Sunday, December 2, 2007

Former Microsoft Security Strategist Says Microsoft Does Not Report All Security Issues

Respected security strategist Window Snyder, presently Head of Security Strategy at Microsoft and formerly senior security strategist at Microsoft and security lead and signoff on Microsoft Windows XP Service Pack 2 and Windows Server 2003, has mentioned that Microsoft does not publicly report security issues found internally. Rebutting the study comparing IE security to Firefox by one of the directors of security at Microsoft, she stated in her blog that:
"One of the goals of the bug counting report is to demonstrate that Microsoft fixed fewer bugs for IE than Mozilla did for Firefox. Unfortunately for Microsoft (and for anyone trying to use this report as analysis of useful metrics) he does not count all the security issues... He counts only the public issues, because that is all Microsoft will tell us about... the set of issues that are available for public comparison is limited to the set of vulnerabilities that are reported externally AND fixed in security updates.

This is a small subset of all the vulnerabilities, because the vulnerabilities that are found through the QA process... are fixed in service packs and major updates."

This, coming from a former Microsoft security strategist, is a big deal and confirmation that all the studies coming out of Microsoft comparing the security of their products with their competitors' are just hogwash.

She also says that Microsoft is worried that if they publicly release X updates, the world will focus on those X updates, not on the fact that they are now fixed and no longer a risk.

This actually leads to some questions for our mainstream technology media. Why is counting bugs actually important? I am no supporter of Microsoft, but why are they vilified at every opportunity for fixing bugs? Fixing bugs is essential, and all vendors do it. Perhaps if our attitude to bug counts changes, Microsoft will become more open in this regard. OK, Microsoft are prats, but to some extent the media, in search of a good story (and nothing sells like bashing a giant), are also to blame.


td said...

That was very enlightening, sir. I need to learn more from you. td.