Microsoft's $100 million security improvement initiative has been savagely attacked by one of the world's leading authorities on Windows vulnerabilities, with claims the software behemoth's security gets worse rather than better with every OS upgrade.
TruSecure senior scientist and NT BugTraq list editor Russ Cooper told delegates at the AusCert 2004 conference in Queensland last week that, by his statistical reckoning, most Windows users were better off sticking with older versions such as NT 4.0 and deploying security measures other than patching.
"Version over version [patches] have gotten no better. Patching is not the solution. If you are looking at a number of patches a product has [to decide whether] to upgrade, that's a big mistake," Cooper said.
In a move that visibly raised the hackles of Redmond's representatives at AusCert, Cooper also took aim at Microsoft's shareholders, saying they ought to be worried by the vendor's habit of deriving revenue from patch-ridden upgrades rather than securing its code base.
"If you took Windows NT and put Internet Explorer (IE) 5.01 [on it] and kept it current [with upgrades, patches and service packs], you are actually more vulnerable than if you just left it be. This is a message that Microsoft shareholders don't like to hear. That if [you] upgrade to newer [versions] you are actually introducing more vulnerabilities, and if [you] just left it alone you would be fine," Cooper said.
Cooper went on to blame IE for "patch-o-mania" and sucking dry corporate kitties when it had little real impact on enterprise users.
"Browser exploitations are far and few between. Users are worried about their data being attacked, not their browser being sent to some place that does lots of pop-ups," Cooper said, adding that the vendor was stuck in a consumer mindset and continued to fail enterprise users.
"I rate the security push as poor to none - with the exception of the consumer market. XP Service Pack 2 is the best security so far…but it's for consumers. What company is going to turn on automatic updates on every one of its desktops? I don't think so," Cooper said.
Microsoft's Security Response Centre manager, Iain Mulholland, appeared visibly underwhelmed by Cooper's analysis, particularly when asked about the negative advice to Microsoft shareholders.
"I didn't realise Russ had branched out into giving financial advice," Mulholland said.
An IT security manager from an Australian bank, who spoke on condition of anonymity, said "almost all" of Cooper's analysis "rang true", likening the presentation to "getting bashed around the head with a wet fish".
The IT security manager also questioned Cooper's grading of browser vulnerabilities, saying there was "plenty of heartache for those of us that have to calm down customers frightened by every IE security alert".