Gartner Blasts Microsoft on Security
- By Scott Bekker
Microsoft Corp.'s recall of its Internet Explorer security patch last week prompted analyst John Pescatore of Gartner
to direct more withering criticism at Redmond. Pescatore came to prominence last year for his notorious bulletin advising IT managers to consider replacing IIS Web servers with Apache due to security concerns.
The latest Pescatore missive, a Gartner FirstTake issued Wednesday, is called "Microsoft Must Plan -- Not Patch -- for Software Security."
Pescatore's bulletin is pegged to Microsoft Security Bulletin MS02-005, which includes patches for six new IE problems, three of them critical, and also rolls together all current fixes for IE. (See story).
According to the Gartner bulletin, Microsoft announced the patch on Feb. 7 but had to withdraw it until Feb. 11 due to an error in the patch.
"The problems with the latest major Internet Explorer patch shows that Microsoft has made security promises it cannot yet keep," the bulletin alleges.
The promises Gartner cites are an October 2001 vow from Microsoft senior vice president for Windows Brian Valentine that Microsoft would do "whatever is necessary to ensure the process is complete" and the Bill Gates Trustworthy Computing memo of January.
The Gartner bulletin discounts the code review Microsoft has been conducting in February, as well.
Security cannot be “tested” into software; it must be a high priority from the start — during requirements analysis and product planning," the bulletin says. "Microsoft would also do well to order its product management and marketing personnel not to hype the company’s newfound 'security focus' until they can point to some concrete results."
Scott Bekker is editor in chief of Redmond Channel Partner magazine.