Vendors Rip Microsoft Over Alleged Security Issues

Software security vendors like to point to glitches in Microsoft products, but they don't always get much acknowledgment from Redmond.

The latest potshots are coming from Sophos, a security software company, as well as database security firm Sentrigo, plus BeyondTrust, which specializes in enterprise password protection. These vendors recently issued public challenges to Redmond concerning security in Windows and other Microsoft products.

For its part, Microsoft said through a spokesperson that it doesn't comment on the theories and opinions of vendors. Yet Redmond's growing network of executive-level bloggers has gone toe-to-toe with no fewer than two of these vendors in as many weeks.

Sophos' Beef With XP Mode
Sophos is one of Microsoft's most outspoken little-guy critics, even though it partners with Redmond on many security initiatives. Last week, the feud concerned Windows 7's XP Mode, which provides a virtualized Windows XP desktop running in Windows 7.

Sophos panned Windows XP Mode as a potential security disaster.

"Windows 7's planned XP compatibility mode risks undoing much of the progress that Microsoft has made on the security front in the last few years and reveals the true colors of the OS giant," said Richard Jacobs, Sophos' CTO in a July post.

The problem pointed out by Sophos' CTO (and Microsoft emphasizes it too) is that Windows XP Mode requires the maintenance of two OSes -- both Windows 7 and a virtualized Windows XP. Security patches have to be applied separately for each OS, and there's no centralized management control to simplify such patching. While Microsoft has been clear about this, Jacobs has intimated that Windows XP Mode is a security disaster in the making.

Jacobs touted the progress that Microsoft has made with its Security Development Lifecycle but added that "XP Mode reminds us all that security will never be Microsoft's first priority." In an August post, Jacobs added that "Microsoft as a whole needs to be much more open about [security issues] or users are going to get a rude awakening in terms of management costs, unexpected security vulnerabilities and/or performance impact."

In a return shot, Windows developer and blogger James O'Neill said that people (like Jacobs) with the title of chief technology officer should have a "better grasp of the key facts before reaching for the insulting rhetoric." Roger Halbheer, Microsoft's chief security advisor for Europe, Middle East and Africa, also questioned Jacobs on his facts.

Sentrigo Scolds Redmond on SQL Server
Sentrigo announced last week that it had discovered a "significant vulnerability" in SQL Server. The company issued a statement describing a flaw that "allows any user with administrative privileges to openly see the unencrypted passwords of other users," or the credentials presented by applications accessing the server using SQL Server authentication.

Microsoft handled the Sentrigo allegation in a low-key manner but still discounted Sentrigo's claims. Microsoft's response didn't mention Sentrigo by name.

"We checked with the security researchers who reported the issue and they confirmed that this is an information disclosure issue requiring the attacker to first have administrative control of the installation," Jonathan Ness of Redmond's MSRC Engineering team noted in a security blog. "Therefore, we do not consider this a bulletin class vulnerability."

BeyondTrust: UAC in Windows 7
BeyondTrust pointed to Windows 7's User Account Control (UAC), a much maligned security feature that was first introduced in Windows Vista. UAC has ongoing unresolved issues, even in Windows 7, the security firm claimed.

"Despite its good intentions, Vista's UAC was widely criticized due to its frequent user prompting, as well as application compatibility issues for standard users," BeyondTrust said in an e-mail statement just before Labor Day weekend.

As far back as February, Microsoft countered the notion that the UAC function was fundamentally faulty. In addition, security researchers Rafael Rivera and Long Zheng had described an exploit that could turn off the UAC prompt, which typically notifies the user of changes about to be made to the computer. In response, Microsoft announced two planned changes to the UAC in Windows 7.

Complaints as Marketing?
Complaints serve to keep vendors in the news. They also help Windows users understand problems that Microsoft doesn't want publicized or may have missed.

Such research claims and stabs at Microsoft are "cheaper than buying advertising for products and services," according to Phil Lieberman of Lieberman Software.

"In my experience, Microsoft tends to react proportionately to the amount of ink given to an issue brought up by vendors or the press," Lieberman said. "Real or fictitious threats all get a hearing and a response. They also react in proportion to the real risks but generally pretty quietly."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


Reader Comments:

Mon, Oct 26, 2009 Zbyszek - IT engineer Warsaw, Poland

Get real! Microsoft sucks. It's not a secure system, so it's not a system which should be considered seriously as a proper system. And its popularity is just thanks to marketing. That's all. I hope people will wake up, will stop buying it and real systems will come in. I have had enough of common people asking me why their "system" (read: MS Windows) doesn't work properly. I used to use MS Windows myself, but I woke up and installed a real system, and then I realized that it was all as if I was on drugs (i.e. their MS marketing propaganda) with it. So I started to reply to everybody annoying me with their Windows: "get a real system, not a toy. Get Linux, e.g. Debian, Red Hat, Fedora. There's lots of it for everybody from all levels of experience in IT. And it's free! Wake up!"

Thu, Sep 10, 2009 Rick Iowa

Rip Microsoft over security? Get real. With my 40 years in various corporate IT organizations I can safely vouch for the fact that IT departments are their own worst security risk. They don't need to be hacked. Management freely approves requests for access to resources, including administrative rights, and our protests are not only not appreciated, they are routinely scorned and overridden. I recently checked and found over 380 logins on some 50 servers with admin privilege, and many are groups with multiple members.

Wed, Sep 9, 2009 VitaminSingh

Hmmm! So what else is new! Apparently that's how these so-called CTOs earn their pay packets. A lot of cock and bull and piggybacking on the biggest guy in IT (Microsoft). Don't get me wrong! Microsoft is certainly not a holy cow; however, what MS does well, it does better than anyone else. Thanks to Microsoft's Windows OS and associated server applications a la SQL Server (eat your heart out, Oracle!), 80% of the IT workforce is gainfully employed across the globe. And yes! That includes you, Mr. Sophos, Mr. BeyondTrust, Mr. Kaspersky, Mr. Symantec et al. So if MS goes out of business, what will you so-called security guys secure? Apple Macs? Hmmmm...........
