Forgot your password?
typodupeerror
Windows Operating Systems Software Microsoft Security

Microsoft vs. Computer Security 439

Posted by Zonk
from the looking-for-the-right-tactic dept.
ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue.
This discussion has been archived. No new comments can be posted.

Microsoft vs. Computer Security

Comments Filter:
  • by Anonymous Coward on Tuesday January 10, 2006 @06:41PM (#14441514)
    Some kind of anti-microsoft site?
  • It's no secret... (Score:3, Interesting)

    by gbulmash (688770) * <semi_famous@y[ ]o.com ['aho' in gap]> on Tuesday January 10, 2006 @06:42PM (#14441523) Homepage Journal
    Their conclusion about why it's plagued with problems: Too many Microsoft programs that have too many direct hooks into the OS to make them play well together (i.e. Media Player, IE, Word, Outlook, MSN messenger, etc.).

    Their solution about how to shore it up: don't use IE, Media Player, Outlook, etc.

    I hate to sound like a kid, but DUH!

    Given, I use Firefox, Thunderbird, and other non-Microsoft programs because I like them better and they tend to work better, but the fact that they're less likely to compromise my system is also a consideration.

    Note, though, that I say less likely. We have had bug/security fix releases of Firefox and there was a brouhaha with the GreaseMonkey extension inducing a vulnerability, BUT for the most part it seems the fixes were less frequent than with IE-related patches, plus they usually only compromised the browser, not your whole PC.

    That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC.

    - Greg

    • Re:It's no secret... (Score:5, Informative)

      by toadlife (301863) on Tuesday January 10, 2006 @06:49PM (#14441595) Journal
      "That's the big problem with many of the Microsoft glitches. They're not limited to the vulnerable Microsoft application. The vulnerable app provides a gateway for compromising the whole PC."

      I would like to know where everyone heard this crap, and why they keep repeating it vebatim., because it's a bunch of bullshit. Flaws in Microsoft products have no greater danger than equivalent flaws in any other Windows application.

      A remote code execution flaw in IE executes code with the users rights, and therefore gets access to what the user has access too.

      A remote code execution flaw in Firefox executes code with the users rights, and therefore gets access to what the user has access too

      There is no special conduit that Microsoft apps have to the windows kernel or any other windows system object.

      If you browse the web using firefox while running as administrator and you get hit with an exploit that exploit will have full access to your system.
      • Re:It's no secret... (Score:2, Informative)

        by drinkypoo (153816)
        Hey, at least this guy wasn't claiming that IE was in the kernel, like the last slashbot that decided to argue with me about how Windows is put together...
      • Yes, it seems that the biggest problems with desktop security seem to be:
        1. Defaulting to run as administrator, and the defective programs that require this behaviour.
        2. Lack of user eucation.
        3. Lack of testing of software to verify behaviour when passed unexpected input.
        4. The ability to include arbitrary code (not just sandboxed code) in file types that shouldn't.
      • Re:It's no secret... (Score:5, Informative)

        by pete-classic (75983) <hutnick@gmail.com> on Tuesday January 10, 2006 @07:55PM (#14442059) Homepage Journal
        Microsoft has a long history of secret APIs used only by their applications. I remember some sort of hubbub about this around '94 when they were taking over the office suite market.

        More recently the DOJ at least accused Microsoft of using secret APIs in support of IE, Messenger, Media Player, and Outlook Express.

        I don't necessarily think that you are wrong, but the situation is certainly not as cut-and-dried as you seem to think it is.

        -Peter
      • The biggest problem that Windows has ,IMO, is the lack of a secure user system. They give you all of two options for users in XP; Administrator, and Limited.
        Administrator has full control of the computer and unlimited access to the registry
        Limited has next to no control over anything besides just "using" the computer.

        There is no middle ground, no permission system on comparable grounds to Linux. I run as Admin on my Windows box primarily due to the fact that I don't want the hassle of logging out ever

    • by StikyPad (445176) on Tuesday January 10, 2006 @07:03PM (#14441692) Homepage
      I hate to sound like a kid, but DUH!

      Don't worry, we stopped saying that years ago. Now it just makes you sound old.

