The Real State of Microsoft Security

David Tan
Microsoft today issued a new advisory in response to a vulnerability that was discovered in Internet Explorer. With the eyes of the technology world on the RSA Conference 2010 this week, and everyone focused on information security, it seemed like a good time to step back and evaluate the state of Microsoft Security and try to figure out just how it has been doing.

Microsoft is the poster boy for anger and frustration over everything from spyware to viruses to identity theft and data leakage. And with good reason. Security was probably last on its list as little as six or seven years ago when it designed software. That has all changed drastically, however, and users have felt the effects in everything from the product lifecycle (remember when Microsoft spun out new versions every 18 months?) to usability (when's the last time you used your computer without having to explicitly give permission to do something?). We're feeling some pain, but do we get the benefits?

Take a quick look at today's notice. The vulnerability is actually in Internet Explorer, the Web browser, not the OS. Even so, it only affects Windows 2000 and XP. Microsoft has shown the vulnerability to not exist in Vista, Windows 7 or Server 2008. That should make you feel slightly better about the state of Windows and the security of your data. Unfortunately, not every report is so good.

In November of last year, Microsoft confirmed the existence of the first known vulnerability in Windows 7. In short, a flaw in SMB (Server Message Block) shares allowed a malicious piece of software to remotely crash your computer. Now the impact wasn't terrible, because it only crashed the machine instead of remotely controlling it, and it only worked over ports that are generally blocked by a firewall, but the bottom line is that about a month after release, there was a known, remotely exploitable vulnerability for Windows 7 in the wild. I thought we were past all this!

Microsoft leveraged its Secure Development Lifecycle (SDL) throughout the course of building Windows 7. It has paid dividends. There have been far fewer vulnerabilities and exploits reported in Windows 7 since its release. The February 9th patch release from Microsoft contained 13 security updates, tied for the most ever. Only five of them affected Windows 7 or Server 2008. Eight affected Windows XP and nine affected Windows 2000. So the numbers bear it out; things are getting better, but it's not perfect yet.

The biggest risk today remains user and administrative error. Properly managed systems that get configured correctly and get updated regularly are much more secure than the alternative. By the same token, users are their own worst enemy, going to Web sites and clicking OK to warnings without reading them, which is the most dangerous behavior of all. No development lifecycle or patch management process will improve that.
