Perspective: Microsoft security--no more second chances?

As if Homeland Security Secretary Michael Chertoff didn't have enough on his plate.

Not only has he had to deal with Katrina and Osama. Now he's also got to whip Steve Ballmer and the crew at Microsoft into shape. If past is prologue, that last task may be the most daunting of all.

In a remarkable declaration earlier this week, the Department of Homeland Security--a bureaucracy set up to deal with stuff that generally falls under the category of national emergency--called on all users of Windows software to install a new security patch issued by Microsoft.

This wasn't your garden variety flaw. The fear in Washington was a repeat of something like the chaos caused by the MSBlast worm in 2003.

By now, Chertoff's people must be thoroughly frustrated that Microsoft still turns out poorly designed products.

By now, Chertoff's people must be thoroughly frustrated that Microsoft still turns out poorly designed products. What with terror plots being uncovered overseas and threats of airline bombings, cybersecurity obviously is not the top headline this week.

But the threat of a network meltdown has not disappeared--especially when flaws so regularly turn up in Windows, the computer operating system most people in this country use.

The Microsoft monoculture is a fact of life in government and corporate circles. And that comes at a price in the coin of vulnerable computer security.

Microsoft contends that the situation is improving and that it's doing the maximum to make sure that Windows and the other software products it sells go out the door with as few problems as possible.

Each month, the company issues a security update in which it patches problems. And every Microsoft spokesman within earshot can be counted on to solemnly pledge the company's maximum effort.

It's a familiar refrain.

Ever since Bill Gates announced Microsoft's Trustworthy Computing initiative four and a half years ago, the company says it has reshuffled its development priorities. Cool new features were to take a backseat to improved security and privacy.

Yet the problem lingers. In the last three years, Microsoft has issued an increasing number of yearly security bulletins, in which several patches get put online to fix problems in existing applications. The company sees this as evidence that it's on top of things, not an indictment of managerial incompetence.

If you want to find someone to blame, Gates says, point a finger at the "malicious people" out there looking to "take advantage of whatever things there are."

What did you expect him to say? That it's Microsoft's fault? That would be too hot to handle. Gates and the rest of the brass stick closely to the script but clearly know that Microsoft can't keep turning out finished products that are as porous as Swiss cheese.

Defenders will argue that it's unfair to demand perfection from Microsoft; that software is an imperfect art. And besides, they add, is the Mac operating system or Linux bulletproof? Clearly, the when "Patch Tuesday" rolls around. Another few holes get closed with a magic Microsoft download, and we're safe (unless the bad guys first found a way to burrow into our systems).

Here's something to consider: If bridge builders or airplane designers applied the same standards to their labors, do you believe that the public would so easily forgive the regularity with which bridges would collapse and airliners fall out of the sky?

Biography
Charles Cooper is CNET News.com's executive editor of commentary.

More Perspectives

[davtaylor]

Not a very smart analogy Charles

"Here's something to consider: If bridge builders or airplane designers applied the same standards to their labors, do you believe that the public would so easily forgive the regularity with which bridges would collapse and airliners fall out of the sky?"

Airplanes are not networked to the wider community. I am sure they would be just as vulnerable if any one of a billion individuals could remotely access a planes systems during flight.

Airplanes are not networked to the wider community. I am sure they would be just as vulnerable if any one of a billion individuals could remotely access a planes systems during flight.

If any terrorist targeted one individual bridge, I am sure they could bring it down if they really cared. In fact if all bridges were build to the same spec, you can be even more sure they would be a target of attack.

The comparisons your make in this last sentance are just silly, and we expect better from you Charles.

[cnetsuxxxx]

Try again

His analogies are fitting and relevant. An airplane is a complex
network consisting of miles of wires, a multitude of parts and
devices. I can see the relation to an operating system, such as
Windows. The fact is, Windows is a flawed and poorly designed OS
that is somehow become the "standard" for many businesses. I can
only hope that a large organization, such as branches of the US
Government, start switching to OS X and Apple for their computing
needs. Our security is dependent on it.

[robot999]

You are right...

about the fact that airplanes are not accessable by "networked"
users. However from an engineering (and quality) point of view
they are similar in complexity and systems/subsytems. One
could also argue that both have life and death implications.
Now the point: IT IS POSSIBLE TO CREATE AN OS THAT IS
SECURE! Just look as OS X, it has been done, and this leaves no
excuse for MS. And before someone sprouts about lack of
market shares as the reason for ZERO wild viruses for OS X, I will
quickly point out that no one was able to crack the system via
the internet when given a challenge. And I don't doubt for one
second that thousands of hackers are drooling at getting the
fame of being the first to succeed at cracking X!
Nuf said!