      -Kids

    • The real problem is that MS has a billion trillion gazililon lines of code to maintain and retrofit with "secure" code. Much of this code was written in the days when security was an afterthought and bugs were treated as an annoyance, rather than a threat.
  • by Ckwop (707653) * <Simon.Johnson@gmail.com> on Tuesday January 10, 2006 @06:44PM (#14441549) Homepage

    Computer security will get worse before it gets better. It's the second hardest problem in computing, coming second only to DRM; which is provely impossible to do properly.

    The problem comes from many quaters: some theortical, some practical, some managerial. For example:

    1. We know that it is possible to write secure code in any language and we also know it is possible to write insecure code in any language.
    2. We know that people are generally more prepared to pay for features than security but features are the enemy of security. The more features you have, the more code-paths you have and the more chance that you have a defect in any one of those paths.
    3. We know that schedule pressure leads to crappy code and crappy code breeds insecurity.
    4. We know that the attacker only needs to find one attack that works. We have to defend against all attacks..

    I could go on for quite sometime.. the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more. If we could just get rid of the overflows that would be a good start!

    Simon

    • by pHatidic (163975) on Tuesday January 10, 2006 @07:03PM (#14441695)
      the point to appreciate here is that it isn't all Microsoft's fault but they could do a whole lot more.

      Actually it is all Microsoft's fault. Whether or not they deserve to be villified for it is another issue. But consider the following:

      1) They don't fix bugs they know about so they don't break compatability with programs that rely on the bugs.

      2) They don't submit their code for review by the public.

      3) They don't follow security best practices, like turning off services by default.

      4) They make their OS less secure by obfuscating design to make it difficult for competitors.

      5) They use propriety data formats.

      6) They alter the OS to make it work with their programs instead of designing a solid OS so that anyone can make programs run with it.

      etc.
      • They don't fix bugs they know about so they don't break compatability with programs that rely on the bugs.

        Unless the bugs are vulnerability vectors this is called 'doing business'. Unlike FLOSSies, software companies write code for profit and part of that means finding workarounds for stupid design mistakes (like using undocumented internals) made by other companies that write software for your platform. Breaking some shareware author's tray icon is not the same as killing Photoshop or Lotus Notes. Read R

        • You're confusing the layers, there. There are parts of Windows that Microsoft WANTS people to use, and those are reasonably clear. Then there are those part that Microsoft doesn't want people to use, and those parts ARE obfuscated. I only need name 2, ".doc" and "ntfs", both under vigorous attempts to reverse-engineer ***for the legally protected purpose of interoperation*** by third parties, for YEARS, with only marginal success.

          Arguably, a clearly, concisely, well-defined data structure or format would al
        • by mrsbrisby (60242) on Tuesday January 10, 2006 @08:30PM (#14442310) Homepage
          They don't fix bugs they know about so they don't break compatability with programs that rely on the bugs.
          Unless the bugs are vulnerability vectors this is called 'doing business'. Unlike FLOSSies, software companies write code for profit and part of that means finding workarounds for stupid design mistakes (like using undocumented internals) made by other companies that write software for your platform. Breaking some shareware author's tray icon is not the same as killing Photoshop or Lotus Notes. Read Raymond Chen's blog, you'll be surprised at what lengths they go to to cater to the likes of Symantec, Corel, etc.

          They often become vulnerability vectors, and it is admittedly difficult to take a company seriously that says that they are interested in making a secure system when they cannot even factor that into the "cost of doing business".
          They don't submit their code for review by the public.
          That's a nice philosophical point, but philosophical nonetheless. If I follow your logic then Firefox would have had zero vulnerabilities the day it was released, and that's not the case now, is it? The "many eyes no bugs" mantra goes south in a hurry when you have a 10-million line codebase and a few hundred actually qualified people looking at it.

          Post hoc, ergo propter hoc: One doesn't follow the other.

          Having the code available means a larger number of people can find vulnerabilities and a larger number of people can contribute fixes. It does not follow that a less vulnerabilities will be found, although it might follow that a less number of vulnerabilities will be exploited.

          However, it may also be that the reason a less number of vulnerabilities are exploited are due to the lower deployment size.

          Consider then Apache which has a larger deployment than IIS but fewer critical vulnerabilities.
          They don't follow security best practices, like turning off services by default.
          They didn't, but they do now. Server 2003 ships seriously locked down.

          That's still under debate, although I suspect you'll refer to your first argument for rationale.
          They make their OS less secure by obfuscating design to make it difficult for competitors.
          Yes... no one writes applications for Windows because its design is "obfuscated". Yes.

