I’m not sure that I totally agree with MS simply being the lowest hanging fruit. The numbers are there, granted, but I’m of the opinion that MS is targeted more for their shaky foundation than anything else. Vista has finally seen the implementation of some sort of privilege separation, which they’re calling User Account Control (UAC). It’s 2007! What took so long?! Every single system I, as the family geek, have been asked to “fix”, has been due entirely to the absence of privilege separation. Why should my mom be running as the administrator? There’s really no need.

In order to keep malware at bay, I tried to put this idea into play on WinXP system’s I’ve touched. However, there are still applications out there which expect to run with administrator privileges and balk if run without them. Now we’re back to that shaky foundation.

I also strongly disagree with the notion that MS releases security fixes on a timely basis. The current server DNS exploit is a decent example. The advisory was issued Apr 12, the fix is planned for May 8 (there are workarounds, I know). MS is a gargantuan organization, and I’m sure that they moved to these monthly security rollups as a consequence of the process they need to run through to get the fix QA’d for all their products, etc. Regardless of the reasons for the delay, I think a month is a long time.

Last year, I believe an IE exploit went unpatched for almost two months when MS skipped one of the monthly security releases. IMHO, that was a greater sin than the DNS issue, due to IE’s install base. I don’t remember what the specific vulnerability was and I don’t really feel like looking right now, but I remember being relieved that I wasn’t running an MS operating system.

To sum up, I think MS does hold value to someone, somewhere. Just not for me. And judging by the experience of my family and friends, it could do with a long overdue kick in the pants, security-wise. Let’s hope that’s what Vista represents.

I’m not holding my breath, though.

-sr