December 19, 2007, 3:23 PM

So here we are at the end of yet another year. It's always a whole lot easier
to look back than to look forward, but if there's one thing that stays with
us from year to year, it's security, or, rather the lack of it in many cases.
A year ago at this time, I was just returning from Microsoft's Redmond campus,
after getting an immersion treatment into Windows Vista security. Zillions of
dollars were spent completely re-architecting the way Windows handled security.
Dozens of experts from around the world were flown to Redmond for conferences
over Vista's five-year gestation period with the express mission of breaking
into the code and finding every last possible weakness. It would all be different
from the checkered pasts of XP, IE 6, and Office 2003 and the hundreds of security
patches issued on their behalf over the last several years.
True enough, the past torrent of updates has slowed under Vista, IE 7, and
Office 2007, but not to a rate I'd characterize as anything close to a trickle.
The second Tuesday of each month is still "patch day" and soon afterward
we get an interpretive analysis statement from Symantec. To pull just one recent
second Tuesday out of the hat, on Aug. 14, Microsoft issued nine patches, six
of which it considered "critical." Trickle? Uh, no.
Despite their necessity, which ranges from "isn't that nice" to "drop
everything and do it right now," patches (regardless of which software
vendor issues them) are not always perfect. No doubt you'll remember the near-worldwide
Skype outage of late August, which the telephony subsidiary of eBay blamed on,
yep, a patch issued by Microsoft leading to system restarts that in turn created
a flood of login requests to Skype. Whatever. "Trusted computing"
is not always completely trustworthy.
Though Microsoft gets most of the news story coverage about patches, the fact
is the company is not at all alone. It just happens to be the biggest company
with, by far, the largest installed base. And Microsoft is the company that
many users (and journalists) love to hate, fair or not. You've got to admit,
it does sell newspapers and drive Web hits.
It should not be overlooked that cute, cuddly Apple, the company that people
love to love, also issues patches, though certainly not at a pace anything close
to Microsoft's. Is that because Apple software is better-designed and built?
Maybe, but I tend to doubt that. The fact is, the Apple installed base is minuscule
compared to Microsoft's, and a smaller target simply isn't as alluring.