          Very few people write applications that directly compete with Microsoft.
          They use propriety data formats.
          There you go again with the philosophy.

          By having additional lockin, Microsoft surely makes it harder for people to compete with them. This does indeed represent a security risk because formats, when understood, can reveal a great deal of information about the programs that interact with them.

          In general programs that parse more, tend to have greater bugs.

          By intentionally attempting to make their formats more complicated, they have certainly blocked compatability, but they've also decreased security by (again) making their software more complicated.
          They alter the OS to make it work with their programs instead of designing a solid OS so that anyone can make programs run with it.
          First you complain on (1) that they don't fix bugs to avoid breaking applications and now you postulate that they break compatibility whenever they feel like it so that it works only with theirs. Which is it?

          The parent doesn't postulate that at all. You are again exhibiting faulty logic.

          By altering the operating system to meet the needs of the applications, they are introducing more parallel, nearly identically developed subsystems, all with increased potential for bugs. This does indeed cause security problems.
      • If there had been a provably correct design from which the coders operated, OR if Microsoft had elected to spend the time reverse-engineering a design, then getting it into a provably correct form, then re-implemented Windows from that design.

        You can create bullet-proof software in a totally proprietary fashion. The problem is that bullet-proof code requires far more designers and coders than most companies can throw at the problem. Open Source is good, from that perspective, in that a single company doesn'

      • 1) They don't fix bugs they know about so they don't break compatability with programs that rely on the bugs.

        Examples?

        2) They don't submit their code for review by the public.

        That's the nature of a company that is closed source. As has been pointed out many times before, there is no concrete evidence that having the source be open results in greater security.

        3) They don't follow security best practices, like turning off services by default.

        They certainly didn't used to, but they do now. Take a look at their
    • True enough (Score:5, Interesting)

      by jd (1658) <{moc.oohay} {ta} {kapimi}> on Tuesday January 10, 2006 @07:17PM (#14441791) Homepage Journal
      However, there are usually solutions. At least, to parts of the problem. The use of formal methods will mean that you can eliminate (almost) all bugs caused through design and makes it easier to validate code for bugs caused through implementation. Unless you also write the compiler (or have access to a formally-written compiler), it is much harder to validate that the binary is correct.


      It was noted elsewhere that Microsoft spends six billion a year on R&D. If they hired mathematically-inclined software engineers at 100,000 a go, they'd be able to keep a small army of 10,000 such programmers. You can probably reverse-engineer a specification, prove, then re-engineer the code for about 10 lines an hour. Assuming a 40 hour week, that means they could formally re-engineer 208 million lines of Windows per year. Even with all of the standard applications, libraries and utilities, the team should have an iron-clad damn-near-bugproof Windows within 2-3 years. It wouldn't cost them any more than they're already burning on patents for stuff nobody else cares about, and would save three times the total cost of the bugs to the country within a single year.


      The overflows are easier. You compile all the applications with something like ElectricFence, dmalloc, or some other debugging malloc. A few tests at Microsoft should then collect a lot of the overflows. You then recompile such that the debugs won't cause fatal errors but will still generate alerts. You have the Windows error reporting tool collect all those alerts and either notify the user at the time & allow them to send, or send in bulk on the next major error. Microsoft can then fix the overflows BEFORE someone exploits them, because the odds are high that they'll be accidentally triggered long before any black hat learns about them. If only because there are several hundred million users, and most will be trying to do things that are impossible or - at the very least - seriously warped.


      Of course, they could also get a copy of the Stanford Code Validator, or even just download a copy of splint off the Internet. Both would pick up the majority of coding errors and allow Microsoft to fix them.


      Regardless of which of these solutions is used, a company the size of Microsoft should be able to completely and utterly clean their software of 98%-99% of its defects within three to four years. As the article noted, it has now been over four years since the proclamation of taking security seriously, but yet there is no sign of any kind of rigorous campaign to really erradicate faults. Rather, there seems to be much more of a campaign to make users more accepting of the fact that there are faults.


      Not everyone can guarantee 99% fault-free software within a reasonable timeframe. There aren't the mathematician/software engineers, for a start. However, maybe it would be possible to have a standards authority that could certify a software product as "mid-grade" (50% bug-free), "high-grade" (75% bug-free) or "mission-critical" (99.99% bug-free). Software providers could elect whether or not to be certified and consumers would then be free to decide how much quality they want to pay for, because they'd know how much quality was there. Consumers would also be in a stronger position to interpret the lack of such certification.


