.

On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user’s privileges on all of the company’s recent operating systems, including Vista. And over the weekend a Silicon Valley computer security firm said it had notified Microsoft that it had also found that flaw, as well as five other vulnerabilities, including one serious error in the software code underlying the company’s new Internet Explorer 7 browser.

The browser flaw is particularly troubling because it potentially means that Web users could become infected with malicious software simply by visiting a booby-trapped site. That would make it possible for an attacker to inject rogue software into the Vista-based computer, according to executives at Determina, a company based in Redwood City, Calif., that sells software intended to protect against operating system and other vulnerabilities.

I have been advising my clients and Pennsylvania Bar Association members to sit tight before buying Vista. Experience dictates that only the ultimate test of being released into the wilds of the internet will reveal and eventually result in a fix of the flaws in the software.

Finding and fixing flaws in the software is not an indictment of Microsoft, folks. It’s just a reality of the process. As someone who went through the time and expense of learning to program computers in the years before the PC was invented, I can tell you that there just isn’t such a thing as error-proof code. It takes many millions of lines of code, including hundreds of thousands of coded sub-routines, to accomplish the functionality of an operating system. I don’t care how many Twinkie-eating, Pepsi-swilling programmers hopped up on caffeine and sugar pour over the code line by line . . . there will be holes and errors when it is released.

Fixing software is a complicated process. First the “obvious” flaws are found.

Flaws come in two flavors. Those which are just “holes” in the code, and are subject to exploit. That’s what the above-referenced article is about. There will be some which, to the outside trained eye, just pop out. And then there will be some which will require quite a bit of “noodling” to discover.

The other type of flaws are those which are “transactional” and arise from a combination of events. Those things which arise frequently, like in every million transactions, will become quickly obvious. Then a “patch” must be created. That means finding the actual error(s) in the code — like looking for a needle in a haystack — and writing a correction which doesn’t inadvertently create a problem elsewhere.

Then after a while you get to the rarer flaws, those which only crop up once in 5 or 10 million unique sequences of events. Those are a lot harder to locate in the code. Think of trying to find a single needle in a few acres of haystacks. And then when you find it, the process of correcting the problem without negatively impacting the remaining logic becomes even more challenging. From experience I can tell you that often it’s like trying to bite into an overstuffed hoagie. . . hard not to wind up with a mess squeezing out elsewhere.

When one adds to the mix the fact that Microsoft is undoubtedly the biggest bulls-eye target in the marketplace, and that criminals have a huge economic motive to take aim at it, (and aren’t reluctant to invest the resources to do so), it stands to reason that even the smallest of flaws will be detected and exploited. Ok, don’t misunderstand. I’m not a Microsoft groupie or Bill Gates fan. But I know that there is not a single piece of perfect unexploitable software in existence. It’s just that the economic justification for going after most of it isn’t worth it to the criminal element.

Here’s another excerpt from the article which touches on the economic incentives:

Last week, the chief technology officer of Trend Micro, a computer security firm in Tokyo, told several computer news Web sites that he had discovered an offer on an underground computer discussion forum to sell information about a security flaw in Windows Vista for $50,000. Over the weekend a spokesman for Trend Micro said that the company had not obtained the information, and as a result could not confirm the authenticity of the offer.

Many computer security companies say that there is a lively underground market for information that would permit attackers to break in to systems via the Internet.

And that’s just the tip of the iceberg, folks. The real economic incentive lies in the resulting ability to steal confidential information, spy on company activities, and secretly enslave large armies of PCs.

Ok, so when should you buy Vista? If you’re the typical U.S. law firm, with 15 or fewer attorneys, and no real in-house IT staff, you wait until the first or second revision is released. And then you will know that the most obvious flaws have been detected and patched. And now you will also know, hopefully, that there will be additional patches, and that there will always be new flaws to be discovered and fixed. So you will also always need to keep up with third-party add-ons for protection from viruses, spyware and scumware. It’s just the nature of the beast.

Stay tuned. I’ll be sure to tell you when I feel it’s safe to put your toes in the Vista waters.


To return to the main page of the blog, click here. To return to the blog Index, click here.

Other Links to this Post

  1. Law Practice Management » Blog Archive » Why Not Vista Right Now? — February 11, 2007 @ 7:10 pm

WordPress Themes