Saturday, September 02, 2006

Microsoft is (Still) Not the Problem

Ahhhh - Fall is in the air and it is time to wrap up another summer! I want to start out this fine September by following up on an article I published on my main web site a while ago. In that article, I mentioned that Microsoft was getting a lot of bad press because their products were always being attacked, and because they released so many patches. In following up and to set the stage for this article, I would just like to say that this has been a fairly interesting summer for Microsoft with the release of over thirty new patches for Windows, Internet Explorer, and Office products between June 2006 and August 2006 alone. All in all, we are up to numbered security patch MS06-051 (the 51st patch of 2006), plus several other patches that don’t fall under that numbering system. But let’s not forget that the folks at Firefox gave us at least two new releases this summer also, not to mention patches from Symantec, McAfee, and Intel (Intel/PRO Wireless Drivers). I’m not going to use today’s post as a forum to pit one browser against another or even one operating system against another. I just wanted to point out that there have been a lot of new patches all the way around, but that this high volume of new patches isn't necessarily the problem we are facing. In that previous article, I wrote that:

“Of all the people who regularly bash Microsoft for giving us an operating system with so many holes, I am probably one of the worst offenders. However, I recently had the opportunity to hear a talk by "Hacking Exposed" author Stuart McClure. He made a very interesting point - Microsoft is not the problem. There is so much talk about using the Linux operating system and alternative web browsers such as Mozilla FireFox. The point he made is that those systems also have security holes as do the Microsoft products.”




In spite of all these new patches this summer, I would like to say that I still believe that Microsoft is (still) not really the problem here. What I do see as the problem(s) are people who have too much time on their hands (the bad guys) and security-unaware end users. The fact of the matter is that software code, no matter who writes it, is going to have flaws that are eventually discovered and exploited. It just so happens that Microsoft has the larger market share, so the bad guys are attacking where they know they can do the most widespread damage. So we know where the bad guys are presenting the problem – where they can do the most damage, and in doing so what will get them the most publicity.



So now let’s talk about the end user part of the equation. It’s a foregone conclusion that the software has flawed code, and always will. But let’s face it; Microsoft and other vendors find their flaws (or have the flaws reported to them), they fix the flaw and release a patch. It is now up to the end user (or the IT support structure in corporate environments) to make sure that the patches are getting applied in a timely manner. Are you setting your Automatic Updates to download and install your patches, or do you at least visit Microsoft Updates regularly to get them manually? How about your other (non-Microsoft) software – do you keep an eye on settings that will allow automatic updating for those as well? Since we’re on that subject, even if you do have your Automatic Updates set to auto/auto, when you have some down-time, why not visit the Windows Update site on your own? Check every once in a while and make sure for yourself that you aren’t missing any critical updates, just as you should be manually checking your antivirus and anti-malware definitions every so often to make sure your update engines are working properly and that your system is in fact getting the updates as it should be.





So what happens when a patch goes bad and breaks your computer or an application? Are you simply throwing up your hands immediately, screaming how %$#@& Microsoft is always breaking your computer? This is another example, in my opinion, where the end users are the weak links in this whole patching and updating game. Far too many people scream and curse at Microsoft when a patch goes bad on their system instead of taking a few moments to calmly find a solution to the problem. The solution, by the way, is as close as your telephone: 1-866-PCSAFETY. That is Microsoft’s hotline for solving patch-related problems. If the problem is caused by a security patch, the call is free of charge. The problem may be isolated to just your particular configuration, and it may be a simple matter of uninstalling and reinstalling the patch. If enough people call with the same problem, then Microsoft knows that there is something wrong with the patch itself, and will quickly release a fix. But in order to do so, Microsoft has to know about it! They don’t read minds any better than I do – the end users that are seeing the problem have to report it so that something can be done about it.



I have been in the patching business quite a while; I test and deploy patches that are applied to an enterprise of over 10,000 nodes, and I have yet to see consistent strings of patches that break computers. I do, however, see occasional problems come up on individual systems. I am telling you the same thing that I preach time and time again: Do some troubleshooting, find out if it is an isolated problem or a widespread problem, and call the vendor and get the problem documented.





The other thing that I am absolutely sure has to be made clear is that the nature of the majority of the attacks in recent history relies on luring users to bad web sites or opening infected emails to expose themselves to the risk. Most of the time, you aren’t in danger of the flawed code on your computer being exploited unless you do what the attacker wants you to do to unleash the attack. The attackers have gotten too lazy to make their attacks “wormable” – and why should they? Why go to the trouble to write the type of code needed to make computers proliferate the attacks, when they can rely on security-unaware users to do it for them? All those emails with attachments that you blindly pass on to all your friends, and all those emails with links that you blindly follow: did you ever once stop to think about whether or not they contain potentially harmful content? This is why, in my humble opinion, much of the blame for the proliferation of harmful code rests squarely on the shoulders of the people clicking the mouse buttons.



So to summarize – I will say it again: Given enough time, the bad guys will find and exploit flaws in anything. This problem is not limited to Microsoft. It is just that Microsoft has the largest market share and will earn the attacker the most press time. This summer, I have seen patches come out for Microsoft products, UltraVNC, Symantec antivirus, McAfee antivirus, Firefox (multiple), Intel/PRO wireless network card drivers, as well as a few other products. So don’t blame Microsoft – blame the bad guys, and blame yourself if you’re not keeping your systems patched. You can also give yourself a little of the blame if you are blindly clicking on the email “Forward” button or those links in your email when you don’t know what they are or where they came from.


