Software development is a much different animal than it was 20 years ago. Today’s programs rely on interprocess communication and shared memory, and they often run to tens of millions of lines of code, compared with the few kilobytes that decades-old programs occupied.
As program size has increased, so has the number of security flaws. In the latest disclosure by a major vendor, Microsoft (Nasdaq: MSFT) on Wednesday announced a flaw in the SmartHTML Interpreter contained in Microsoft FrontPage Server Extensions that could allow a hacker to run malicious code or carry out a denial-of-service attack.
This alert follows a string of publicized security flaws in other Microsoft products, including Windows and Word. But analysts said that despite media hype, Microsoft is doing no worse than other leading software vendors.
“Microsoft’s flaw rate is actually much less than others, but because they are such a big company, they seem to have a lot of arrows shot at them,” Aberdeen Group security analyst Jim Hurley told the E-Commerce Times.
Spreading the Bugs
The Federal Bureau of Investigation (FBI) and the CERT Coordination Center list bugs and vulnerabilities in many vendors’ programs, including Sun, Hewlett-Packard and IBM. Open source software is also at risk. For example, Linux seems to be an increasingly popular target for hackers. The FBI’s bug tracking report lists many security flaws in the open source operating system.
“The bug list for Linux is going through the roof out there. I don’t know what’s happening right now,” Hurley said. “It may be that a lot of the hackers have decided to go after Linux.
“Other companies, like HP, will surprise you in terms of the number of bugs that are tacked against their products,” he added. “What’s even more surprising is their inability to deliver a fix … months later.”
Beyond representing an easy target, Microsoft has exacerbated its problems by shipping products with security features turned off by default. “Part of the problem for Microsoft over the years is that they’ve focused on convenience, convenience, convenience in integration,” Hurley noted.
Now, though, Microsoft is addressing the problem. Chairman Bill Gates has made security one of the company’s top priorities with a “Trustworthy Computing” initiative that addresses ongoing security needs. As part of that push, the software giant spent about US$100 million in early 2002 retraining its software developers to write secure code. But despite that effort, which delayed development of Windows products for months, flaws still exist.
“Microsoft has probably gone through a huge learning experience in terms of identifying a problem and being able to tighten the nuts down, even just internally on their own systems,” said Hurley, noting that this learning curve will continue throughout the entire industry.
Overall, though, Microsoft’s woes have less to do with the company’s security efforts and more to do with the state of software today, said Hurley, noting that security is a never-ending battle for software vendors.
Security incidents have become a pressing problem only in the last decade; before then, they were far less common. Just six incidents were reported to the CERT Coordination Center in 1988. That number leaped to 132 by 1989 and has been growing exponentially ever since.
By 1999, the number of reported incidents reached nearly 10,000 — and during the first and second quarters of 2002, CERT reported incidents skyrocketed to more than 43,000.
“The process of checking for security flaws and testing it is actually a new science,” said Hurley. “It’s not something where there’s an awful lot of expertise.”
One of Microsoft’s biggest challenges now, according to analysts, is streamlining its update procedure for customers who do not have time to deal with the constant fixes that are common in today’s software environment.
Microsoft and HP executives could not be reached for comment.