Microsoft's Latest Security Failures on the Web
- Dr. Roy Schestowitz
- 2010-01-11 11:28:04 UTC
- Modified: 2010-01-11 11:28:04 UTC
Summary: Windows malware, Trojans and worms on the wire blamed on poor infrastructure of IIS
"Can Microsoft help government agencies improve IT security?"
That's the question asked here (a Windows-oriented Web site), right after a Microsoft veteran managed to become the Cyber Security Czar in the United States. But Microsoft has an appalling record when it comes to security. Even on the Web, where Windows is a minority, Microsoft servers tend to get compromised. Last week we wrote about the IIS flaw which had made headlines since around Christmas. "Flaw in Microsoft’s IIS Enables Malware Execution," says this one source, whereas Microsoft's side of the story can be seen too [1, 2]. Microsoft insists that only particular configurations leave the servers vulnerable. But still, why should they be left vulnerable? The question is not how seriously vulnerable those servers are made but why they were made vulnerable in the first place. Shoddy design and coding perhaps?
Here is one of Microsoft's vital Web sites going offline for over a week!
As we reported last month, Microsoft's volume licensing websites were yanked offline for over a week while the software giant tweaked its service in a move to "improve the licensing management experience" for the firm's users.
There's also this in the news:
An aggressive spear phishing email campaign inviting recipients to “apply a new set of settings” to their mailboxes because of a recent “security upgrade” of their mailing service.
To be fair, phishing is not a Windows problem, but repositories in GNU/Linux usually establish a web of trust that keeps malicious intervention out. Microsoft has a lot to learn from UNIX and Linux (UAC being a recent example).
"It puts the Linux phenomenon and the Unix phenomenon at the top of the list."
--Steve Ballmer, 2001
Comments
Dennis Murczak
2010-01-11 16:10:14
Unix on the other hand grew up in a client/server world over the course of 40 years, and Linux inherited its most important concepts. It can be trusted to perform very solidly at multiuser networking. Fortunately, the majority of admins understands that.