QandO

July 11, 2004

Suck it Up, Apple-Boy
Posted by Dale Franks

The Danish computer-security firm, Secunia, has released a report showing that the Microsoft Windows operating system is not significantly more unsecured than other operating systems. Moreover, the Macintosh OS doesn't appear to be significantly more secure that other operating systems. Oh, and Red Hat Linux sucks, too. But Mac's OS X has the highest proportion of "extremely critical" flaws.

For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows is not the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58% of the holes exploitable remotely and 37% enabling system access. Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25% granting system access.

Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.

Sun Microsystems' Solaris 9 saw its share of problems, with 60 advisories in 2003-2004, 20% of which were "highly" or "extremely" critical.

Heh.

The thing that makes Microsoft stand out is the sheer prevalence of Microsoft Windows, and the ubiquity of MS Office. The two things that make Microsoft such a target is the sheer prevalence of Microsoft Windows, the ubiquity of MS Office, and the demands of the user community. Rats. Alright, the three main...

Ok, before we descend to far into Spanish Inquisition territory, let's just keep it at that.

When everybody is using Windows and MS Office, it becomes the big hacker target by default. So, some script kiddie that finds and utilizes a security weakness for them automatically enters the big time. One hack gets huge publicity because it affects so many people.

The other problem is a real quandary for Microsoft. Business customers for Microsoft products support a huge developer community. There are tens of thousands of people who go to work every day to use or create custom designed applications that use office automation that makes Access, Word, Excel, and Outlook work seamlessly with each other through code. I regularly have to create Access database front-ends for SQL server databases. These front-end applications use shell commands to call up HTML help files, and use Microsoft Word as a dynamic report generator, or Outlook to create new contact lists from the SQL database. In addition, these applications generally store values to the registry for things like user preferences. When I make one of these little apps, I've got the whole Windows world in my hand.

And I like it.

What customers--from small business to large--need is a unified programming environment that they can use to automate business information processes. And that is largely what the MS Office/Windows combination gives them. But here's the rub: To fully take advantage of that power, they need to access the Windows operating system, and make it do stuff.

Even having the browser tied directly into the operating system is extraordinarily useful, because, using the same programming object, you can switch between calling up local files on the users computer to pulling down data stored on the corporate intranet from other locations all around the world, with just a few lines of code.

That's power, my friend.

That allows them to leverage some pretty extraordinary power into their applications. But the downside is that, by opening up the Windows applications programming interface (API), you open it up to all sorts of malicious coding as well, unless of course, your OS code is security-perfect.

But, with millions upon millions of lines of code to make the OS work, perfect security is a goal that is unattainable. The best you can hope for is to converge towards perfect security, without ever quite reaching it.

This is a huge quandary for a company like Microsoft. On the one hand, their customers have an absolute demand for the type of programming power that has improved the ability of businesses to of automate information-related business processes, and, incidentally, spawned a huge development community that didn't even exist 15 years ago. On the other hand, like any other extraordinarily powerful tool, it carries with it the possibility for misuse.

This is not to say that Microsoft doesn't have a responsibility to perform serious security vetting for all of its products. But even the best security vetting will never be perfectly effective, as the example of the Mac OS X problems this report highlights.

But, as long as customers demand the ability to create custom applications in-house to meet their business demands, Microsoft pretty much has to give it to them.

Look, there's a reason why practically no one is using Lotus Smart Office or Corel Perfect Office--or Even Sun StarOffice--in a business setting. Once you buy them, you have to live with them pretty much out of the box, except for the rather limited ability to make a few macros. With MS Office, what comes out of the box is only the beginning. Your limits with these products are the mainly the limits imposed by your own knowledge.

Businesses apparently prefer the latter.

Sure, if you want something that approaches perfect security, then you can live by never using email, never browsing the web, and using WordPerfect v5.1 for DOS.

Good luck with that.

(Hat Tip: Lopsided Poopdeck)

TrackBack