September 05, 2002, 4:33 PM — Brian Valentine says he's not proud.
The senior vice president in charge of Microsoft Corp.'s Windows development team has reason not to be. One of his most notable works, the Windows 2000 operating system, has a security record that is nothing to boast about. In fact, it's downright dismal, many experts say.
Security bulletins warning of holes and vulnerabilities in Microsoft operating systems are a regular occurrence. Late Wednesday, the company released a bulletin warning of a flaw in its digital certificate technology that could allow attackers to steal a user's credit card information. It is the second security bulletin to be issued this month.
In August, Microsoft warned, in one of eight security bulletins issued that month, that many of its customers have experienced "an increased amount of hacking" in their various Windows systems. The Redmond, Washington, company has yet to identify the root of the problem, saying only that it has noticed some major similarities among the string of hack attacks.
"As of August 2002, the PSS (Product Support Services) Security Team has not been able to determine the technique that is being used to gain access to the computer," the company wrote in its security bulletin posted on August 30.
In short, Microsoft is stumped.
It is a case in point of the problems that the company is currently facing as it struggles to release more secure code around its new generation of .Net software and win redemption from customers who have been burned by buggy products. Its latest attempt to fight the problem is embodied in a company-wide effort called the Trustworthy Computing Initiative. As that effort lumbers to show results, the company is filling in the gaps with apologies.
"I'm not proud," Valentine said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security."
The Windows 2000 operating system has been pummeled by continual security holes, some so widespread that they have resulted in major damage to computer systems around the world. Most notable are the Code Red and Nimda worms, which exploit a vulnerability in the operating system.
Customers seem to agree that Microsoft's spotty record with security has been a detriment to their own development of computer systems. One Windows systems consultant here, who wished to remain anonymous, said that security issues with Microsoft's IIS (Internet Information Server) Web server have left a bad taste in many customers' mouths.
"Some of the customers I've worked with simply won't use IIS," the systems consultant said. "That's bad for us. We're losing business because of it."