Airplanes are a perfect example of competence

When the risk of loss is your life and money, You will do all you
can to keep it safe and will fix it when there is a problem, often
before there is a major failure. Contrast that ideal about aircraft
design, with that of Microsoft who want to claim that building
software is a tough business and they cant cover everything

...spare me the tears Bill...youve got billions of $$$ ripped off
from users who Dont understand the inner working of a PC so
they let you tell them its as good as it can be. While every day a
new failure,hack gets into a PC, or Windows comes down with
the Flu, people just say "Ah, I dont understand it, so who am I to
judge?"

Boeing builds jets with 4 million parts made by many
manufacturers, yet in spite of pilot error, or terrorists, they
manage to make a safer, more reliable product than Microsoft
does, and most people dont know how a plane is built but you
can bet your sweet bippy they wont get on a rickety old rattle
trap to fly if they are told its got problems, yet they will use a PC
that has the same sense of junk.

there is a disconnect because a PC doesnt often end up in a
smoking twisted heap, unless you teach it a lesson with a
hammer, so people are reluctant to judge that Windows is
broken, and they should move to a safer design...but marketing
and human herd mentality stops them from finding a Mac is the
safer, better way to go.

Until PC bigots wake up, or are willing to ADMIT they bought
junk, this lack of safety, and weakness that we have from
Windows insecurity will plague the world for generations to
come.

[bluvg]

Microsoft ASKED(!!!) the DHS to issue the request

DO YOUR RESEARCH.

[HuggerMugger]

It's the authentication, stupid

Yeah, yeah - market share exposes Windows more, OS X and
Linux would get hacked if it was more fun - blah.

The historical problem with Windows is the scripting systems
and internal message authentication.

Since Windows was stupidly designed as a networked OS and not
provided with enough security, it was easy for a hacker to send
you an email, automatically launch a script as if someone were
typing at the keyboard as Admin, let it raid your Outlook
address book, install an application, turn you into a mail server,
populate itself to all your other Windows user friends, record
everyone's actions, send back any 16 digit numbers you type
in... on and on.

Digging out from 140,000 exploits is tough stuff. So far, most
Windows patches plug the signature of the exploit and do
nothing to fix the underlying problem - the fact that the OS has
no idea if the scripting host or the Admin is running the
machine. All the hackers had to do was change the name of the
virus and off they go again.

It's getting better but there's SO much to fix without destroying
all compatibility first. Vista may beat people to death demanding
passwords all the time and you'll be able to decipher the
password by which keycaps are worn away. Windows RELIES on
the ability of applications to talk to each other freely and make
system calls without restriction. Hackers are just using those
abilities for themselves.

Those paths largely don't exist in Linux or OS X. Sure, there are
patches to fix problems all the time - it's electronic warfare,
after all - but LInux and OS X have a HUGE jump on Windows.
Unlike Windows which runs as root (Admin) and will happily run
whatever you tell it, the majority of exploits the common Linux
or Mac user will encounter would require someone to be at the
keyboard with the Admin password to install it first.

You want security? Encrypt the important stuff on your computer
and be done with it.

[Björn Lundahl]

Godd Comment!

Björn Lundahhl
Göteborg Sweden

[Björn Lundahl]

Good Comment!

Björn Lundahl
Göteborg Sweden

[hthukral]

Not at all a good article

I will say the complete article is misleading. First of all its the complex OS and human creates it and human destroys it.

Secondly, Linux and Apple is used by maybe 5-10% people in the world. A hacker creates ways to breal affect is very less and secondly those OS'es are used by who have knowledge what they are doing. Windows is used by people who have no idea of computers.

Thirdly, your bridge analogy I dont have even words to say....If every day and nite some people are poking hammers or some other things on the bridge I dont know how long that will stand....

[rcrusoe]

Just about everyone uses Linux, and that probably includes you

Everytime you use Google or most major Internet websites you are
using Linux. ;)

[WalterVerm]

It's not

An airplane is not complex ???

Yes, fewer people use Linux. I don't know what breal means. The effect is less; true, so that is an argument against MS mono culture.
Linux users are more knowledgeable; often true, but how knowledgeable do you need to be for autoupdate.

[dudegadget]

Unfair comparison, misleading article

I've heard the bridges and cars argument again and again and the last I expected was from a person who is the editor of a tech news site. How in the world can you compare the two? Everyone in the software world will agree that the production and management techniques that are applied to other engineering disciplines fail when applied to software engineering. I am a software engineer and completely reject the argument. Every software major rolls out packages throughout the year. I have seen FireFox, MacOS, Oracle, major databases and all other kinds of software (something as simple as an Adobe Reader) send out security bulletins routinely. And they all make fewer software titles than Microsoft. The patches MS sends out deal with many issues and I have never had a problem with my computer being compromised. I have autoupdate on.

