There is no such thing as perfect software, but there is such a thing as the well-timed response. There has been much talk recently about the latest “critical flaw” in a Microsoft product. But the company has already released patches for the potential security hole.
According to Microsoft, the flaw would have allowed hackers to break into a computer through the operating system and snoop on sensitive data. So once again the world’s media went into a feeding frenzy about how evil the Microsoft empire is. In fact, the real story is that the news of the flaw was published in a Microsoft Security Bulletin (designed to provide techies with access to critical security information) — and flaws are published in these bulletins only once a patch has already been developed.
There is no doubt that Microsoft software is not perfect. Last year CEO Steve Ballmer admitted this. He said the company had a lot of work to do in the area of security.
But it is also the consumer’s responsibility. According to Colin Erasmus, technology security manager at Microsoft South Africa, people just don’t update their software.
There are a number of ways in which security flaws are found and exploited. Often security researchers for Microsoft send the potential flaw to the development team, providing them with enough time to patch the hole. Anti-Microsoft researchers find the code, leak it to media and make a meal of it. Virus-writers find the flaws, package them in a virus and send them en masse into the consumer forum.
But why is the software not stable from the word go? And why do we have to pay extra money to ensure that our systems are secure? There is no such thing as perfect software. Unlike motor vehicles, software is not a complete product. It is created in response to the needs of consumers and, in order to be competitive, is released rapidly into the market. It can take a year of using a program to discover what its flaws are.
But according to Erasmus, it’s the consumer who needs to be educated, and Microsoft is fighting an uphill battle. Sometimes security patches are available for download almost a year before the virus-writers actually manage to write a virus — yet people don’t download them.
It isn’t always easy for consumers to obtain these patches, even if they exist. The software company does not have a South African site from which to download software.
You have to pipe into an overloaded United States site, and if you are a consumer using dial-up to download a 30MB patch, you may as well mortgage your house to Telkom.
So what is the company doing to rectify the fact that its products have security flaws? Erasmus says organisations need to set up a site server to download patches overnight. These can then be installed on individual machines during the day.
Or, for single-PC users who simply cannot download large patches, a CD containing all of these updates will soon be available to order online, free of charge. Thereafter users will only be required to download smaller patches.