From a recent ZDNet Computer Security Newsletter:
It seems like Microsoft is determined to stuff a BASIC interpreter into every piece of software it writes, even when it makes little sense to do so. No one in their right mind would want to allow people to run programs attached to e-mail messages, but VBScript does just that when you click an e-mail attachment in Outlook or Outlook Express.
It's possible that this idea made sense at one time, before the threat of viruses and worms became so high. But now VBA [Visual Basic for Applications] is simply an unwise feature to have, and using it isn't worth the risk. Average users don't benefit from VBA; it only exposes them to undesired threats.
As soon as the world became obsessed with the idea that writing software was simple, a lot of people who really had no business writing software suddenly became programmers.
Don't bet that the so-called professional programmers at Microsoft are going to make their software any better in the near future. The kids writing exploits are beating the pants off the pros daily, and they'll continue to frustrate Microsoft--and the rest of the world--until Microsoft changes its design philosophy.
From Reuters:
LOS ANGELES/SEATTLE, Oct 2 (Reuters) - Microsoft Corp. (Nasdaq: MSFT) faces a proposed class-action lawsuit in California based on the claim that its market-dominant software is vulnerable to viruses capable of triggering "massive, cascading failures" in global computer networks.
The lawsuit, filed on Tuesday in Los Angeles Superior Court, also claims that Microsoft's security warnings are too complex to be understood by the general public and serve instead to tip off "fast-moving" hackers on how to exploit flaws in its operating system.
From CRN:
A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security.
The group, which debuted its report at the first day of a two-day conference hosted by the Computer & Communications Industry Association (CCIA), was headed by Dan Geer, the chief technology officer of @Stake, a security consulting firm.
"As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still," said Geer.
"Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over," Geer added.
Dan Geer was fired the next day: @Stake gets a lot of business from Microsoft.