Microsoft vs. Computer Security

Why the software giant still can’t get it right.

Four years ago, Bill Gates dispatched a companywide e-mail promising that security and privacy would be Microsoft’s top priorities. Gates urged that new design approaches must “dramatically reduce” the number of security-related issues as well as make fixes easier to administer. “Eventually,” he added, “our software should be so fundamentally secure that customers never even worry about it.”

Microsoft customers haven’t stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed “critical” have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer.

Just last week, another problem reared its head—a security hole that could allow Windows users to become infected with adware, spyware, or viruses by simply viewing an e-mail, instant message, or Web page. When Microsoft dragged its heels on issuing a patch, the SANS Institute, an organization that tracks security threats, took the extraordinary step of recommending that users download an unofficial patch developed by a Russian programmer. (Microsoft had planned to release its fix on Jan. 10, but ultimately bowed to pressure and issued it five days earlier.)

With the company’s security problems still monopolizing the news, you might have expected that Bill Gates would address the vulnerability at the Consumer Electronics Show in Las Vegas. Instead, he boasted how Microsoft’s new operating system, Vista, would extend the company’s tendrils into your living room. Sure, it might be nice to connect your computer and your television set. But is it worth it to give hackers access to your television?

SANS’ list of the Top 20 most threatening security vulnerabilities includes products from Oracle, Apple, Cisco, Mozilla, and even anti-virus software vendors. But Microsoft is still the dominatrix of the desktop and runs about 90 percent of the world’s computers, making it the biggest target for hackers, crackers, pirates, and thieves. Microsoft’s security problems run much deeper than just being the most popular, though, and that is why many computer security pros despise Microsoft.

While the company claims that Vista will be more secure against hack attacks, the computer security professionals I talked to are skeptical. “We hear this each and every time Microsoft comes out with a new operating system,” says Brian Martin, an independent computer security consultant. “It is still built on the same legacy code, it is still written without adhering to secure coding practices, it is still thrown to the masses without adequate security testing.”

Richard Forno, a principal consultant for KRvW Associates and a former senior security analyst for the House of Representatives, believes that Microsoft is a threat to national security. The White House, Congress, and Department of Defense all run Windows and send and receive e-mail on MS Exchange Server—exploitable Microsoft products that offer a “target-rich environment for malicious code.”

Case in point: buffer overflow attacks, a popular technique for exploiting Microsoft products. By flooding a program with too much data, a hacker can track and manipulate the overflow and trick the system into following his instructions as if he were the system administrator. The technique has been known for decades, yet Microsoft still hasn’t come up with a way to defend against it. Although Oracle, Linux, UNIX, and even Apple iTunes have fallen prey to buffer overflow attacks, the number that have afflicted Microsoft products far outstrips them.

Buffer-overflow vulnerabilities are simply programming errors; they occur when coders fail to deploy proper memory-management techniques. When Microsoft shipped XP and its 50 million lines of code in 2001, it claimed it was the most secure operating system it had ever developed and that the company had paid special attention to buffer overflows. Within two months, researchers at eEye Digital Security found a hole in the code that left it vulnerable to buffer overflows—and the operating system has been plagued with these holes ever since. Security consultant A.J. Reznor points out that every major worm other than the original Morris Worm from 1988 has leveraged a hole in Microsoft products. Reznor refuses to work with Microsoft products but still actively loathes the company because his network becomes “saturated with crap flying out of [Windows] machines.” Spammers route their junk through MS machines infected with a trojan—a harmful computer program disguised as an innocuous one—that turns these machines into “zombies.” “Even if we don’t use them, we suffer from them,” he says. “Kind of like secondhand smoke.”

Microsoft’s security problems are only going to get worse. The company designs its products to work together, creating a Microsoft monoculture. Because there are so many shared paths from Internet Explorer, Outlook, and Windows Media Player into the operating system, if you exploit one, you exploit them all. Vista promises to continue this consolidation by making the operating system the glue that connects users to their PCs, televisions, PDAs, and portable music and video players.

What can you do to protect yourself? Besides avoiding Microsoft products, one way would be to use substitutes whenever possible. If you run Windows or the upcoming Vista, use a different e-mail program, browser, and/or media player than the ones that come in the box. Stay up to date on patches and anti-virus software. And the next time Bill G. promises to make software that is so fundamentally secure that customers never have to worry about it, ask him what decade he plans to release it.