Gartner Blasts Microsoft on Security

Microsoft Corp.'s recall of its Internet Explorer security patch last week prompted analyst John Pescatore of Gartner to direct more withering criticism at Redmond. Pescatore came to prominence last year for his notorious bulletin advising IT managers to consider replacing IIS Web servers with Apache due to security concerns.

The latest Pescatore missive, a Gartner FirstTake issued Wednesday, is called "Microsoft Must Plan -- Not Patch -- for Software Security."

Pescatore's bulletin is pegged to Microsoft Security Bulletin MS02-005, which includes patches for six new IE problems, three of them critical, and also rolls together all current fixes for IE. (See story).

According to the Gartner bulletin, Microsoft announced the patch on Feb. 7 but had to withdraw it until Feb. 11 due to an error in the patch.

"The problems with the latest major Internet Explorer patch shows that Microsoft has made security promises it cannot yet keep," the bulletin alleges.

The promises Gartner cites are an October 2001 vow from Microsoft senior vice president for Windows Brian Valentine that Microsoft would do "whatever is necessary to ensure the process is complete" and the Bill Gates Trustworthy Computing memo of January.

The Gartner bulletin discounts the code review Microsoft has been conducting in February, as well.

Security cannot be “tested” into software; it must be a high priority from the start — during requirements analysis and product planning," the bulletin says. "Microsoft would also do well to order its product management and marketing personnel not to hype the company’s newfound 'security focus' until they can point to some concrete results."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.