Microsoft's $100 million security programme is a failure, its patches actually reduce security and people would do better to stick with NT4.0 and install their own security measures rather than rely on the software giant.
That is the blunt assessment of one of the world's leading authorities on Windows vulnerabilities - TruSecure senior scientist and NT BugTraq list editor, Russ Cooper.
Speaking at the AusCert 2004 conference in Queensland, Cooper also said that Microsoft's security gets worse rather than better with every Windows upgrade and that the company's focus on the consumer market was putting companies at risk. "Version over version [patches] have gotten no better. Patching is not the solution," Cooper said.
Cooper's criticism visibly raised the hackles of Microsoft's representatives at AusCert, especially when Cooper said that Microsoft shareholders ought to be worried by its habit of seeking revenue from patch-ridden upgrades rather than securing its code base.
"If you took Windows NT and put Internet Explorer 5.01 on it and kept it current, you are actually more vulnerable than if you just left it be. This is a message that Microsoft shareholders don't like to hear. That if you upgrade to newer versions you are actually introducing more vulnerabilities, and if you just left it alone you would be fine," Cooper said.
Cooper went on to blame IE for "patch-o-mania" and sucking dry corporate kitties when it had little real impact on enterprise users. "Browser exploitations are far and few between. Users are worried about their data being attacked, not their browser being sent to some place that does lots of pop-ups," Cooper said, adding that the vendor was stuck in a consumer mindset and continued to fail enterprise users.
"I rate the security push as poor to none - with the exception of the consumer market. XP Service Pack 2 is the best security so far - but it's for consumers. What company is going to turn on automatic updates on every one of its desktops? I don't think so," Cooper said.
Microsoft's Security Response Center manager, Iain Mulholland was visibly underwhelmed by Cooper's analysis, particularly when asked about the negative advice to Microsoft shareholders. "I didn't realize Russ had branched out into giving financial advice," Mulholland spat.
An IT security manager from an Australian bank, who spoke on condition of anonymity, said "almost all" of Cooper's analysis "rang true", likening the presentation to "getting bashed around the head with a wet fish". The IT security manager also questioned Cooper's grading of browser vulnerabilities, saying there was "plenty of heartache for those of us that have to calm down customers frightened by every IE security alert".
Is Cooper right? Are you sick of having to constantly install Microsoft patches? Is sticking with NT and spending your time building up your own security defences the way to go? Make your opinion known on the forum.