Comments on: Security from A to Z: Open source

Experts have issued warnings of complacency over security in open-source projects. Part of a series on hot security topics.

[jabbotts]

obscurity is not security

"But that's because the company's products are used by nearly all PC users, not because Microsoft software has more vulnerabilities."

This is missleading in direct oposition to reality. Obscurity is not security. Your saying that Windows is not more vulnerable, it's jsut less obscure and as such, attacked more.

Until Vista (jurry ist still out on Vista) the very way in which Microsoft had developed it's software meant inherent vulnerabilities.

Internet Explorer (IE6, less so in IE7) being forceably imbeaded into the OS while still allowing JAVA, ActiveX and other network transfered program code to run at very low OS levels (users interact with a very high OS level normally) is a vulnerability of design not lack of obscurity.

Basing every version of Windows (win95 through to winXP) on all of it's previous versions software code (msDos at the very core of the onion) is an inherent vulnerability. Patches for winXPsr2 where still including fixes for old Dos flaws. Multiplying your software flaws by every major OS version you demand to be backward compatible with is a vulnerability not lack of obscurity.

Microsoft's development architecture for Dos through to WinXP is fundamentally insecure. Dos was a standalone OS; it was developed at a time when no one even considered connecting two machines together. It was meant to run on a lonely workstation that transfered files by floppy disk. Win95 was little better, win98 had more complete network support without any security. Again, every version of windows just get's wrapped around the previous like onion skins. You can't build a secure OS with a hollow core.

Microsoft insecurity is because of inherent vulnerabilitys and years of treating security as an afterthought, not because it runs on the majority of personal computers and, frighteningly enough, servers.

If anything, running on the majority of computers should result in the majority of user bug reports leading to a hardened system. Microsoft is profit driven however, not quality driven. And, being a grandpa proprietary software company, they spent many years earning there bad-will among the hacker community by ignoring and discounting any bug reports submitted by "outsiders".

As for Vista, we'll see. It won't be worth seriously considering until service pack one or two and in the mean time, it's not yet been put through it's pases by "intrusion analysts". It'll be pretty to be sure but the jurry's out still on the security effectiveness.

[dagwud]

Are we reading the same article?

The article I read makes no comparisons of vulnerability of Microsoft products and other software. It does, however, note that the ubiquity of Microsoft products has meant that they end up in the headlines more often than anyone else.

But that's a far cry from saying it's more vulnerable because it's less obscure.