The point is that in software testing there are infinite number of test cases even when just tested individually in a controlled environment. When combined with other software it starts to exhibit emergent behavior. Smart testers try to partition those cases such that by a process of induction it can be shown that the software behaves properly over the entire test case sample space. If you know anything about computer technology you will agree that there are far more variables here than in civil engineering (building bridges -- not that that is easy by any stretch of the imagination and you need constant maintenance, they also have weight limitations and people are not allowed to change anything on the bridge). Civil engineering is a centuries old discipline and compare that to software engineering which is at most 50 years old. Best practices have evolved and things will get better.

Meanwhile, please don't write such uninformed and misleading articles. You say that MS turns out poor quality software and I disagree with that. They have had problems but it works with thousands of devices and software titles without a hitch. They are single handedly responsible for the tech revolution. Without them I am not sure if you would have a job of an online tech news site editor.

[deanrd7]

so tell me hot shot...

If Mac OS X is every bit as vulnerable as Windoze - why in 5 years of owning a Mac have I never, EVER had a virus or malware or spyware? Please don't even try to tell me that as a software engineer/Windoze user you've never had a virus or some kind of malware/spyware on your system.

Windoze is a poorly designed OS. Period

[qwerty75]

re

"Meanwhile, please don't write such uninformed and misleading articles. You say that MS turns out poor quality software and I disagree with that. They have had problems but it works with thousands of devices and software titles without a hitch. They are single handedly responsible for the tech revolution. Without them I am not sure if you would have a job of an online tech news site editor."

Amazing that so much ignorance can be stuffed into a small paragraph.

MS does put out poor software. With very, very few exceptions, I can point out a safer, more stable and downright better solution to any MS product. ANd lets not forget that the majority of the security issues can be laid directly as MS doorstep.

How is MS singlehandedly responsible for the tech revolution. That would imply leadership. MS is a follower.

[Björn Lundahl]

I wish that all my softwares worked as well as XP!

Yes, I wish that all my softwares worked as well as XP. I would have fewer problems.
Björn Lundahl
Göteborg Sweden

[The Constant Gardner]

Swiss Cheese of an article!

Well, since you took so much effort is pointing out the obvious, thanks. I totally agree with the last posting, a bad analogy...to end the article.
We, are so fixated with "Sucess" in everything that we no longer have patience for minor hiccups or a huge bump in the process. Software developments is hard, it takes the best brains and patience to come up with a product, worth selling...most of us are used to Windows so much in our daily lives...would you rather go back to DOS?? or work entirely on a UNIX system..i guess no, then let the people do their job, and try to help them, than oppose them!

[deanrd7]

I'm loving my system

..and it's UNIX - it's called OS X for Macintosh and is light years ahead of Windoze. In the 5 years I've owned Macs, I've NEVER had a virus or malware or spyware....NEVER.

[WalterVerm]

Minor hiccup of a comment

A minor hiccup. What are you talking about. Windows systems have been completly taken over by hackers. All you're data is accessible to outsiders.
This reminds me of the movie "The Holy Grail" where the knight get's his limps chopped of and he comment "ah it's just a flesh wound".
I have to use Windows for my work, but personaly I just use Linux. So i guess yes.
I wish the people at MS did do there work, so these things wouldn't happen.
My advise: Try Linux, there are a lot of distributions for non-technical users. Or move to Mac OS X, wich is essentially UNIX under the hood.

[bmo99]

Be realistic, not as many people are trying to hack Linux or Mac.

If Linux and Mac OS were on as many systems as Windows there would be millions more people trying to find exploits in those OSs as well and they would succeeded.

All I wish is they could reduce or eliminate the reboots. I think that will be better in Vista.

[WalterVerm]

Argument against MS-MonoCulture2006

Another argument against MS mono culture.
Linux code is open and more checked for errors by more people then Windows. So it's unfair to speculate that it would have as many exploits.

[amadensor]

Linux has the market share

This was a remote hack with no user intervention. Hmmmm, how about machines open to the whole world to hack. How about web servers? Check the stats. About 2 of 3 web servers is a Linux box. They are definitely a big enough target to hack.

Your market share argueement only holds water as it applies to desktops and people being stupid opening attachments.

[Philips]

Not completely true

Linux (and Unix in general) is the most hacked platform. It's just that attacks keep low profile.