      Thoughts?

      • Re:True enough (Score:3, Interesting)

        by Dalroth (85450)
        Thoughts? Yeah, I've got one: you're completely cracked and have never done any real world software development.

        Even IF you're completely unfounded speculation had any basis in reality, you ignore the fact that every line of code changed has the potential to impact other parts of the system. You fix one bug here, another bug pops up there. You go there and fix it, and another pops up elsewhere. The more code you have, the worse it becomes. No person on this planet can keep 200million lines of code in
      • Re:True enough (Score:3, Interesting)

        by Coryoth (254751)
        Thoughts?

        Well I'm not really so sure about your quoted time frames for "re-engineering" Windows - in practice it would porably be easier to start from scratch using best practices from the outset (like, say Singularity [microsoft.com]). One point does stand out though:

        Not everyone can guarantee 99% fault-free software within a reasonable timeframe. There aren't the mathematician/software engineers, for a start. However, maybe it would be possible to have a standards authority that could certify a software product as "mid-g
    • DRM is like Thermal Nuclear War. The only way to win is not to play at all.
  • by biocute (936687) on Tuesday January 10, 2006 @06:44PM (#14441552) Homepage
    The article is advising people: "Besides avoiding Microsoft products, one way would be to use substitutes whenever possible. If you run Windows or the upcoming Vista, use a different e-mail program, browser, and/or media player than the ones that come in the box. Stay up to date on patches and anti-virus software."

    I thought most importantly users should be responsible enough not to simply click on or open anything in front of them.
    • by Soko (17987) on Tuesday January 10, 2006 @06:57PM (#14441653) Homepage
      I thought most importantly users should be responsible enough not to simply click on or open anything in front of them.

      Ummm... the recent WMF vulerability needed no user interaction, other than visiting a web page or getting an e-mail with a "specially crafted" WMF file disguised as a .JPEG or .GIF file. It wouldn't matter which program accessed the file either - the OS would bypass the extension based MIME type and treat the file as a .WMF anyway, complete with being able to execute code, as WMF files are able to do by design. IOW, there was very little defense for an end user, unless you knew what sites had these files in advance. Users are usually the weakest link in the chain, but not always.

      Your first bit of advice was correct - security is a process, not a product, and as such needs to be maintained and thought out in advance. I'd add "Educate users why people want into thier machine and here's how they get in" to the list too.

      Soko
      • Actually, Windows does very little in the way of handling MIME types, so it really does depend on the application. If your image viewer uses the file extension, then a WMF disgused as a GIF or JPEG would just produce an error along the lines of "Bad GIF file."
        The WMF vulnerability only affected applications that used the Windows GDI built in WMF rendering API. Other WMF renderers (there are a few) were not affected (at least not in the same way.)

        And since when did CAD programs use WMF format?! I've never se
        • Quite a lot, actually. I'm going back to AuoCAD 13, but it would save a .DWG as a WMF for you so you could paste your drawing into Word. IIRC, the .WMF format was essentially a dump of what was on the clipboard, and the clipboard in Windows 3.11 and 95 couldn't handle some larger CAD files as metadata, hence .WMF files.

          And thanks for the clarification regarding MIME types, though the effect is still the same.

          Soko
  • will be under these kind of attacks all the time. Geeks, like everyone else, wants to stick it to the man. The man in this case is Gates and Windows. While this does not excuse the flaws and lack of attention at times, it does present another angle. To make a OS as robust as windows without things like this happening is hard to imagine honestly. If Macs were what windows is today, the story would be the complete opposite I assure you. You see the SAME thing in popular games as well. The most hacked games
    • And of course, you have an explanation for the fact that before Microsoft had such enormous market share (check here: http://www.osdata.com/kind/history.htm [osdata.com] : computer history DID NOT begin with MS-DOS), security holes were virtually unknown?
    • If popularity were truly what dictated worminess, Apache would have been overrun long ago.
      • It's not popularity per se, it's really a desire to do harm to something geeks believe did not earn its popularity honestly. I think it's also a sort of "not invented here" syndrome as well. Geeks want their creations to succeed at the cost of all others.
        • It's not popularity per se, it's really a desire to do harm to something geeks believe did not earn its popularity honestly.

