It's your fault. Yeah you, Mr or Ms Corporate IT Person. Microsoft says it's your fault, and the fault of your users, that there are so many security problems with Microsoft software. Oh, sure, there are security holes in Microsoft products. But Microsoft does patch them -- eventually. And unless corporate IT does a better job of promptly applying those patches, as well as training users in safe computing practices -- well, there's only so much Microsoft can do.
Earlier this month a high-level Microsoft manager named Jonathan Perera was making the 'it's-your-fault-too' pitch at the Infosecurity Europe conference in London. At exactly the same time, security companies were reporting a new round of attacks on Microsoft products, including IIS and Exchange Server, based on yet another Microsoft buffer overflow vulnerability.
Microsoft had issued a patch for that security hole just two weeks earlier. But the hole is in every version of Windows NT and XP Pro that has shipped since Windows NT 4.0 in 1996.
In other words, it took Microsoft almost eight years to find and fix this hole -- a hole that exists only because of Microsoft product development policies that in another profession would be called malpractice. But now we're told it's corporate IT's fault too, because in two weeks we haven't patched the 12.5 million servers and 200 million client PCs affected. (That's the current Windows NT, Server and XP Professional installed base, according to IDC.)
Why haven't we patched them? Everybody knows the answer: because of the cost. There's such a continuous stream of patches from Microsoft that we can't afford to apply every patch immediately.
Why doesn't Microsoft get it right the first time -- or the second time, or the third -- so all those patches won't be necessary?
Microsoft would rather wait until hundreds of millions of copies are in use -- so we're the ones who pay for applying those patches.
But how much is it? Let's say it costs $US80 for the average IT shop to apply this most recent patch to each affected Windows server. That includes all the costs of testing, resolving conflicts and deploying -- in other words, $80 is a spectacularly lowball estimate.
But it still means a total cost to corporate IT of $1 billion.
And that's just for the servers. You want to patch all the NT Workstation and XP Pro PCs? Even at an average cost of $5 each -- another lowball estimate given that it'll take around 10 hours in a company of 120 PCs and that's another $1 billion.
Think Microsoft's programmers could've found this bug before shipping the software for a lot less than $2 billion? Betcha they could have.