Ask any Linux/Unix admin with systems exposed to Internet. My box personally was twice attacked: several years ago somebody tried to exploit old apache hole (which didn't existed in my configuration) and about year ago dumb brute force attack on weak passwords against all common daemons (mysql, ssh, telnet, etc).

With Windows advancements, literally anybody can become a 1337 h4x0r - the rootkits/malware are spread all over the net. Pick rootkit, add exploit for new vuln - and you are ready.

With Linux/Unix systems, the target is harder to crack since it has magnitude more possible configurations. And overall security model of Unix is well known for several decades and is tested routinely by many companies - including Unix and Linux vendors themselves. But the Unix systems are magnitude easier to program and automate - plus many such systems sit on Internet backbones with very very speedy network access times. Cracking such system is like finding a treasure box.

I know about two cracked Unixes: one Linux and FreeBSD boxes. In both cases the machine were used for - try to guess it - exploiting Windows boxes. Seemed to me like operators of botnets tried to extend their reach using /spare/ bandwidth of the servers.

Unix is targeted. Make no mistake. It's just the kind of exploitation is very different - as well as kind of crackers doing that.

[wbenton]

Impossible Comment

As neither Linux or the Mac are as popular as Microsoft is... you have no proof to back up your allegations.

The attempts might be the same... but as to whether the successes would be the same or not... it's plausable at best to assume that you're talking about things without any proof what so ever!

Without facts to prove your case... it's speculation at best.

Walt

[bits95]

Not trying to hack, or not succeeding?

Think about it. Others in all the comments have said, only attack an easy target. It's not that they're not trying to attack OS X, some are I'm sure. They'll try harder too when Apple continues to take market shares from Microsoft. This doesn't mean they'll succeed on the left they have with Windows.

Hopefully Apple won't give us users too much, and open more holes for script kiddies and such.

[phillynets]

Weak Man

If airplanes were falling out of the sky... If devious mechanics were removing previously installed bolts in the wing section; if companies flew the planes without regular maintenance or outside of the recommended operating parameters; if road crews were tossng spikes on runways as the planes were landing and taking off; if cleaning crews were installing snakes on planes... Would it be Boeing's fault? That's where your analogies run weak.

The problems with Windows arise from their near total market share. Macs never worried about viruses because hackers didn't bother with small potatoes. Windows is the money shot.

Since the OS must allow so many different types of software to interact with it the vulnerabilities are more prevelant. Old flaws cannot be removed without upsetting users who need to keep old databases or other 3rd party software packages. MS has tried to strike a balance between users who complain about "nothing works with the new OS" - see Mac's OSX for this - and their improvements in OS architecture (NT to 2000/XP).
Follow the money for a moment: the patches cost MS millions but earn them nothing. With each "flaw" their customer considers switching to a competitor rather than upgrade to the next "hunk of MS junk." They'd love to wave a magic wand, but since that fantasy stick does not exist "Patch Tuesday" is the best we've got.

[Björn Lundahl]

Very, Very, Good!

Björn Lundahl
Göteborg Sweden

[dave.franklin]

Where are you getting your numbers from?

You assert that "...the number of security holes turning up in either operating system is a fraction of what turns up in the Windows world."

According to the US governments own figures 45% of the vulnerabilities discovered in 2005 turned up in Unix/Linux compared with 16% in Windows - the US-CERT site shows a list of the vulnerabilities here: <a class="jive-link-external" href="http://www.us-cert.gov/cas/bulletins/SB2005.html" target="_newWindow">http://www.us-cert.gov/cas/bulletins/SB2005.html</a>

Where does the evidence for your assertion come from?

[mstrclark]

Misleading...

The vulnerabilities for UNIX/Linux cover all application that run under Linux including Firefox.

The numbers are not just for the Linux/Unix OS or kernel.

[bits95]

You're reading YOUR numbers upside down buddy...

Hey nice link, but you forgot one little thing. Windows vulnerabilities are all on the same basic type of OS backbone, Windows.

UNIX/Linux covers a WHOLE HELL OF A LOT MORE OSes than just Windows.

This doesn't even compare. Get over it, Windows is a security f**^$_@! nightmare and will continue to be so until they CHANGE THEIR ARCHITECTURE.

And that will only happen when they're lost 35% of the market shares.

[Brandon Bartelds]

I Can See Problems

Where to start, where to start...

First off, lets look at that plane example. Not to be crual or insensitive to 9/11, but i'm pretty sure you can say that the airplane system IS INDEED FULL OF HOLES too. So it's inaccurate to claim security in other areas when it's proven that those as well are not completely secure. It's a fact of life that not everything is 100% guaranteed.