          I'd point out that the majority of geeks who code Windows viruses are Windows geeks, and the majority of geeks who genuinely loathe Microsoft mostly use a UNIX variant - either Linux or one of the BSDs. Are you seriously suggesting that there's a large number of Linux geeks who are buying Windows, investigating the grisly depths of the Windows API at painful length and wasting their

    • by twitter (104583) on Tuesday January 10, 2006 @07:37PM (#14441940) Homepage Journal
      Geeks and Nerds sticking it to the man, is that what's wrong with Windoze? Is that who's running all of these porn and pill advertising spam serving botnets? I don't think so. Wouldn't a better way to stick it to Bill Gates be to cripple M$ corporate or it's "Partners" like CompUSA? Wouldn't people who really want to stick it to the "man" be attacking banks and institutions, you know, the one's who run LAMP without problems but get creamed running IIS.

      The popularity argument is pure bullshit. Non Microsoft runs most of the web and anything that's mission critical. Those foolish enough to try making M$ do things live to regret it and it has nothing to do with popularity, Geeks and Nerds but everything to do with marketing and crappy software. Apple, Sun, Linux and every other kind of software works better and non have had the kind of automated worm problems M$ has.

      From the above, you can imagine that the functionality and features excuse is also bogus. Operating systems robust enough to provide services over the network can also be made with pretty GUIs that are equally robust. There is nothing a Windoze user can do that I can't do better with free software and many things that I can do that they can't without lots of effort and money. I share my classwork with anyone who's interested and I share my music and movies with myself without any of the problems Windoze users suffer just connecting to a network, reading their email or browsing the web.

      When is the big Linux worm coming? Never, thanks to the diversity of excellence that a truly free market for software provides. Free software writers also don't make the mistake of mixing content with executable code, unless they are copying someone else's bad implementation for compatibility sake. Still everyone makes mistakes but that still won't do to free software what it does to M$. As an example, imagine Firefox had a problem. It would get about 1/3 of GNU/Linux users. Why? because the rest of them are using other browsers and all of them can stop using the browser with a problem until it's resolved one or two days later. Because Free Software is all about code, binary problems don't automatically propagate across distributions. A Red Hat exploit might not work on Debian and probably won't on Gentoo and won't do anything to a BSD box. The Free Software fix is always easier too. When things go wrong on a free software box, the user downloads the latest and greatest to fix it. The worst case is a rebuild, which preserves all user data and takes less than 20 minutes. In the Windoze world, the user takes out their "original CDs" or blows a few hundred bucks at the computer store for software that's at least two years old and probably has the same problems. Things are much much more difficult for crackers outside of the M$ monoculture of binary crap.

    • Yeah, same way that Apache, various open-source operating systems, and various open-source databases have had so many more widely-exploited bugs in the last 5 years... you know, because Linux, Apache, and MySQL (for example) drive so many more websites than IIS, Windows, and MS-SQL... oh, wait, THAT'S COMPLETELY WRONG. Windows has LESS market share and MORE exploits. Hmm, I wonder why... You know, maybe, juuust maybe, is it possible that Windows is not designed that well from a security standpoint? And UNIX
    • by bersl2 (689221) on Tuesday January 10, 2006 @09:03PM (#14442541) Journal
      To make a OS as robust as windows without things like this happening is hard to imagine honestly.

      "Robust" is not an adjective I would ascribe to Windows.

      If Macs were what windows is today, the story would be the complete opposite I assure you. You see the SAME thing in popular games as well. The most hacked games are the biggest and best, not because it is easier, but there are far more people attempting to exploit the system.

      Homogeneity is weakness. Stop being so damn homogeneous (x86, Windows, the most popular software, etc.), and start being more diverse (POWER, SPARC; Linux, *BSD; good but not most popular software; etc.); otherwise, you're just bringing this upon yourselves.

      I know that the herd mentality still affects humans' decisions, but please do try to balance your cognitive biases out.
  • saying != doing (Score:5, Insightful)

    by sczimme (603413) on Tuesday January 10, 2006 @06:46PM (#14441574)

    Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."

    Fair enough, but regardless of what is happening in the way of "new design approaches", the current installed base is the problem. The best ways to show dedication to the reduction of security issues would be a) rigorous code review + pre-emptive bugfixes and b) more rapid response to issues that are found elsewhere. There have been improvements, but the sum of the successes will not outweigh the sum of the failures.

    • Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."

      So, all technical arguments aside, Gates has failed to the achieve the managerial decision he has made.

      We geeks can worry all we like about the minutiae; Gates, as a manager and businessman, has failed to deliver.

  • FTA:"With the company's security problems still monopolizing the news, you might have expected that Bill Gates would address the vulnerability at the Consumer Electronics Show in Las Vegas. Instead, he boasted how Microsoft's new operating system, Vista, would extend the company's tendrils into your living room. Sure, it might be nice to connect your computer and your television set. But is it worth it to give hackers access to your television?" LOL!!! My prediction? One week after "tendrils" are extended
  • by ENOENT (25325) on Tuesday January 10, 2006 @06:53PM (#14441623) Homepage Journal
    From TFA: "...Microsoft is still the dominatrix of the desktop..."

    Yeah, baby. Tie me to your platform and make me pay.
  • SHOW ME THE MONEY (Score:5, Insightful)

    by halo8 (445515) on Tuesday January 10, 2006 @06:55PM (#14441637)
    tens of billions of dollars to clean up

    you know we as a tech community lambast the **AA whenever they (and the media) say a "hacker" did millions of dollars pirating

    why do we not do the same when crap like this gets printed?

    tens of billions? prove it, thats our job, thats what we do
    • by StikyPad (445176) on Tuesday January 10, 2006 @07:10PM (#14441742) Homepage
      Yeah, I started to make a similar post, but then I decided it wasn't so absurd. Probably on the high side, but it's not as much as it sounds like. 10M IT workers, even if they only averaged a salary of $100/day would be $1B. And that doesn't even factor in possible data loss which would result in users redoing their work.
      • And this is vs the claims of the RIAA/MPAA, who seem to do things like multiply the entire cost of making the movie by the number of copies that were distributed, or something equally absurd.
        • Right, but redoing work is certainly a loss, as is preventing work from being done. That's an actual damage, not a "potential loss" like piracy. Arguably, IT workers are already paid to maintain systems, so you could factor them out entirely.
  • The Only Thing... (Score:2, Informative)

    by Mad Ogre (564694)
    The only thing worse that "Windows" in the common OS versions in use... is the orphaned version of XP called "XP 64 bit edition" that doesn't work with all the tools normally used to resolve security issues. Many applications that we use here in the shop just flat dont work with 64. It looks like MS just took Server 2003 slapped an XP theme on it, and then broke all the strengths of both OS's. As a result, I've got a number of issues over here that I can't get resolved. As soon as I get a decent copy of t
  • by Nom du Keyboard (633989) on Tuesday January 10, 2006 @07:04PM (#14441700)
    Microsoft software bad.

    There, I've just saved you from having to RTFA.

  • So we should all switch to FireFox and Thunderbird because IE/Outlook are the most common browser/e-mail clients, and hence the biggest target. And besides, Microsoft can't write secure code.

    Except if we all do switch then FF and TB will become the most common browser/e-mail clients, and there's no reason to believe that Mozilla's coders are that much better than MS's. FF has gone through how many versions these last 12 months?

    • Re:Easy fix not (Score:5, Insightful)

      by drinkypoo (153816) <martin.espinoza@gmail.com> on Tuesday January 10, 2006 @07:37PM (#14441946) Homepage Journal

      Except if we all do switch then FF and TB will become the most common browser/e-mail clients, and there's no reason to believe that Mozilla's coders are that much better than MS's. FF has gone through how many versions these last 12 months?

      There IS reason to believe that Mozilla's coders are that much better; The most serious hole found in Firefox in some time actually ended up being a hole in Windows.

      FF has gone through more versions because they don't release incremental security patches, and because their code is subject to public review. Microsoft does release patches, meaning there are less versions, and their code is not subject to public review, meaning they fix problems only when someone finds one accidentally.

      Your arguments are universally specious.

  • I have never read a more scathing remark of Bill outside of /. :

    And the next time Bill G. promises to make software that is so fundamentally secure that customers never have to worry about it, ask him what decade he plans to release it.
  • It makes no comments as to why Microsoft stuff is any better or worse than anything else. There's no mention, let alone a comparison between Microsoft and Linux, Apple, or anything else beyond just a mere fluff sentence.

