Microsoft's open book heralds short-term pain

Microsoft's decision last week to let everyone snoop through its software secrets means vulnerabilities and exploits will almost certainly climb in the short term, security researchers have said.


What researchers did agree on, however, is that Microsoft and open source code will be made stronger. "Opening up these protocols is a very positive step," said Huger. "The more eyes on [Microsoft's products], the better." He cited SQL Server as an example. "It had the most vulnerabilities last year of any commercial database, so scrutiny will do nothing but good for its security."

Storms put it differently. "By opening up, Microsoft has gained thousands of free programmers," he said.

Huger assumes, as do Storms and Reguly, that most researchers will report any vulnerabilities they find while sniffing through the documentation, and give Microsoft a chance to patch the flaws before they're disclosed. But Storms also sees another way the protocol and API docs will boost the security of Microsoft's software, and some open-source projects at the same time.

"Some of the additional security will come out of the open-source space. As Samba implements [the protocols and APIs], for example, they'll start finding bugs in how things are supposed to work, as opposed to how they really work," said Storms. Microsoft's patching those vulnerabilities not only secures its code, but also helps secure the open-source software that uses the protocols and APIs to bake in interoperability.

Open-source advocates have dismissed Microsoft's moves as all hat and no cattle. But Storms, Huger and Reguly see a much bigger upside and some real benefit for users -- especially Windows users.

"I think it will be better for everyone," said Reguly. "In the short term, advantage to the bad guys. But this will result in better open-source software and a lot of security improvements."

"Recommended For You"

Microsoft to patch Word critical security flaw next Patch Tuesday Microsoft issues major security update for Windows and IE