Peril in Microsoft’s Laxity
Microsoft’s announcement Tuesday that it will warn consumers about a “critical” problem in its Windows software -- more than six months after it learned about the flaw -- illuminates the danger of leaving national cyber-security largely unregulated and unwatched.
Microsoft says it waited to publicize the security flaw because it wanted to ensure that a single, downloadable update would solve any related problems. Its “patch” is now available at www.Microsoft.com/security/.
But computer security experts such as Marc Maiffret, whose company, eEye Digital Security Inc. of Aliso Viejo, discovered the flaw, deride the half-year delay between eEye’s discovery and Tuesday’s disclosure as “just totally unacceptable” because it left hundreds of millions of computer users vulnerable to hackers eager to break into their computers and steal their files, delete their data or filch their financial records.
It isn’t easy to find and fix flaws in the millions of lines of coding that make up Windows. In a Times interview Wednesday, Maiffret compared the struggle to “trying to weed 1,001 needles from a haystack.”
Moreover, Microsoft understandably doesn’t want to tip off hackers that certain lines in its coding are particularly vulnerable to abuse. There’s no excuse, however, for Microsoft’s failure to find some responsible way of promptly alerting its customers when such serious flaws are found.
A delay of this kind would, after all, expose a manufacturer of cars or other vital consumer products to potentially crippling lawsuits. Individual users of newer Microsoft operating systems such as Windows XP can and should enable their PCs to automatically fix their software with updates as soon as the company posts them. But because large companies cannot easily update computers in their internal networks, or “intranets,” Microsoft should, at the very least, promptly disclose possible software flaws to those companies’ information technology managers.
On Feb. 23, Microsoft Chairman Bill Gates is expected to face thousands of computer security experts at San Francisco’s Moscone Center and tell them that his company is doing everything possible to bolster cyber-security. They should realize, however, that Gates’ boyish charm alone will do little to protect their data.