New security problems in core Microsoft Corp. products were discovered last week, but enterprise users say security in Microsoft products is adequate, at least for the modest roles the products often play.
Last week's bug and virus collection included the following: an Internet Explorer hole that allows scripts running in frames to make files on a client machine readable to the Web server; a Windows NT virus called WinNT.Infis that mimics a device driver and disables applications; two new strains of the Windows-only Melissa virus; and a hole in Microsoft's Java virtual machine.
Despite the constant drumbeat of such reports, only one in 12 users in a Computerworld survey of 75 information technology managers said they have had a costly security problem with Microsoft products. On the other hand, one in five said they have refused to use a Microsoft product because of security concerns.
Two-thirds of the users said they are satisfied with how fast Microsoft issues security alerts and fixes, and 93 percent said their network managers install the fixes effectively.
At Carlton Cards, the retail division of American Greetings Corp., Information Systems Vice President George Purdy said he's not only satisfied with the security of Microsoft's products but would trust them to run a potential extranet in which the company shares data and collaborates with suppliers.
"Up to this point, we have had no security problems," he said. The company's departmental servers run NT, and its desktops run Windows 98. But the company's more critical data resides on IBM AS/400s.
Many users are satisfied with Microsoft's security because they are likely giving it modest roles, said analyst Carl Howe at Forrester Research Inc. in Cambridge, Massachusetts. For the highest-end roles such as data centers, he said, NT's security isn't sufficient.
At New York Life Insurance Co. in New York, the intranet and desktops run on Microsoft software, but nothing more critical than that, said Jim Kennedy, director of computer operations. He said his satisfaction with Microsoft security is "50-50." Microsoft Office 2000 makes it easier to clamp down on Macro viruses, he said, but the constant discovery of holes in Internet Explorer is bothersome.
When asked about fixing flaws, Microsoft's answer to users has been for them to upgrade. But at last week's Gartner Group Inc.'s symposium in Lake Buena Vista, Florida, the U.S. Department of Agriculture's CIO, Anne Thompson Reed, refused that answer.
"What do we do with what we have now?" she asked. Microsoft President Steve Ballmer could only respond that the company is working to make software a service that is capable of patching itself.
After products are released, Microsoft jumps "as quickly as humanly possible" on reported bugs, said Microsoft Security Product Manager Scott Culp. The company investigates about 10,000 messages per year sent to the security@microsoft.com address.
In the case of last week's Internet Explorer hole, Culp said, the company posted an alert and a work-around within six hours of receiving the first report. As of Thursday, however, no patch had been posted.
Windows faces other barriers to improving security, said Howe. Source code is reviewed by few outside Redmond, and all Microsoft patches must be tested in far more hardware and application environments than those of Unix and mainframe vendors.