    But beyond that, my biggest issue is there are no FACTS in the damn piece. Everything is anecdotal. How are Microsoft product's better/worse? Why? By what measurement?

    All this article does is pick on Microsoft because it's the biggest and easiest target, so any flaws make the news. It's like
  • by Kozar_The_Malignant (738483) on Tuesday January 10, 2006 @07:22PM (#14441833)

    Microsoft made the choice to tie things closely to the OS. In particular, their Netscape killing plan was to essentially make IE part of the OS. Outlook also requires the presence of IE to render html mail, or at least it used to. Similar decisions were made regarding hooks to the OS for other Office programs. These decisions were made for reasons of competitive advantage over competing software such as WordPerfect and Lotus.

    The consequences of these decisions is an OS with fundamental security issues. Microsoft has an opportunity to change this with Vista, but I'm betting that they haven't.

  • by Anonymous Coward on Tuesday January 10, 2006 @07:24PM (#14441839)
    An insane amount of progress has been made on Windows security. Automatic updates ensure even the most retarded of end users has a chance of being patched, built in firewall has resulted in a significant chance of end users having a firewall, the security added to IE in SP2 has given a whole lot of protection.

    It doesn't matter who the dominant OS / company is, the biggest threat to security on anyones computers is the person sitting in front of it.

    You can't win a fight against ignorance, misunderstanding or plain stupidity. Microsoft has made some pretty damaging blows and that is commendable.

    I think it's time the end users' took just a little bit of responsibility for their security issues. It's callous to assume (and blame) Microsoft when so many 'issues' are avoidable with a little common sense.

    God help the *nix world if they ever get bundled with the masses of ill-informed, ill-prepared and irresponsible people who use Microsoft software.
    • God help the *nix world if they ever get bundled with the masses of ill-informed, ill-prepared and irresponsible people who use Microsoft software.

      Good point. But is *nix an operating system or a philosophy? Why has it spent the last 20 years losing market share to Windows? My guess would be that there are only so many people with the patience, curiosity and abstract reasoning to grok the philiosphy of "worse is better [jwz.org]".

  • by Anonymous Coward
    I like this whole "versus" thing. It encourages the idea that Microsoft is against or competing with the idea of Computer Security in general.
  • Their overall conclusion that MS products are still vulnerable to security problems is correct, but it is not accurate to suggest that Microsoft has done nothing to address buffer overflows. Now it is clear that they have not done all they could. Specifically, they have not started writing their applications in type-safe languages, and they have only recently starting trying to apply automated static analysis to detect buffer overflows in existing code (A technical report about their efforts can be found
  • Yeah they have... (Score:5, Insightful)

    by jofi (908156) on Tuesday January 10, 2006 @07:59PM (#14442088)
    As someone said, security is a process and not a product. But for those who bothered to look or care to notice, upgrade from 2000 to XP SP2 is more than eye candy. It is just that the hidden features are ignored by Slashbots and ignorant users alike.

    One thing to help would be a default account type in the Users group, and if currently an admin, switch your group to Users. Third parties need to fix their programs that requires more privileges (not necessarily admin) after the program is installed because of write access to system folders and HKEY_LOCAL_MACHINE. Vista fixes this, but if you ask me I think MS is only encouraging the bad behavior of alot of third party programs by providing this method of keeping non-compliant applications compatible with least privilege. (Keep in mind, there are a$$holes like Even Balance who purposely wrote their anti-cheat to require true admin privileges)

    Sure they have a firewall... you're screwed as admin because the code that launched can also create an exception for itself via netsh command or damn it all to hell and disable the firewall via "net stop". Malware does do this today, and sad how easy it was stopped.

    Don't want to run as non-admin? XP can run specified apps automatically with User privileges even if you are admin (and I am not talking about Run As with a lower privileged account). And for fuck's sake, don't take the default of "SYSTEM" for your apache or whatever server software services.

  • by Fortran IV (737299) on Tuesday January 10, 2006 @08:04PM (#14442131) Journal
    Actually the article is a lot of the same old "what's wrong," and darn little "why." Accurate enough, but nothing new—waste of a Slashdot posting, if you ask me.
  • by MickLinux (579158) on Tuesday January 10, 2006 @08:07PM (#14442154) Journal
    ... why Windows is still grappling with security issues. I'm not really sure that they are. Yes, they address them sometimes; but they aren't grappling.

    I tend to prefer the question, why are Windows customers still grappling with security issues?

