
The first interesting missive to arrive in my inbox came courtesy of the words of Microsoft COO, Kevin Turner, speaking at the July 26th Microsoft Financial Analyst Meeting 2007. Turner decided to focus his attention on Vista security, rolling out the usual 'most secure Windows operating system ever' company line as expected. Perhaps less predictable was his insistence that it was safer than both OS X Tiger and all major distributions of Linux!

Talking about high-severity vulnerabilities, Turner insisted that "in the first 180 days we've had 12 in Vista", comparing this to the 25 in XP over the same period and drawing attention to how much more sophisticated people are today when it comes to exploiting vulnerabilities. "Over that same time period, I think you should also note that Windows Vista had far fewer than Apple, as well as any major desktop Linux distributor," Turner added. As I previously stated in my blog posting here, given the resources available to them, the level of security vulnerability exposure achieved by major players such as Microsoft is still way too high.

Comparing oranges to oranges, I would contend that Microsoft should stop playing the blame game and start concentrating on quicker responses, better testing and more open vulnerability disclosure. All areas where they could learn a thing or three from the Linux folk.

The second Microsoft missive to land in my inbox was word that Steve 'Barmy' Ballmer, the Microsoft CEO, is predicting that the installed user base for the Windows OS will reach 1 billion in under a year. Speaking at the same Financial Analyst Meeting 2007, Ballmer confirmed that from 2008 Microsoft would only be selling Windows Vista as far as direct OEM and retail licenses were concerned, with XP remaining an option only for system builders after February 2008. "If you stop and just think about that, parse that for a second, by the end of our fiscal year '08, there will be more PCs running Windows in the world than there are automobiles, which is at least to me kind of a mind-numbing concept," Barmy Ballmer said. Mind-numbing is not the word I would use to describe this vision of the computing future: mind-boggling perhaps, frightening definitely, and misleading possibly.

Misleading because Ballmer is talking about Windows as a whole, everything out there, including the die-hard Windows 95 users for example. The prediction might be very different were he to concentrate on the number of users likely to be running Vista within a year. Current market share statistics are revealing, with Windows XP hogging the limelight on some 81.94% of the OS market, and Vista with its 4.52% share sitting between Mac OS on 6% and Linux on a rather disappointing 0.71%. Those figures could change dramatically once support for XP is dropped and it stops receiving security updates, pushing users towards the decision of whether to upgrade to Vista or move to another OS altogether. It is not in the realms of fantasy to imagine both Mac OS and Linux starting to increase their presence considerably under such circumstances. Users having to invest in new hardware in order to run a new version of the OS might just be tempted into making the change to Apple, now that this platform can comfortably run Windows in a virtual environment. Users looking for real security, however, might be tempted by the value for money offered in the Linux field, especially while upgrade prices to Vista remain so high.

With the installation woes of Linux distributions becoming a thing of the past, and their desktops becoming increasingly familiar in look and feel, it really must only be a matter of time before Microsoft starts treating the OS competition with a little more respect.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


>I would contend that Microsoft should stop playing the blame game and start concentrating on quicker responses, better testing and more open vulnerability disclosure.

So many people say that, but do you think it's really feasible for them? Their responses would be a lot quicker if it was safe to deploy the updates that way; unfortunately it's not. They have to make sure that the patch works and [hopefully] doesn't leave any other holes open. Then when they release it they need to do so in a manner such that the patch can't be reverse-engineered to find the exploitable code (that used to be how a lot of exploitable code was targeted by virus authors). Then there's the issue of deployment usability. If nobody installs the patch, it won't be effective. Having the update notification go off every day would likely cause many people to just turn it off; instead, it goes off a couple of times a month (e.g. Patch Tuesday). Actual deployment rates are still excruciatingly slow though, so making it public whenever they patch some exploitable code would probably cause more malware authors to take advantage of the vulnerability window. As to the testing, they're on a pinched schedule, which is an apple to the exploit finder's orange. The Blaster exploit took 6 months of tinkering to find an exploitable input for that one little bit of code (it was like 2 lines, as I recall). No company is going to spend that much time on so little, especially when even realizing that the threat exists is so difficult. The SDL is also significantly helping Microsoft to improve its development with respect to security.

>Users having to invest in new hardware in order to run a new version of the OS, might just be tempted into making the change to Apple, now that this platform can comfortably run Windows in a virtual environment. Users looking for real security, however, might be tempted by the value for money offered in the Linux field, especially while upgrade prices to Vista remain so high.

The hardware is expensive, yes. But to run XP, you can use a computer that's 10 years old (obviously the experience will be somewhat lacking, but it's doable). The people who have newer machines can likely save up to get an upgrade for Vista. Or they can live without the Aero features. Apple's computers are still expensive too; if you're going to pay a lot for a computer, do you want to risk an OS you're not familiar with? And running Vista in a VM is going to yield a poor experience, if it's even supported; planning to run XP in a VM very far into the future is just silly. Your Linux statement is quite stereotypical as well. Linux does have a considerable portion of the server market, so the claim that it is "too small to target" is hardly feasible. However, the same is likely not true for desktop apps (which really are the target these days). Windows does have a few bugs in the OS; Linux surely does as well. Most of the big exploits these days, however, are found in user applications (or even users), not in the OS.


"Current market share statistics are revealing, ...." - who says that? What companies? There are lies, there are fat lies and there are statistics. Just to prove it to you, there are companies reporting a significant shift of development towards the Linux platform, of about 4%, at the expense of Windows. Are these companies dumping Windows for just 0.71% of users? M$ can't help but spread FUD. Do they have technology? Does Windows have a clue about multiple desktops (on the desktop side) or about clusters (on the server side)? Not to mention the governments and countries that chose this year to go with Linux from now on.
