This week Microsoft released the first hotfix for the Windows Server 2003 family -- MS03-020. This hotfix addresses a security issue with Internet Explorer Versions 5.01, 5.5 and 6.0. The exploitation of the named vulnerability grants the attacker the ability to run code on the victim's computer. Microsoft has assigned a rating of critical to this issue. Thus, while the vulnerability is not focused on the core elements of Windows Server 2003, it does reveal that Microsoft's new flagship network operating system still has a few kinks.
What I find most interesting about this hotfix is the propaganda around it. Microsoft claims that the presence of a hotfix for Windows Server 2003 is proof that the Trustworthy Computing initiative is working. Well, I guess in a way that is true. But only in the sense that they issued a patch quickly after discovering the problem. I also see this hotfix as a sign that the efforts behind Trustworthy Computing have not been as extensive as we were led to believe. The presence of such a basic flaw in a commonly used tool, namely Internet Explorer, shows that the code review was not as detailed or thorough as it should have been or was claimed to have been.
I'm not saying that Trustworthy Computing is a flop. But I am saying that we as a technical community should not place our hopes for security on Microsoft or on any single vendor; especially if they have a track record of releasing products with problems and spinning the information about those problems to place themselves in a better light.
About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
For more information, visit these resources:
