Is Microsoft to Blame?

[mikmik]

15 Seconds
A year ago, if you put an unprotected machine on the Internet, it would be attacked within 15 minutes. Now it's 15 seconds.
Source: Symantec.

Is Microsoft to Blame?
All modern software has bugs—lots of them. That goes for Windows, Linux, Mac OS, and any other operating system or application you can think of. Part of the problem is that regardless of how many developers are working on a software tool, and no matter how clever they are, they can't possibly anticipate each and every way someone could attack it.

"Just as you can't stop all bank robberies, you can't stop all software attacks," says Gary McGraw, coauthor of Building Secure Software and chief technology officer at Cigital, a firm that helps improve software security at several Fortune 500 companies. "In any field," he adds, "security is about risk management."

In the software business, however, there are two additional problems: First, modern software is often so complex that developers have trouble understanding exactly how it works, much less how someone could attack it. "Software is the most complicated artifact that we build as a species," posits McGraw. "Something like Window XP includes 40 million lines of code. How many people do you need in the room before they understand all that?"


Second, today's code is built atop yesterday's code, because everybody wants compatibility with old apps and old OSs. When those old apps were written, before the rise of the Internet, when viruses spread like molasses, on floppy disks handed from person to person, the average PC wasn't exposed to outside threats. It didn't have the same need for secure software.

Clearly, Microsoft has a difficult task on its hands. But so do its competitors, and their software isn't attacked nearly as often. Does this mean that Windows is somehow less secure? Maybe, maybe not

....

Who's right? Proponents of the different operating systems will probably never agree, but a recent Forrester Research study seems to support Gates's claims. Between June 1, 2002, and May 31, 2003, the study says, security experts found more flaws in each of the four major Linux offerings than in Windows. In that time, for example, 286 flaws were found in Debian Linux, and only 128 were found in Windows. Forrester didn't track flaws in Mac OS or other operating systems, but at least when compared with Linux, Windows seems to be more secure

...

"The fact that dedicated hackers working around the world are able to find security holes in Windows does not mean Microsoft is at fault," says Ian Ballon, cochair of the intellectual property and Internet practice group at international law firm Manatt, Phelps & Phillips and also the executive director of Stanford University's Center for E-Commerce. "It's like suing the New York City fire department for injuries arising out of 9/11."

[mushroom]

The original concept that windows was an OS for the home user is the root of the problem, back then there was no internet and security was sacrificed for ease of use. now all windows users have to pay for this lack of vision.

[mikmik]

Haha, hey mushroom. I found that late last night :O)

The conclusion of the article does state that Microsoft FAILS in their responsibilities!

Also, IE and Outlook Express are inately tied to the OS and there are some serious problems there, no doubt about it. The fact that these client apps are so weak needs to be stressed, and that it takes user knowledge and responsibility to fix is a large shortcoming.

The immense difficulty of controlling the windows scripting host, and stopping mintrusions from hooking to exe and com calls is also overlooked.

This makes windows less user friendly than I used to think.