For the six years prior to January of this year, these were the perceptions about Microsoft Windows’ security:
Those are simple, but they sum it up well.
The security of Windows began to be exposed when Microsoft put it on a network in the days of Windows for Workgroups. The kernel for Windows NT was not written with network security as a priority (Microsoft was not strong in networking; remember the horrid IP stack introduced in WfW?), and since Microsoft was late to the Internet party (another network boat they missed) that priority didn’t change much for Windows 2000 and XP. The result? Over 110,000 viruses in the wild — those that actually infected user machines — and malware running rampant. It is absolutely mandatory to run anti-virus and anti-malware/spyware software to protect a Windows machine. No one disputes this.
Microsoft and the IT community have done a good job of brainwashing people to think this is “normal,” and somehow no big deal. Indeed, some Windows users have it so ingrained into their heads they can’t imagine not doing these things, much to the delight of anti-virus vendors. Many IT security professionals and analysts work hard to scare-monger and BS their way around the fact that other OS’s don’t require this kind of “protection” and “maintenance.” Who can blame them? Their very livelihoods depend upon it!
That UNIX (or UNIX-like) systems such as BSD, HP-UX, Linux, Mac OS X, Solaris and others do not require virus and malware protection tools is the biggest proof that Microsoft and IT are full of it. How many UNIX-based viruses in the wild, 700 in perhaps 30 years? Compared to 110,000+ in half that time it seems pretty clear to me. Microsoft apologists lately point to theoretical vulnerabilities or exposures developed in the lab as somehow equating to a bona-fide attack in the wild. Um, no. Only a fool would argue that the risk of attack on a Windows machine on the Internet, even with current anti-virus software, is the same as any of the aforementioned OS’s without anti-virus. The empirical evidence alone is sufficient to remove all credibility from anyone making this argument.
So how did Microsoft combat their security issues? For a long time, they didn’t. As I mentioned, for many years it had no special priority. Regular patches to keep up appearances, but no concerted effort to plug the holes in their leaky OS and Internet browser. Sooner or later, you’d think at least a few people would start to ask questions and demand a bit more. Well, it took years, but that finally did happen.
One reason Windows Longhorn (a.k.a. Vista) was late is that it was delayed by the effort Microsoft expended on XP Service Pack 2. The infamous SP2 was almost exclusively a security patch, and a very large one at that. Microsoft was going to secure the OS and silence the critics springing up. It added the Windows Firewall, the Security control panel, and many behind-the-scenes changes to help stem the security tide.
Further, Microsoft eventually took IE 6 and worked on it to improve its security. While initially slated for Vista, IE 7.0 was released to XP SP2 as a critical security patch, which tells you just how important Microsoft knew it was!
The problem is, even XP SP2 with IE 7.0 is not on the level of a UNIX-like OS in terms of risk of attack. Microsoft put on a brave face, but also claimed Vista would be much more secure. No big surprise — Microsoft always tells us the next OS will solve the problems of the current one — but what’s funny was Microsoft talking out of both sides of its mouth: “XP is secure, oh but Vista will really be secure.” Huh?
So how did Vista work out? Well, it did give us the vaunted UAC function, which tells you a lot of what you’re doing is “suspicious” so you can cancel or allow it. Like the user will always know! But, hey, if you allow it and your system is harmed, Microsoft is off the hook, which is what UAC was meant to do anyway. My previous article links to an article saying Vista and XP aren’t that different from a risk standpoint; here’s another article that agrees:
“So, what have we got here? An adequately secure version of Windows, finally? I think not. We have got, instead, a slightly more secure version than XP SP2…. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on. But MS has, in a sense, shifted the responsibility onto users…”
Vista’s already been nailed by the animated cursor bug that had claimed XP. With that one attack it’s had more in the wild in just six months than Mac OS X Tiger has since it was introduced over two years ago!
I’m not saying other OS users do not have to worry about security. That’s nonsense. Quite the contrary, any OS can be attacked, and I noted there have been UNIX attacks. But ultimately it’s about risk assessment. As a matter of cold fact, security is a strong reason to dump Windows and run an OS that doesn’t require third-party apps to help defend against attacks it’s not likely susceptible to in the first place. Put simply, I’m not moving to Mac OS X so I won’t have to worry about security, I’m moving to it because I do worry about security. In any rational risk assessment, Windows loses. The best “anti-virus” software doesn’t come from McAfee or Symantec, it comes from Apple, open source, Sun, etc. in the form of a more secure OS!
The jury is clearly out on Vista’s security, but given early results and Microsoft’s track record of delivering a secure OS, I wouldn’t put my money on it. Clearly, other people are not putting their money on it either, which is why Microsoft had to take another tack in their security propaganda, attempting to redefine how to measure it, which brings us full circle to my previous article…