
Don't Be Too Quick to Trust Microsoft's Security Promises

When Microsoft Claims Your PC Is Now Secure, Don't Drop Your Guard

I know this isn't very likely to happen, but Microsoft really ought to consider putting a label on its boxes of Windows XP: WARNING: MICROSOFT'S TESTS HAVE DETERMINED THAT FOLLOWING OUR INSTRUCTIONS IN THE USE OF THIS PRODUCT WILL PUT YOUR COMPUTER AT SEVERE RISK.

Windows XP is Microsoft's most current operating system for folks like you and me. Recently, I spent $300 buying it to install on a PC I had just put together. I wanted to run a personal Web site, and I assumed that for my money, I was going to be getting the best security the world's biggest software company could offer.

And in a weird way, that is what happened.

Windows XP took just 20 minutes to install -- no complaints about that. My Windows installation was exactly like yours would be, with one exception. I also loaded Internet Information Services, or IIS, a separate Windows component that would allow me to use my computer as a Web server.

Then, just as Microsoft tells all its users to do, I went online and downloaded the latest Windows "patches." (In Internet Explorer, go to "Tools" and then "Windows Update.") These patches fix problems discovered since the time Windows itself was finished; it's important to keep your patches up to date, lest viruses and the like find a perch in your computer.

The fact that Windows needs patching is not, in and of itself, particularly disturbing; all modern operating systems experience occasional hiccups. Of course, most outsiders say that Windows needs patching far too often. In fact, the growing hostility to Microsoft inside big companies is mostly a result of IT staffs having to spend so much of their time installing patches to keep their Windows PCs secure.

As it turned out, I spent twice as long downloading all the requisite patches as I did installing Windows in the first place. Nonetheless, once the job was done, I had a fully patched, and thus totally secure, version of Windows.

Wouldn't it be lovely to think so?

Since I was going to be using this computer on the Web, I wondered what other security tools Microsoft might provide. On the company's Web site, I found something called Microsoft Baseline Security Analyzer, or MBSA, which scans a PC for security vulnerabilities.

I had never heard of the product and couldn't imagine why I would need it, as all my Windows patches were current. But I thought it would be cool to run, so I did.

The very surprising result: Far from being completely secure, my brand new, thoroughly modern Windows installation was in fact at "severe risk." The most serious potential problem involved three flaws in the Internet Information Services -- the sorts of things a bad guy could exploit to do his own bidding.

I consider myself reasonably well-informed about these things. I had assumed, mostly because Microsoft itself keeps repeating it, that the Windows Update page was the one place to visit to keep Windows free of security glitches. I only discovered MBSA on a lark. Had I not stumbled on it, I would still be using a version of Windows with a security hole Microsoft itself describes as "severe."

It is a bit like your auto dealer assuring you after all the factory-approved tests that your new car is in fine condition, only to have the parking-lot attendant whisper as you drive out of the lot that your brakes are about to fail.

I fixed the three problems with IIS. But then, something else very peculiar happened with MBSA. It told me that two of my other patches, involving separate parts of Windows, were out of date. Quick, it said; go back online to Windows Update to get the latest ones.

But I had just been to Windows Update, and it had just given me the all-clear signal. I returned to Windows Update, just to double check. All my patches were fine, it said again. I reran MBSA. Two of your patches are out of date, it repeated; please go to Windows Update.

Mr. Kafka, meet Mr. Gates.

The moral of the story isn't that I had an unsafe computer; the risks I was encountering were, in fact, probably small.

Instead, it is that despite innumerable speeches by Mr. Gates about how security is now Job One at Microsoft, I was able, with a plain-vanilla installation of the company's flagship product, to find, without even trying, holes both large and small in the system that had been put in place to guarantee that product's security.

It doesn't exactly inspire confidence in the company's overall abilities in this area, does it?

When I brought all this to Microsoft's attention, the company essentially copped to what I had discovered and was profuse in its mea culpas. It said a sort of super patch for Windows XP, called Service Pack 2, would be coming out this summer and would deal with many of the problems I encountered.

Then this: "The kind of experience you had is unacceptable," a representative said. "I don't think we should pretend otherwise. Security is a top priority for us, and we understand our customers are looking for fast action. We are working very hard to address that."