
Microsoft Security

Microsoft® has a notoriously bad reputation for the security of their software. Let's elaborate on the reasons by first considering some examples.

In 2004 web-based phishing (spoofing of web pages to collect user information) became much more frequent and feared by mainstream users. Phishing sites are often built by taking advantage of one or more vulnerabilities in Microsoft Internet Explorer and/or IIS (Microsoft's web server). "Victims of phishing attacks might conceivably lose their life savings. Some people now perceive Internet Explorer and Internet Banking as a potentially lethal cocktail that must not be mixed, with insiders in the banking industry urging their families to switch if not operating systems, then at least browsers... The phishing threats and the growing professional chorus of disapproval for Internet Explorer provide Windows users with very good reasons to turn elsewhere." (Moody, Glyn. "Browser Wars to Recommence?" Netcraft 5 July 2004)

In May 2003, Microsoft was notified of a security problem with their Passport identity service which had existed since September 2002 and affected all 200 million accounts. This exploit, which took the notifier all of 5 minutes to discover, required only the entry of a simple URL into any web browser (more technically, a GET request to the Passport servers with a specific URL and parameters), giving anyone the ability to change the password for any Passport account. To complicate this simple issue, the student who discovered the problem had a difficult time notifying Microsoft by e-mail. Due to an earlier agreement with the FTC to make the Passport service more secure, Microsoft could be liable for $2.2 trillion in fines.

Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9, 2003, Microsoft issued an update to fix the problem. That took more than seven months. For such critical vulnerabilities this amount of time is unacceptable.

One particularly atrocious design flaw of Win32, the fundamental API of most existing versions of Windows, has been known to Microsoft since 1994 and has not yet been resolved. Exploiting it has come to be known as a Shatter attack. The flaw is so fundamental that it appears to be unsolvable within the current design.

Even the Microsoft Windows™ help system was exploitable for about 7 years. From the time of Windows NT 4.0's release (1996?) until June 2003, an attacker could exploit the help system to run their own code.

In September 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer (reference page - http://www.pivx.com/larholm/unpatched/ - removed at Microsoft's request, archive missing from the Wayback Machine). Some of the most critical were not fixed for over a year. Among the many causes, it appears the scripting engine was not built from the beginning to be secure, and it has not since been rewritten as it possibly should have been. One Internet Explorer vulnerability allows someone to gain complete control of the computer when a user simply clicks on a link in a web page. In February 2004, another source documented 24 known unpatched vulnerabilities. There could be any number of unpublished vulnerabilities.

Compounding the security problem are Microsoft's contradictory responses. In October 2004 an interviewer for USA Today mentioned, "Internet Explorer has had well-publicized holes." Bill Gates responded, "Understand those are cases where you are downloading third-party software." Yet Microsoft's web site documents many cases of security weaknesses quite specific to Internet Explorer through which an attacker can directly gain control of a computer without the user downloading any additional software. His statement also counters his company's "secure computing initiative," in which they supposedly make security a top priority. Denying responsibility is counterproductive to such an initiative.

For a comparison, consider a Samba vulnerability found in 2003. Once notified, the developer took accountability for the mistake and the Samba project released a patch within 48 hours. Within another 24 hours, Red Hat incorporated the downloadable patch into their Linux distribution. This is not atypical in the open source software model.

It also appears that Microsoft's own implementation of their SMB protocol (which Samba implements for Unix and Unix-like systems) is vulnerable to attack, and Microsoft has known about it for over eight years. Microsoft either cannot or chooses not to fix the problems.

Many people consider open source software to be inherently more secure. Some cite the fact that anyone can review the code for vulnerabilities. More likely, it's because open source developers are more careful to write better code knowing anyone in the world can see it. Reputation is a valuable incentive. Linux's modular design, being based on UNIX, is another reason for its better security and quicker fixes. For a complete explanation see http://www.theregister.co.uk/content/55/36029.html.

Comparing software to determine which is more secure is a complex task. One may be more secure in one scenario while less secure in another. One system may have more software packages installed than another. Some criteria, such as bug severity and patch management, are subjective. Counting vulnerabilities for comparative purposes requires tedious work to determine how critical each issue is, how many systems might be affected, how difficult it is for someone to exploit the flaw, how long users wait for patches, and other details. Sometimes it's also difficult to remove bias from analysis. This is especially true of studies which require significant funding. As of this writing no unbiased studies are known to be available.

Whether or not other mass market software is more secure, the security of Microsoft software is completely inadequate. The moment their software is connected to a network it's immediately vulnerable to a wide variety of attacks, far beyond any acceptable level. The lack of adequate security for Microsoft's platforms becomes critical for systems that manage classified information. According to Professor William Caelli, head of the school of software engineering and data communications at the Queensland University of Technology, "Under no conditions should anyone in their sane mind run intelligence analytical systems on a Microsoft platform... I'm talking about the problem of putting highly security-relevant systems on a totally insecure base." (Tadros, Edmund. "Professor 'Horrified' by Poor Security." The Age 26 Oct 2004)

Giving The U.S. Government The Key To Your Computer

For at least versions 95 OSR2, 98, NT, and 2000, Microsoft Windows has included a secret cryptographic key owned by the U.S. National Security Agency (NSA). It's most likely that the NSA's key exists within Windows so U.S. government users of Windows can run classified cryptosystems on their computers. But it has been kept secret, and it does provide the potential for abuse. "According to Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system 'is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system.'" Users of Windows outside the U.S. should be especially concerned that the U.S. government could possibly gain security control over their computers. Users within the U.S. should also be concerned that Microsoft has provided the government with a secret back door that it can exploit. (Campbell, Duncan. "How NSA access was built into Windows." Heise Online 4 Sept 1999)

Viruses

There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory. (Granneman, Scott. "Linux vs. Windows Viruses." The Register 6 Oct 2003)

As the opinion article also explains, it is the fact that Microsoft software on many computers is identical which allows viruses to spread. For example, when a vulnerability is found in Outlook it often affects every Outlook user. In contrast, Linux installations typically vary per computer. The use of a variety of distributions, customizations, and versions creates a mixed environment where a virus will usually find it harder to spread, since it won't find the same software on every computer. Just as in biology, it is diversity which prevents one threat from destroying everything.

Viruses aren't only a nuisance to home computer users. They're also a major financial burden to corporations. Even though most corporations use anti-virus software, the majority are still affected by viruses. Often these viruses cost corporations more than any other form of security breach. With the vast majority of viruses being specific to Windows, this raises the cost of using Microsoft software more than any other.

Copyright © 2004-2007 Matthew Schwartz