Microsoft has always walked what I think is a perilous path on security. Put simply, Microsoft often improves the security of its most recent products only, and then sells that as a benefit of upgrading. It's kind of insidious when you realize that the message here, put a bit differently, is that the old version we sold you last year is now less secure ... So it's time to upgrade!
Obviously, there are architectural reasons for some of this differentiation. Windows Vista, for example, includes low-level changes that affect various security features, like Internet Explorer (IE) Protected Mode, Address Space Layout Randomization (ASLR), and User Account Control (UAC), features that would be difficult if not impossible to implement identically on previous Windows versions. Time marches on.
Another truism of this evolution is that, to the average user, what we think of as Windows extends well beyond the realm of what Microsoft includes in the box, so to speak, with its OS. I can't even count the number of emails I've gotten from readers wondering which version of Windows includes Microsoft Word, or slightly less alarmingly, whether you specifically need Office XP if you're running Windows XP.
Looked at in a different way, when something goes wrong in Windows, even when it's not necessarily the fault of Windows, or even the fault of Microsoft, it is of course Windows and Microsoft that users blame. Microsoft has worked with its partners over the years to create automated systems in Windows aimed at determining which software is the most problematic, and the results of these systems provide the software giant with the tools it needs to prioritize bug fixes, both within and outside of Windows.
This past week, Microsoft announced a new initiative that extends this line of thinking to security. After all, when a users' PC is exploited, they will invariably blame Windows--and, yes, Microsoft--even if the user or a third party application is at fault. Somewhat fittingly, Microsoft announced this initiative at the Black Hat conference, a Las Vegas security carnival at which security professionals, government types, and underworld hackers mix and mingle in a demilitarized zone (DMZ) of sorts.
"It's becoming ever more apparent \[that\] no company can tackle this issue of security alone," Microsoft's Andrew Cushman notes in a post to the company's Security Response Center blog. "Collaboration across borders, and across segments, is imperative to help improve the broader security ecosystem." More specifically, Microsoft is formalizing the process for alerting developers when their Windows applications are found to have security problems. Through its new Microsoft Vulnerability Research (MSVR) program, the software giant will work with its many partners to "identify, resolve and mitigate vulnerabilities," wherever they may occur. It expects the collaboration to be two-way.
To be fair, Microsoft has engaged in this kind of work for some time, but it's never really publicized it until now. What's changed is that the company is now being open about the process, which should increase participation. The end result, presumably, will be better written software with fewer vulnerabilities. And heck, you might not even have to upgrade to a new version to realize the benefits. What a concept.
