Vulnerability Two-Step
As a security vendor, Microsoft stands to gain from the vulnerabilities it creates
June 16, 2006
I'm not a conspiracy theorist. But am I the only one who's disturbed by the fact that Microsoft is now making money selling security software?
During Patch Tuesday this week, Microsoft issued patches for more than a dozen Windows vulnerabilities discovered over the last month. (See Microsoft Prepares to Patch Things Up.) And those vulnerabilities were only the ones that were found before the patches were issued: Even as I write this, several highly ethical security researchers are just now revealing information about vulnerabilities that they identified earlier in the month, but held back from disclosing until patches were available.
The fact is that Microsoft is the cause of most of our security problems. I know, I know, a lot of these problems are not the software giant's fault – Microsoft is a primary target for attackers because its products are so ubiquitous. But there's simply no denying that most of the major vulnerabilities in enterprises today are the result of loopholes and flaws in Windows and its applications.
That's why it seems wrong somehow that Microsoft chose this week to launch its paradoxically-named "Forefront" line of security software products, which will put the vendor squarely in competition with top players such as Symantec and McAfee. (See Microsoft Moves Security to 'Forefront'.) Bill Gates's company, which long has conceded the security market to third parties, will now be throwing its considerable weight behind antivirus, email security, and PC services products that can't help but be noticed by its largely captive audience.
So Microsoft, the creator of most of our security problems, is now selling the solutions to those problems. Do you see my conspiracy theory? It's sort of like a restaurant making money by serving rotten food, and then raking in extra profits by selling Pepto-Bismol afterward.
This sort of "conspiracy" (it's not, but I don't know what else to call it) is not unprecedented in the IT industry. For years, Cisco dragged its feet on network management and traffic optimization schemes because network complexity caused many enterprises to simply buy more bandwidth and bigger routers to ensure good performance. Before that, IBM created complex and expensive software that took lots of cycles to operate, stimulating the market for its own hardware. You could argue the ethics of these strategies, but they were hugely effective in the market.
So does Microsoft now have an incentive to create products that are more buggy than ever? As I said, I'm not a conspiracy theorist. I don't believe that Microsoft would send a memo to its Windows developers and ask them to leave in a few vulnerabilities that its security software could fix. I don't think any company that cares anything about quality could stoop that low.
— Tim Wilson, Site Editor, Dark Reading
Companies mentioned in this article:
Cisco Systems Inc. (Nasdaq: CSCO)
IBM Corp. (NYSE: IBM)
McAfee Inc. (NYSE: MFE)
Microsoft Corp. (Nasdaq: MSFT)
Symantec Corp. (Nasdaq: SYMC)