
Last Updated: 07/27/2016

Survey: Most IT Experts Do Not Trust Microsoft

SEATTLE -- Three-fourths of computer software security experts at major companies surveyed by Forrester Research Inc. do not think Microsoft Corp.'s products are secure, the technology research company said.

While 77 percent of respondents in the information technology field said security was a top concern when using Windows, 89 percent still use the software for sensitive applications, Cambridge, Massachusetts-based Forrester said in its report "Can Microsoft Be Secure?"

The survey polled 35 software security experts at $1 billion companies.

Forrester analyst Laura Koetzle said "too few firms are taking responsibility for securing their Windows systems."

Koetzle said that 40 percent of firms were not planning to make security improvements themselves and that only 59 percent of those that suffered security attacks have made changes to the way they use Microsoft software.

Microsoft, the world's largest software maker, launched a company-wide initiative over a year ago to make its software more secure and trustworthy in the face of attacks that targeted the vulnerability and wide reach of its software.

"We understand that achieving the goals of trustworthy computing will not be an easy task and that it will take several years, perhaps a decade or more before systems are trusted the way we envision," a Microsoft spokesman said in an e-mailed response to the report.

"We are working to address existing security concerns, including patch management. This is only the beginning and we are confident that customers will continue to see additional progress over time."

In the most dramatic incidents, such as the Nimda and SQL Slammer worms that exploited holes in Microsoft software, patches were available from the Redmond, Washington-based company well before the attacks happened. In many cases, however, the patches were not implemented by system administrators and engineers.

Koetzle noted that while Microsoft's patches for the last nine high-profile Windows security holes predated such attacks by an average of 305 days, too few customers applied the fixes because "administrators lacked both the confidence that a patch won't bring down a production system and the tools and time to validate Microsoft's avalanche of patches."

Microsoft argues that it is doing a better job of informing customers about security holes in its software, but many customers are questioning the amount of work needed to implement additional patches and fixes to Microsoft's software.

When the SQL Slammer worm, which slowed Web traffic worldwide and shut down automatic teller machines across the United States, hit in January, Microsoft had already provided, in July of 2002, a security patch for the hole that the worm targeted.

But because the patch was difficult to install, Microsoft scrambled to create an installation program that would make it easier for companies to implement the patch.

"Microsoft must develop new simple, consistent tools for applying patches and mitigating security platform risks," Koetzle said.