Is Microsoft to Blame?
All modern software has bugs—lots of them. That goes for Windows, Linux, Mac OS, and any other operating system or application you can think of. Part of the problem is that regardless of how many developers are working on a software tool, and no matter how clever they are, they can't possibly anticipate each and every way someone could attack it.
"Just as you can't stop all bank robberies, you can't stop all software attacks," says Gary McGraw, coauthor of Building Secure Software and chief technology officer at Cigital, a firm that helps improve software security at several Fortune 500 companies. "In any field," he adds, "security is about risk management."
In the software business, however, there are two additional problems: First, modern software is often so complex that developers have trouble understanding exactly how it works, much less how someone could attack it. "Software is the most complicated artifact that we build as a species," posits McGraw. "Something like Windows XP includes 40 million lines of code. How many people do you need in the room before they understand all that?"
Second, today's code is built atop yesterday's code, because everybody wants compatibility with old apps and old OSs. When those old apps were written, before the rise of the Internet, viruses spread like molasses, on floppy disks handed from person to person, and the average PC wasn't exposed to outside threats. It didn't have the same need for secure software.
Clearly, Microsoft has a difficult task on its hands. But so do its competitors, and their software isn't attacked nearly as often. Does this mean that Windows is somehow less secure? Maybe, maybe not.