The latest flaw with a major Microsoft product shows Redmond is unlikely to have anything that approximates to secure software until 2004 at the earliest. That's the damning assessment of analysts Gartner in response to a serious, but little publicised, vulnerability with FrontPage Server Extensions that emerged last week.
The vulnerability could be used in a denial-of-service attack or possibly manipulated to run arbitrary code on vulnerable servers. MS has released a patch to fix the problem, which stems from a buffer overrun flaw in the SmartHTML Interpreter component of FrontPage Server Extensions.
That's nothing particularly out of the ordinary, Gartner sagely notes, but it does provide evidence that "Microsoft has a long way to go before it can deliver on its much-publicised promise of Trustworthy Computing". Gartner Research Director Rich Fogull forecasts that, "due to legacy code and resistance to cultural change, Microsoft will not deliver necessary security improvements before 2004".
The assessment is noteworthy because it was Gartner's view that it was time to consider an alternative to IIS, in the wake of worms like Nimda and Code Red, that caused Microsoft to formulate its Trustworthy Computing push in the first place. In fairness, security is an issue for the whole industry, and Microsoft is always a prime target for miscreants. That's the territory that goes with being the world's biggest software company.
News source: The Reg