As for the patches, our author states that Microsoft said years ago that security was the new concern and why hasn't the security improved over the last 3 years or so. THEY ARE PATCHING A PAST PRODUCT. Gates did make the statement before XP, but XP is getting a bit older, and it's not magically going to fix itself even if Microsoft came up with the miracle answer to the perfect operating system.

Working in the security field, another thing I can say is that you have to evaluate what you are using and also look at backups. I don't choose the most reliable energy source, then not get battery backup because i'm using the most reliable first source. I personally don't agree that Macs are 100% secure, but that doesn't matter because no matter what you are going to use, create a backup. These "bridges" the author claims are so strong and safe aren't approved by the construction company. A second party approves the bridge and depending on what it is, perhaps there are motion detectors and other forms of security for very important bridges like border crossings. The people deciding how to set up networks and what operating systems are partially to blame. There are many reasons to go with Windows, but you protect yourself. Disable unneeded services, protect your network at a higher level and don't give your users permissions that will allow certain security vulnerabilities to be opened up.

It's unfortunate that Microsoft has made so many security holes, but it's not an excuse. The author wants to point out how quickly Bill Gates pushes blame to somebody else, well what about computer users. Take some responsibility for your systems and know what you are doing. If I had no clue about cars and didn't put oil it in, I would say it was the automotive makers fault the engine seized, it was MY FAULT cause I didn't take care of it.

This article is just another person complaining because they don't want to have to learn details on their operating system. They just want to sit down and use it, and live in la-la land.

[Kublaitrain]

Microsoft is not the one

From our local governments to our local neighbors everyone is always pointing fingers at Microsoft and their software. The honest truth is that more incompetent IT staff and uneducated computer users are behind these keyboards. Take a good look at our educational system from the very begging we are victims of these digital lines. I see students at high college levels that cant even use or open a piece of software like Power Point. Yet they get government jobs and even become IT graduates. The sanity of a nation has to be looked at its roots, in our case education. From that we can fix many of our flaws and learn to close the door to our friend the robber.

[qwerty75]

funny

An uneducated or ignorant user is not nearly as dangerous behind a mac or linux box.

In fact they would have to work hard to turn their boxes into a security problem. All a windows user has to do is turn it on and connect to the internet.

[Iam Free]

Living in a dream world

Has an airplane ever been designed that didn't have flaws? couldn't crash?, couldn't be hijacked? I can't remember one.The aircraft industry does the best it can and when things go wrong they try to fix them with new upgrades to make them safer for the people that use them.There will always be those that look to exploit any weakness in the plane or the security we set in place to protect them.There are no perfect airplanes, bridges or operating systems. Maybe in your dreams but this is the real world.

[jabbotts]

DC-10

I hear the DC-10 was a real hum-dinger until they started dropping out of the sky. Put a DC-10 on the skirt beside a 747 and see which plane passengers walk towards.

With every new major release, Microsoft gives us that same DC-10 with a fresh paint job and inflight movie screens then tells us it's a DC-15 (or -20, -XP, -Vista).

[rodtrent]

Why this is a stupid post...

Have you actually read the news recently? Homeland Security is a "ghost" agency. Why? Government owned laptops and desktops have been stolen at an alarming rate in the past 6 months. These contain SS numbers and full information on government employees. It's great that HS wants to be "on board" with the latest in tech, but they should get their own "house" in order, too. Write something about that will you? How many government employees still write their passwords on Post-It notes and stick them to their computer screen? It doesn't matter if a security exploit is in the wild if the computer is stolen.

Open Source like Linux is even more scary, where everyone in the world has access to the code. Would you rather Al Qaeda have access to "closed/managed code" or "open code"? Open code is a technology holocaust waiting to happen.

[jabbotts]

I'd opt for open source

They already have OSS and reverse engineered Win32/64 suedo code. So opting for your techno-doomsday doesn't change the stakes at all.

They already have smart people mucking about with computers for potential advantages in whatever OS the target is using; they can always farm the work out to China or the US crackers anyhow so the reading code doesn't change the stakes at all.

The end user working with OSS is either educated and compiling there own binaries from a trusted repository or less educated or happy working with pre-packaged OSS. Since there packages are comeing from a trusted repository they go through the authentication process to validate them before install. Huh, still no change in the stakes at all.

Your tinfoil hat seems to have slipped down over your eyes; it's not winter, you can pull that hat up so you can see clearly. I promis, I won't steal your brainwaves if you do.

[john55440]

Chertoff/DHS Public Relations Stunt

The Chertoff/DHS Microsoft announcement is just a public relations stunt, so they can pretend that they are actually doing something constructive.

In reality, Chertoff/DHS remains a study of gross incompetence.

