Microsoft's a big target -- the vendor takes a lot of heat for poor products or a lack of responsiveness. While some of that criticism has been true and even warranted over the years, let's give credit where it's due: Windows XP SP2 turned out to be vastly better from a security standpoint than any previous version. In fact, Microsoft-based enterprises have improved their security so much that even Symantec reports the attack vectors have shifted to employees' homes.
More often these days, exposures come from security research firms that "discover" a potential attack vector that was lying dormant and might otherwise never have been found. It's these discoveries, not actual attacks, that are driving both the perception of Microsoft's security "problems" and the frequency of patches. Now, this doesn't mean you should relax -- on the contrary. But it does mean that the vendor of any popular platform will need the resources to respond to these potential vectors as they surface.
Security firms have learned that their practice of rigorously exposing potential vectors of attack drives revenue. While no one's suggesting they've plumbed the depths of Internet Explorer or Outlook just yet, they are nonetheless already targeting Apple and Linux platforms.
Companies the size of, say, Hewlett-Packard may enjoy an advantage with Linux, since they would be able to step up to this challenge. Apple, to me, seems far too much like the Microsoft of the late '90s and is not taking the threat seriously enough.
The old Microsoft would never have survived what the current Microsoft is overcoming daily, in terms of the frequency and types of attacks. At least as it relates to security, Microsoft has indeed changed.
Vista, IE7, and the SP1 Tradition
Executives often set policies, many unofficial, which are then followed forever regardless of changing conditions. When I speak on this subject I like to compare companies to the British Army in the Zulu war. The British had by far the better weapons but were outnumbered; with their rifles they could easily have won, but a policy focused on cost containment made it impossible to get ammunition quickly to where it was needed. Rifles without bullets turned out to have little advantage over spears, and the British lost badly at Isandlwana. Policies need to be re-evaluated consistently because they become obsolete.
One of the existing policies we seem to be stuck with now is not to deploy any new operating system before SP1 (or SP2 in some cases). This rule has its roots in the early days of computing, when the first release of a product was more like a beta test and needed a couple of revisions before it was actually ready for production use.
Now, before I get the typical "Oh my god, he's shilling for Microsoft" response, I realize that nobody included Vista deployments in their 2007 budgets, and you probably won't be able to deploy Vista before SP1 now anyway. What I'm suggesting is that it may be time to revisit the SP1 policy itself. Why? The security risk of running old software is now greater than the reliability risk that created this policy in the first place.
Think back to Windows 2000 -- does anyone want to argue that it was less secure or reliable than Windows ME or Windows NT 4, even when those older OSes were fully patched? Windows 2000 was better than either of those turkeys, particularly if you were on NT and had a notebook computer (NT 4 had no plug-and-play and no ACPI power management). At its launch, Windows XP was effectively a comprehensive Windows 2000 patch.
In the last couple of years you may have noticed that a patch for an older OS tends to be rated "critical" while the same patch for the current version is rated "important," or doesn't exist at all because the current version was never affected. That alone suggests that being on the current platform can have large support-cost benefits, and that being more aggressive is the more secure path.
This appears particularly true of IE7, which addresses a vast array of IE6 security problems and oversights. Given the level of testing it received and the absence of any truly major problems since launch, it feels more solid than the second or third release of earlier versions of IE.
Not Just Microsoft
This doesn't just apply to Microsoft. Products from companies like Oracle, IBM, and EMC are vastly more capable at initial launch than they used to be and should likewise be evaluated on their merits.
There is an increasing likelihood that terrorists, professional criminals, and cranks will aggressively target our employees and companies. One way to mitigate this exposure may be to move more rapidly between versions of our platforms and Web-facing products. That either shuts down an attacker's known vector or forces them to try other, less protected sites.
I think it is time we stopped treating service packs as a generic indicator of product readiness and evaluated each release on its own merits, weighing the benefits of the new technology against our cost of implementing it, with a pilot deployment rather than a calendar rule as the gate. A big part of that evaluation should increasingly be how many of our current security exposures the new offering takes off the daily worry list.
In short, in this new Internet age we aren't living in the same world our grandfathers lived in when they set the SP1 policies. Products are better tested, and the threat of standing still is much more pronounced. You aren't your grandfather: maybe you shouldn't run your shop the way he did.