Microsoft isn’t known for the security of its software. But that’s something the company is trying to change. Read the article at Forbes.
… what would have happened … more bug?
no interest to fix?
…but they were overall unsuccessful. By issuing patches every week, they are just starting to do what Red Hat has been doing for quite a while (and daily, not weekly). Their analysts probably told them that denial and hiding the patches in service packs are much worse PR-wise than publicizing vulnerabilities. Well, that’s progress, too, I reckon.
If by “withought[sic] us” you are including yourself and your fellow Microsoft developers, then I would agree with you.
So how long has Microsoft been trying to fix its security?
It’s a nice thing to tell financial advisers or the type of people who read Forbes, but here in reality we know that their whole Trustworthy Computing initiative is nothing but PR and lies.
If they want to secure their software how about recommending they change their default settings to be more secure, eh?
The real problem facing Microsoft in its battle against the holes in Windows is the fact that they are unwilling to take the time and focus on quality control. To be fair, this is a problem facing most makers of software I’ve used, and not just Microsoft. Every single Linux distribution I’ve used also seems to have been put together by a bunch of drunken monkeys who care more about features and flash than about making a solid product.
One of the biggest reasons I am such a big fan of the three free, open source BSDs is that the BSD developers understand the need for proper quality control. I’ve noticed far fewer advisories for core BSD software than I have for Linux and GNU software. It is becoming ever more clear to me that this kind of attention to detail is the only way that software can really be made into secure and stable products.
OT: I am also a fan of the idea of making software vendors legally responsible for the security and safety of the code they distribute, especially when that software ends up in cars or hospitals, banks or government institutions. Only under this kind of pressure could Microsoft ever be forced to change their thinking on the matter of software quality.
Yeah, it may hurt some open source endeavours, but the biggest ones would still be around. Perhaps open source developers could be held somewhat less liable due to the fact that they make their code open for all eyes to see. At any rate (keeping in mind that I am a FreeBSD zealot myself) I am sure that the OpenBSD folks could keep going, not for an abundance of money on hand, but due to the sheer quality of their work.
All this talk about Microsoft’s security endeavour is pure marketing. Sadly enough, it seems to work.
Is it just me, or does it seem like one of these articles has been coming out every 3 to 6 months for the last few years? In another few months, there will be another big Windows hole revealed and MS will come out again and declare that security is their number one priority. Really. And they mean it then. Seriously folks…
Like stated above, this is nothing more than another marketing stunt.
It always surprises me that the average Linux user seems to know more than professionals, people who did studies on this matter, who know what they are talking about.
If one of these experts says that Linux is bliss, you all agree. But once they say something “good” about MS, they suddenly “don’t know sh*t”.
Interesting…
That’s because most of us are Microsoft customers as well, and we know more about the OS than how to turn the computer on. The people that do the studies on the OS are rarely technical, and are usually 90% inaccurate.
MS could, if they wanted to, continue on making shoddy software, because nobody can compete with them on the desktop. Their license agreement ensures that they will never be called to account for flaws. They will always have a following on the server side due to their army of drones with certs, jobs, and PHB’s who know nothing.
So, why are they making any attempt? Public perception. MS really prefers to go about its business without being noticed. Gates realizes that the company has image problems, like Bob Lutz realized at Chrysler. If they can cut things even in half, things will be better for them. Truly fixing their problems, however, will require a complete redesign of their products. And even a company like Microsoft can’t afford to do that. The closest they’re coming is finally realizing that it’s *okay* to break backwards compatibility. But it’s something they never wanted to do.
I wouldn’t go that far. If they were to ship Windows (for example) with no unneeded services running (remote registry, anyone?) and did a complete line-by-line audit of their source code (not just once, but continually), and didn’t enable scripting in everything by default, then they could easily get away with not having to do “a complete redesign of their products.”
Like I said before, QUALITY CONTROL.
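As an added illustration of the “no unneeded services running by default” point in the comment above (this is not the commenter’s code and not anything Microsoft ships): a PowerShell audit that reports the state of the Remote Registry service and a few other services that are commonly not needed on a workstation, and optionally stops and disables them. It assumes a current Windows host with PowerShell 5.1 or later and an elevated session; the service list is a hypothetical starting point chosen for the example, not a vendor baseline.

```powershell
# Added example: audit (and optionally disable) services that are commonly
# not needed on a workstation. The list below is an assumption for
# illustration, not a Microsoft baseline. Run from an elevated session.
param(
    [switch]$Apply   # without -Apply the script only reports
)

# Hypothetical starting list; review against your own requirements.
$candidates = @(
    'RemoteRegistry',   # Remote Registry: lets remote users modify the registry
    'SSDPSRV',          # SSDP Discovery (UPnP device discovery)
    'upnphost',         # UPnP Device Host
    'TlntSvr',          # Telnet server (absent on most modern builds)
    'RemoteAccess'      # Routing and Remote Access
)

foreach ($name in $candidates) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output ("{0,-15} not installed" -f $name)
        continue
    }

    # Start mode (Auto/Manual/Disabled) is not on the Get-Service object,
    # so read it from the WMI/CIM service class instead.
    $start = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    Write-Output ("{0,-15} status={1,-8} startmode={2}" -f $name, $svc.Status, $start)

    if ($Apply) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        Write-Output "  -> stopped and set to Disabled"
    }
}

# Everything else that starts automatically, so unexpected listeners stand out.
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
    Where-Object { $_.Name -notin $candidates } |
    Select-Object Name, State, StartName |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run it once without `-Apply` to get the report, confirm each entry is really unused on that machine, and only then run it with `-Apply`. Disabling a service that something depends on breaks that something, so the point of the two-step flow is to make the default-off decision deliberately rather than by accident.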
Many of the security problems stem from the fact that Microsoft seeks to make computing easy and build software that works with a range of different hardware. “Microsoft has taken the attitude that it should be easy for people to use, as opposed to secure,” says Michael Cherry, who follows security issues for Directions on Microsoft, an independent consulting firm based in Redmond.
Sorry pal. The truth of the matter is simply a lack of consideration for consequences each time Microsoft Windows developers add a new “feature” to the operating system. In other words, bad design. Plain and simple. Most attacks are targeted at, or work through, “Features” of the OS that are questionable at best. VB scripting, RPC, etc.
I feel entirely confident that my Windows XP system will not succumb to any vulnerabilities… because it’s being protected by Linux and OSS.
Quite true, they’re moving to a new API with Longhorn. I don’t see them wasting time and money fixing APIs they’re about to ditch. They’ll probably just continue releasing patches and SPs as more holes are found.
They’re just adding more. It’s not typical of Microsoft or Windows development (based on historical proof) to remove much of anything from the OS and APIs. So I wouldn’t say the word “moving.” ;-P All the same stuff will be there in one way or another… with the same exploits, only with bandages over the known ones. If there was ever a case where a developer needed to tear it all down and start over again without backwards compatibility, this is it… …and it will never happen.
I am forced to agree with those who say that Microsoft will eventually be its own downfall. I just don’t want to wait as long as it will take for their dominance and influence to pass.
I think this has to do with the pervasiveness of networks now. A couple of years ago it might not have been feasible to issue patches on a weekly basis. Most people still relied on CDs to get the latest service packs, and sending out six or seven CDs every week is just not economical. Now people just download updates from the Microsoft website as needed.
RPC is a core module of the operating system. It’s not a feature, unless you’re the type of person who considers built-in TCP/IP stacks and GUIs to be unnecessary “features.”
As for locking down the operating system, check out Win2k3 Server; plus they also have a baseline security manager which will scan your system for security vulnerabilities. I read somewhere that MS is having IBM programmers look through their code.
The reason Microsoft will never be secure is because they use their software to exploit their customers. And whether it’s to use their software for advert delivery, upgrades, to spy on them, or other stuff, Microsoft values milking every possible penny out of their products so much that security will always be a joke, since it would inhibit their exploitation.
Big Monopolies are like Big Government: they both move too slowly to effect change when it needs to be done, which is before others realize that there needs to be change. Anyway, Japan, Korea and China are all teaming up to replace Windows in Asia. Possibly they might use Linux or a BSD replacement or even come up with something unique, but MS’s days are for sure numbered in Asia.
Sorry MICROS~1, I’ve already moved to a different platform.
“It always suprises me that the average Linux user seems to know more than professionals, people who did studies on this matter, who know what they are talking about.”
It depends on what kind of ‘professional’ we’re talking about here. If you’re talking about someone who actually ran a study, then it is quite possible that they have at least some grasp of the situation. That doesn’t mean you can’t take them to task for starting from faulty conclusions, or using bad methods to get their results. As much as we don’t want to believe it, trained scientists or whatever are just as human as anyone else – and humans make mistakes.
But if you’re talking about articles from reporters – please don’t include the “know what they’re talking about”. Certainly some do, but just as certain is that there’s a large number who have only a superficial understanding of the issue. Much of any story just comes down to the reporter asking the opinion of someone whose knowledge they can’t properly evaluate, and then sending that back to the readers cloaked in the reporter’s own bias.
>>>One of the biggest reasons I am such a big fan of the three free, open source BSDs is that the BSD developers understand the need for proper quality control.
>>>OT: I am also a fan of the idea of making software vendors legally responsible for the security and safety of the code they distribute, especially when that software ends up in cars or hospitals, banks or government institutions.
The thing is that BSD makes changes on a slower scale, much slower than Linux. Mission-critical OSes like QNX (which are used in nuclear power stations) only make changes once every 10 years (QNX 2 in 1981, QNX 4 in 1990 and QNX 6 in 2000). Sure, you can make Microsoft legally responsible for security and safety; they’ll just update their OS once every 10 years. But the problem is that the average Joe wants an OS update every 3 years.
“The thing is that BSD makes changes on a slower scale, much slower than Linux.”
It seems as though you haven’t actually used BSD lately. The packages in FreeBSD for example are more up to date than are the ones in say, RedHat.
On the kernel front, you’ll see hits and misses on both sides. FreeBSD is playing catchup in the areas of SMP and kernel threads (and will be at least on equal ground very soon, like in a month or three). Linux on the other hand will always be playing catchup to FreeBSD in the areas of stability and VM performance. (Which VM are you using today?) Let’s not even get into security or portability. Linux loses. BSD wins.
“Mission critical OS’es like QNX (which are used in nuclear power stations) only make changes once every 10 years.”
You seem to be forgetting about “point releases”. And one of the reasons that QNX is used is because damn near everything is in userspace instead of in kernel space, allowing most of the OS to be preemptible. If a filesystem driver chokes, it’s restarted without the OS going down. This is better than Linux, Windows and BSD. It was very well designed from the beginning in such a way that it *DOESN’T* require more frequent updating. We are all playing catchup there.
“Sure, you can make Microsoft legally responsible for security and safety; they’ll just update their OS once every 10 years.”
Doubtful. They’d just be more careful about what they threw in there, and wouldn’t be so careless as they are now. They might also consider updating the retail boxes every time a service pack comes out. Same time scale as service packs today.
“But the problem is that the average Joe wants an OS update every 3 years.”
That would not be a problem, as far as I see things.
NetBSD and OpenBSD are on a much slower scale than FreeBSD — and therefore NetBSD and OpenBSD have fewer problems than FreeBSD.
I am just using the time scales as a rough illustration. The software in the space shuttle has remained the same for 30 years. There were only 2 new “minor” features added — the glass cockpit and linking their systems with the GPS satellites.
RedHat enterprise edition is lengthening their distribution cycles.
Of course I am giving you an extreme example of 10 years between releases. But Microsoft’s next desktop OS (longhorn) won’t be released for another (at least) 2 years. That’s a 5 year OS cycle. That’s probably the longest the average consumer is willing to accept a balance between code safety and new OS releases.
There’s no real (technical) reason why minor OS releases shouldn’t be made even once a year, with no pressure to upgrade more than once every three.
The fact that reality seems to oppose my point of view is due to the efforts of corporate software makers and those that emulate them because they’ve known no other way. I’m sure that you are aware that in the free and open software world, releases are done much more in tune with my view of the way things should be.
As for OpenBSD and NetBSD being slower to evolve than FreeBSD, I’d have to say look again. NetBSD also is working on a similar kernel threading infrastructure to FreeBSD’s, and OpenBSD tends to keep pace with NetBSD. I am currently playing with OpenBSD 3.3, and I can tell you that it is quite nice and up to date. Admittedly kernel threads and such aren’t as advanced as in the other two and in Linux, but they are there. Remember, both your and my favorite OSs are playing catchup to OpenBSD in terms of security and in overall software quality.
On this particular machine (AthlonXP 1600+, 512 MB, nVidia GeForce 4 64 MB, 40 GB HD, 160 GB HD /home) OpenBSD took 3 minutes to format, 2 minutes to install the base system, and about 5 more minutes to set up KDE 3.1, Gnupg, Emacs and a small number of other things. All of my various devices were supported out of the box, requiring *no* configuration, and now here I am working as if I were still using my native (tweaked) FreeBSD. It was released in May of this year, and it (so far) requires two patches, totalling 5KB. Sweet.
You really should try these things on your own machines, or on a friend’s failing the ability to do the first. You’d be in a better position to make such arguments. All I can say is that overall, the rate at which the BSDs and Linux are evolving is roughly equivalent, with only the specialties of any given project providing misleading indications counter to this general fact.
Microsoft should not be shipping Longhorn in 2005 without selling an updated Windows XP in the mean time, and they are in this bad place because they are taking on too much at one time for their supposed next release. Not to mention the fact that licensing 6 will come back to bite not only those who fell for it, but also Microsoft themselves for having nothing there for the poor folks to upgrade to.
The real, underlying problem that Microsoft never addresses, only applies a band-aid to, is that all of its programs can execute scripts and macros. VBA was the beginning of the modern virus; thank you, Microsoft, for building it into every Office application. Thank you, Microsoft, for making both of your email clients able to auto-execute scripts that mail themselves to everyone in the Windows address book… something that has been going on for years yet you seem to be unable to stop. Why? Mozilla Mail, Eudora, Apple Mail, Evolution, KMail: they don’t seem to have this problem at all. They never have. Why did you build the ability to execute scripts into Windows Media Player and the WMA and WMV file formats? So your “partners” could sprinkle DRM all over them and pop up advertising in my face while I’m trying to listen to a song? Thanks. This mindset of yours, which has been going on since the ’80s when you announced that your intention was to make every program have its own built-in programming environment, has created a huge mess that the entire world is still being affected by on a regular basis, yet you refuse to change this approach to software design. It needs to stop, and if you refuse to stop, then we will stop using your software. I already have, and so have many others I know. If you don’t change your ways, we’ll change them for you, with our wallets and our words.
“No software can ever be truly secure,” he says. “Mistakes can never be eliminated.”
While a short article, this is probably the best line in the article…
Microsoft has been making this claim for a long time. And just think, they are going to be integrating IE directly into the OS, which will add those security issues there and probably introduce more security issues. No matter what M$ tries to do, they just seem to come across more and more security issues.
This is why I use Mac OS X & Mandrake Linux more than I do Windows XP Pro now. I only use Windows when I’m required to for my classes. Microsoft just has plain bad software design and bad ideas about how to add features and integrate everything, so as to introduce many security flaws.
All I can say is the day M$ actually seriously addresses their security issues, pigs will fly and turtles will tap dance. All M$ knows how to do is fiddle around with other people’s software they buy and make it their own, and they don’t even do that very well.
“Big Monopolies are like Big Government: they both move too slowly to effect change….”
“Anyway, Japan, Korea and China are all teaming up to replace Windows in Asia. …. but MS’s days are for sure numbered in Asia.”
How is the biggest government (China) in the world going to bring down Microsoft? According to you they should be slower than Microsoft.
“And by being the biggest, Microsoft has a huge target painted on its back.”
Gosh, I wonder how many times we’ve heard this crap. Coming from a so-called security expert, that statement surprises me. With the wide spread use of the internet, any computer connected to it becomes a potential target. If hackers can exploit a vulnerability on that machine, they will, no matter what OS it runs.
The whole Longhorn hoopla is becoming tiresome. Those who are really interested in writing secure and reliable code simply do it. They try to explain which new features they’re going to add to their product and when ready, they release it (for instance, OpenBSD 3.4, in two months). They don’t waste reporters time by talking of a ghost that may come to life in a distant future.
Same here. Tired of viruses and corrupted TCP/IP stacks that needed Windows reinstallations, I switched to Linux. Never a problem since then.
A.) It’s not just China, and it’s more than making a Chinese or Asia-based OS for themselves. For countries outside the U.S. it has to do with national security. Of course one could argue that they should have done this a few years ago instead, and so yes, they did move very slowly compared to companies which switched to Linux a long time ago for security reasons as well.
B.) They can easily outsource to smaller companies and support their development like they did with their MS Office replacement.
C.) MS was/is blinded by greed, and giving China a peek at their source code was not a good idea.
Haha, this reminds me of something. Remember back in the ’50s–’80s when the Big Three automakers had a hold on the auto industry? Their lack of progress, innovation and safety eventually led them to losing half their markets to the Asian companies. They were dominant in the auto industry for 50 years before finally relinquishing market share.
It looks like it will be the same for Linux; it might take another 50 years before we see Linux having 50% of the desktop. Hopefully. By that time most of us pro-Linux users will be in our graves. lol
My main os is linux for quite some time now, I have a dual boot with win98 for just in case… and for the sake of some games but other than that, windows – no thank you
I don’t think that the average user expects an OS every 3 years. The average user would prefer to have a solid product and not to update every 3 years for features that she/he is not going to use anyway. The only reason for the update would be compatibility… that just sucks…
One can only hope that they delayed the release of Longhorn to make it more solid and secure… but the history still has a bad habit of repeating itself…
It is not true that because Microsoft has focused on ease of use, they haven’t been able to write secure software. I don’t see any link between the two. MacOS X is presumably very easy to use, yet its vulnerabilities don’t lead to global disasters (I’m too broke to own a Mac, that’s why I wrote “presumably”).
Moreover, it is often said that thousands of people are hired by Microsoft each year. Although these are part time workers, they represent quite a pool of valuable resources that could be put to good use.
“If a filesystem driver chokes, it’s restarted without the OS going down. This is better than Linux, Windows and BSD. It was very well designed from the beginning in such a way that it *DOESN’T* require more frequent updating. We are all playing catchup there.”
If a file system driver chokes, other than when you’re doing development and debugging, I think your OS has deep issues to deal with.
“I don’t think that the average user expects an OS every 3 years. The average user would prefer to have a solid product and not to update every 3 years for features that she/he is not going to use anyway. The only reason for the update would be compatibility… that just sucks..”
Exactly. It’s only Microsoft who’s interested in releasing new products every 3 years or so. If all they did was release 1 every 10 years and release service packs over that time, they’d most likely be in the hole because they couldn’t meet their financial requirements to shareholders.
“But that’s something the company is trying to change.”
Right. And I’m richer than Bill Gates. (I’m not even worth a million, so it isn’t close.) If MS made chairs that equaled their security efforts, they would make wobbly chairs with only half a seat to sit on.
Be VERY glad that MS isn’t in charge of airport security, software for airplanes, etc. because a lot more people would be dying every day.
> It always surprises me that the average Linux user seems to
> know more than professionals, people who did studies on
> this matter…
I suspect you’d be surprised if you knew the qualifications of some of the “average Linux users” who post to this site.
Aside from that, active users of a given product or OS tend to know a lot more “real” information about it through their extensive firsthand experience than folks who know it only from occasional light use (or those who know it indirectly via reviews written by others and have never actually used it at all).
Many of those who set themselves up as industry pundits and speak on technical issues in the press really *aren’t* very well qualified to do so, relatively speaking, at least when compared to the many folks reading these sites who either write software or admin systems and networks for a living. Some of the technical issues we see as important are much more than just theory; they sometimes make or break the viability of the systems we maintain every day…