[hberenson]

My response to Charles

Charles,



I generally agree with you, and as a software user Im very frustrated by the number of critical flaws that continue to appear in Microsoft software. At the same time, as a software developer for the last 34 years Ill say Im not surprised. Bug Free software just doesnt exist. The problem isnt that Microsoft will need to fix something now and then, its the severity of the flaws each and every month. If Microsoft could get its software to the state where Critical fixes only appeared a couple of times per year, this issue would fade from the headlines.



In your article you contend that Linux has fewer security vulnerabilities, but the last time I went through the list of known vulnerabilities (the CVE directory) that just wasnt the case. UNIX and Linux systems had just as many, if not more (particularly when the stacks are made comparable), vulnerabilities as do Windows systems. There are environmental factors (most systems under professional system management rather than on end-user desktops, more systems locked down to dedicated functions with unnecessary features turned off, users generally running without privileges, vastly fewer systems overall, etc.) that tend to mitigate the Linux/Unix vulnerabilities compared to the Windows vulnerabilities. Vista addresses the major factor under Microsofts control, the need for normal users to run with privileges. Actually, you can run without privileges on Windows XP but many things become painful (e.g., installing new software). And some third-party products, like Intuits QuickBooks, require Power User privileges thus defeating all attempts to make ones PC secure. Having all normal users run without privileges would cause many of todays Critical fixes to be reclassified a level lower and thus change the entire discussion about Windows security.



A second point really has to do with your frustration versus the release dates of software. Windows XP is five years old and predates Microsofts security push. Yes, SP2 was done to proactively find and fix a lot of problems before they were discovered by others. But that was just a band-Aid. It could fix some things, but it couldnt alter the design of the OS. Windows Vista is the first real test of if Microsoft has its OS act together. This is also largely the case for Microsoft Office, as the new release will be the first one whose development occurred completely after Microsoft started its big security push. So while your message is right on the money, it would be a more appropriate editorial 12-18 months from now (if needed).



The third point has to do with holding Microsoft developers more responsible for the quality of their code. I dont know what current Microsoft goals are for SDEs, but I will say that it is very hard to hold people responsible for defects that arent discovered for many years after they write it. Take one of the most severe vulnerabilities in recent memory, the Windows Metafile (WMF) file SETABORTPROC GDI call flaw. This is a design flaw carried over from Windows 3.x and no doubt the people responsible for it left Microsoft a long time ago. Even if they are still at Microsoft, how do you punish them for a decision that was the correct one at the time it was made? Ok, thats an extreme example. But nearly all bugs being found in Windows today were created 6 to 10 years ago, and most of those responsible are either not at Microsoft or else far removed from that particular job. The one thing you can do is change the culture to make having the fewest bugs one of the top two most critical evaluation factors for anyone who writes code. Fewer total bugs should mean fewer security vulnerabilities. But even if you have someone who writes near bug-free code, if the one bug they introduce in a year is a Buffer Overflow you can be sure that means another critical fix on a Patch Tuesday some years in the future. And Microsoft has thousands of developers.



So the message has to be that despite a Herculean effort so far Microsoft has to get better, far better, than where it is today. But it isnt yet time to say theyve failed. By the end of 2007 well know if theyve succeeded. And, if not, theyll probably find that even the most faithful are seriously looking to make a change.

[`WarpKat]

HeH

&lt;begin quote&gt;
Bug Free software just doesnt exist.
&lt;/end quote&gt;

Sure it does!

&lt;?php
echo "Hello world!";
?&gt;

100% Bug Free!

[Jeremiah256]

RE: My response to Charles

hberenson,

Great comment. In between the trash talking between Microsoft, Nix and Apple zealots, it is possible to find some great diamonds in the rough.

I'd like to throw out something else for discussion: does Microsoft have that 12-18 months hberenson mentioned to prove itself? None of Microsofts competitors is standing still. And though I don't think Microsoft will go under, I do believe that like Internet Explorer vs Firefox, you'll see a decline over the next several years in Microsoft's O/S dominance. Particularly if Google bundles an Office/pdf compatible application that can be used offline with their online word processing and spreadsheet initiatives. Put enough services online, make them compatible with existing defacto standards and it won't matter what operating system you use.

[bluvg]

Microsoft ASKED(!!!) the DHS to issue the request

DO YOUR RESEARCH.

(Sorry for the double-post--this was meant to be a response to the article.)

[technewsjunkie]

Link please

Where did you get this from?

[mystereman]

If it's so secure

If, as you say, Linux code is better because there are "more eyes", then how exactly does so much code get on to end users systems that need security updates? My linux system here gets security updates what seems like *DAILY* most of the time. Almost Daily. Not an average of a few a month, as with Windows.