    Relax. Don't worry. Be happy. Your daily stress will be less if the main server crashes.

  • Microsoft is no different than many other large publicly traded companies. They hire inexperienced programmers right out of college who have little or no programming experience background. These people wind up writing insecure applications that become widely exploited by external individuals, groups, corporations and the very programmers that Microsoft hired. Its hard to sit back and assume that these programming errors are indeed actual mistakes. A whole cottage industry has formed around these program
  • by innocence18 (897646) on Tuesday January 10, 2006 @08:17PM (#14442220)
    Sure Windows has gots it's fair share (and mayb more) of security problems. What I don't get is why it's a big deal that they release lots of patches to fix stuff. At least if they're releasing lots of patches that means they're doing some work. It's the number of patches that don't get released that people should be worried about.

    Ubuntu quite frequently tells me there are updates available for a large variety of packages I run, so what's the difference. This close-minded MS hating mantality gives me the shits. Everything is fallible to some degree, it's just a question of how much that degree affects you.

  • by n6kuy (172098) on Tuesday January 10, 2006 @09:08PM (#14442561)
    I would guess it should be obvious that Windows evolved by random chance. There's certainly no evidence of Intelligent Design there...

  • by cpu_fusion (705735) on Tuesday January 10, 2006 @09:20PM (#14442620)
    The press focuses on the delay between when the WMF exploit became common knowledge and when the fix was released. That's an important concern, but it distracts from a far more scary question:

    How much privacy has been violated in the last 15 years using this exploit?

    Before info on the exploit was splashed on news websites, it may very well have been known to intelligence agencies, Microsoft, and organized crime. We will likely never know. However, it is the window of time between when an exploit is privately found and it is made common knowledge that the real mischief occurs. For the WMF exploit, that window may have been 15 years!

    It's not hard to see how this simple exploit could have been used for corporate espionage, perhaps against you or your company, and you would be none the wiser today. Government agencies at every level use Windows. Your doctor probably does. Your bank probably does. Someone with knowledge of this exploit before it was widely known would have been in "god mode" in the monoculture of Windows. They could have made a ton of cash rooting a few stock brokers.

    There's LOTS of nasty things that could have happened, that it is just as reasonable to assume happened as to not. We'll never know, because digital tracks are very easy to cover up. Why the press isn't asking the bigger question: how could Microsoft (or someone else) NOT have known about this, and how do we deal with a world where some people, right now, might know about the next WMF exploit and might currently be using it to make a quick buck.

    So let's not focus totally on the cost to clean up the mess once the problem is known to the script kiddies. The unknown cost of the undetected zero-day exploits is quite possibly much higher.

    (And for those who say "there's nothing we can do about that!", I suggest you compare Windows security to something like SELinux.)

  • Oxymoron: (Score:3, Insightful)

    by eyepeepackets (33477) on Wednesday January 11, 2006 @12:42AM (#14443608)
    Microsoft security.

    That Microsoft has security like a cheese grater has bouyancy is a very well known fact, but the interesting point underlying the well known fact is _why_ Microsoft has such lousy security.

    I suggest it's their attitude towards security. For example, last Thursday Microsoft released a patch for the .wmf file format security hole, a real gapping maw of a hole. The following Monday, YESTERDAY, _two_ (2) more .wmf flaws are reported and posted with exploits.

    This is the way Microsoft does security: They wait for users to get hammered and scream, _then_ they might fix it, but just that one thing, anything else related is ignored until the cycle starts again with users getting hammered and screaming about it.

    After the past two years of Microsoft "security," the only people who still run that junk are the ones locked in by their PHBs and the clueless pubic who buy PCs based on what they see on TV. Oh yes, and the willfully locked-in Microsoft fanbois who are out in droves today defending their sinking ship against the crush of reality.

    Microsoft fans are much like the "Intelligent Design" people: They believe and insist their belief is the same thing as knowledge. This gives them the excuse to ignore reality with it's rather unpleasant (to them) consequences.

    Face the reality of the situation with Microsoft products: They want your money first and foremost, anything and everything else is, at best, second thought. This includes security, quality -- everything else.

    That's your reality, deal with it in a constructive way by getting off the Microsoft Gerbel Wheel from Hell (tm): It's the only way to be sure.

    Cheers.

What the world *really* needs is a good Automatic Bicycle Sharpener.

Working...