Now, it's true that Linux system ship with so much more stuff, but your argument that Linux code is so well checked by more "eyes" would seem to imply that this wouldn't matter, it would simply be perfect out of the box.

[qwerty75]

Very pathetic

Most of the updates that show up in linux are THIRD PARTY APPS, NOT PART OF THE OPERATING SYSTEM. This a very good feature. The vast majority of the linux programs can be updated in one place.

You obviously know nothing about writing software. All non-trivial programs have flaws, it is a fact of life. Linux is better because of the way it is designed. Even if a virus or hacker gains control of a default system, they can do little to no damage. They also fix problems fast. That is why you get updates alot. Compare that with MS's policy of leaving systems vulnerable to known and exploited flaws until they can be bothered to release a patch.

The kicker is that MS has released some fairly trivial programs and are loaded with flaws. Even the non-trivial apps are so poorly written that an attacker can cause so much havok with no effort or technical knowlege.

[psychosmurf]

This is a horrible article. . .

. . . that was probably spit out of this mindless hack's power book.

Apple and Linux account for less than 10% of the world market for computers, a mojority of that being server based (with regard to Linux). HELLO!! The standard computer user base is more likley around 2 percent. Why the hell would a hacker want to crack those operating systems? It would be a waste of their time; there would not be enough attention or glory for them to take.

Microsoft's standards has made computers accessible to the common individual. They standardized the OS and made it possible for the common individual to do things that a programmer would have been required to do in bygone days. Look at Linux for example. I've located at least fifteen different installations out there all of which work, look and act differently. There are no standards. But if Red Hat became the status quo in OS software, would you then be attacking them like this when hackers started picking apart their security? MS works to correct problems that are found and producing a perfect piece of software is impossible. No software is perfect and if you think you can do better, please, indulge us with your acumon. I'm anxiously awaiting your download. And in fact, I would pay you to build a perfect piece of OS software.

As far as the bridge analogy is concerned; I can't even tell you how stupid and wrong that is. Give someone with enough determination a hacksaw and enough time and see how much damage they can do to say the Golden Gate bridge. Or give them a jackhammer and see how much damage they can do to
the foundation of the bridge. Likewise, a chisel can eventually crack a dam if enough time and energy is involved.

And one more note on that. I live here in San Francisco and I would very much like to point out the amout of seismic retrofitting that has had to be done on the Golden Gate and Bay Bridges in the last five years. Damn engineers; how dare they build a bridge that can't stand up to an earthquake. (That's sarcasm by the way.)

Think about your words before you write them and understand what you're talking about.

[qwerty75]

wow

Maybe you shuold take your own advice "Think about your words before you write them and understand what you're talking about."

Why are MS fans so stupid?

Windows gets hacked because anyone can do it with no effort. Linux and OSX don't because it is extremely difficult.

Go look up server hacks and market share and then come back here and spout your drivel.

[ripntime]

ripntime

Hey What exactly does market penetration have to do with the fact that windows is a flawed system from design not from the hackers and malware writers.
Get your head out of you know who's A**.
Proof that watching to many windows ads and running windows leads to a self induced lobotomy.
Now comparing the bridges is just idiocy at it's greatest. Had those builders been found to provide faulty workmanship or products they would be shut down before you could say the sky is falling.
And personally i think thats what should be done with Microsoft, Because thier products are faulty and lacking workmanship of any kind, If any other company put out crap like they do they would have the better businees beuro down thier necks.

POP thats the sound you'll hear when you pull your head out....

[kalodev]

WHO HAS MORE SECURITY BUGS?

I am tired of hearing the same thing over and over again. Claiming that Windows has more security bugs, without backing it up with facts is all I hear. The number of bugs, both in severity and number, prove otherwise...

[qwerty75]

look at the stats

closely

Lets say there is a flaw in the linux kernel. That is not counted just once, but for each distro.

Also consider that Linux fixes its flaws well before any exploits surface.

Windows has more security issues. To claim otherwise is stupidity.

[dragonsprayer]

MS bashing must be cool?

You must not travel much - you have never seen a rusty bridge being painted and patched - welded and sealed?? I never seen a computer collapse on the floor or fall out of the sky or for that matter completely not work - unless you open the door for the malware!

In fact if you do not go on line the OS never needs updates - like wise if never take the plane out of the hanger the bridge out of the factory it will not need repair either!

I guess a airplanes never needs repair - every rivet last for ever? Why do they replace the rivets on planes? Why do they over haul plane engines?

Why did the tail fall off that airbus? Why did the concord get grounded - why did its tire blow and kill all those people! Why do you get paid to write non-sence?

Very irresponsible statement and its only sheik MS bashing!

"Here's something to consider: If bridge builders or airplane designers applied the same standards to their labors, do you believe that the public would so easily forgive the regularity with which bridges would collapse and airliners fall out of the sky?"

[Tanjore]

Yes looks like MS bashing is cool

Microsoft deserves some blame for what is happening.

I am sure any operating system that gets widespread audience like Microsoft OS will show up holes.

No OS is perfect.

From what I read, Microsoft is doing a lot to improve the operating system. Unfortunately, microsoft does not get credit for the efforts.

[halesgarcia]

Hail monoculture!

Germ says: The herd will follow. Say Amen.

Herd says: Mooo.

[wbenton]

More of the inevitable!

Microsoft is still trying to learn how to exist... but it has yet ot cope with the methods required to allow it to continue to exist.

The recent list of patches included 9 critical flaws and 3 not-so-critial flaws. Under normal security related issues, 24 hours max for Critial issues and 72 hours for non-critical issues still seems to pass Microsoft by the wayside.

Microsoft has been aware of the critical issues for MUCH MORE than 24 hours... but they still shove their Critial patches into their Monthly updates... regardless of whether they're critical or not and regardless of whether the normally accepted 24-hour deadline has elapsed or not.

Microsoft's Trustworth Computing is as gullible as Osama Bin Laden's conversion to Christianity is!!!

[ekarjala]

A pitifully myopic article

Seriously, it sounded like a 3rd rate, MS hater rant on Slashdot. The airplane/bridge analogy was particularly laughable if not offensive given the not so distant events of 9/11. IF Apple and Linux ever develop something beyond low single digit adoption rates as a desktop environment, there will be similar issues as the true culprits turn their attention in that direction. In the meantime, if things are so bad, stop running Windows and switch!

[Europodboy]

Simple

Look guys, its really very simple.

If OSes were potential girlfriends and one was better looking
easier to get on with and virus free and the other was known to
be riddled with 140,000 viruses (and a bit unstable!) - which one
would you date?

[Björn Lundahl]

It is not clever to compare aeroplane constructions to OS programming

Naturally, the priority is different. We would not want Microsoft to take the same precautions for safety as we want Boeing to take it, or do we, for example, want Vista to be ready for shipment in another ten years? There are always trade offs. If our lives were at stake every time Windows crashes, the comparison would be analogous and our safety preferences would also be different.
Björn Lundahl
Göteborg Sweden

[ordaj]

Microsoft's Trustworthy Computing

The only reason Microsoft came up with "Trustworthy Computing" is because they were in danger of being usurped by the Trusted Computing Group. They were forced to admit that security has to be tied to hardware. So, to blunt that admission they came up with, as Microsoft always does, their own controllable initiative.

Ever since, as a "member" of the TCG, they've slow-walked trusted computing and made sure that the press, who never dig too deep, focused on Microsoft's "Trustworthy Computing."

[caelli]

Secure by Design - not just Implementation!

Remember MULTICS? What about "fail-soft"?
and DEC's VMS?
What's the point?
Well - we have known for 50 years that software development and deployment are subject to error - human error - and so many years ago as a result of extensive research activity in computer science and engineering at MIT and elsewhere, the scientific/engineering result was that CPU architecture MATCHED WITH OS design had to incorporate tolerance of "bugs" and even "malware". Thus we have the memory typing and address segmentation of the Intel x86 architecture coupled with its 4-ring protection architecture.

the time is now - the time is a major need to stop and reconsider just what a modern OS has to be - e.g. allow for device drivers that do not come from the OS orginator, "trojans" that attempt to "invade" the OS kernel, etc. We solved all this many years ago BUT it means rethinking - well, the basis of OS design and the use of necessary hardware support, such as that memory segmentation and ring structure. Couple this with the need to acknowledge that a move to a form of "mandatory access control (MAC)" - yes - a form of it - is absolutely required in a globally interconnected IT world of Internet and computers where the origin of software loaded is largely unknown to the end user - and the need to retink, quickly is paramount. Can this happen in a largely acknowledged monoculture? Hmmm... Maybe, but SELinux from tne NSA has still not taken the world "by storm". MAC has to become:
* integral to new OS structures
* be re-invented in a CIO/CSO "friendly" format
* re-aligned to the interconnected world, and
* most impportant, become a topic of education and training for IT professionals.

After all, that disastrous move from a security viewpoint to "RISC" structures in the 1980s let the industry move away from fundamental security architectures at the CPU hardware level. Intel continued - but for how long - and who cared?

Is it too late?

Bill Caelli