Microsoft Windows security revisited: One reason I’m Macintosh bound.

I wrote about Microsoft’s latest security ploy last month (link at the end of this article). This is a “prequel” to that piece…

For the six years prior to January of this year, these were the perceptions about Microsoft Windows’ security:

1) It is weak.
2) XP SP2 is going to fix it.
3) It is weak.
4) Internet Explorer 7.0 is going to fix it.
5) It is weak.
6) Vista is going to fix it.

Those are simple, but they sum it up well.

Security of Windows began to be exposed when they put it on a network in the days of Windows for Workgroups. The kernel for Windows NT was not written with network security as a priority (Microsoft was not strong in networking, remember the horrid IP stack introduced in WfW?), and since Microsoft was late to the Internet party (another network boat they missed) that priority didn’t change much for Windows 2000 and XP. The result? Over 110,000 viruses in the wild — those that actually infected user machines — and malware running rampant. It is absolutely mandatory to run anti-virus and anti-malware/spyware software to protect a Windows machine. No one disputes this.

Microsoft and the IT community have done a good job of brainwashing people to think this is “normal,” and somehow no big deal. Indeed, some Windows users have it so ingrained into their heads they can’t imagine not doing these things, much to the delight of anti-virus vendors. Many IT security professionals and analysts work hard to scare-monger and BS their way around the fact that other OS’s don’t require this kind of “protection” and “maintenance.” Who can blame them? Their very livelihoods depend upon it!

That UNIX (or UNIX-like) systems such as BSD, HP-UX, Linux, Mac OS X, Solaris and others do not require virus and malware protection tools is the biggest proof that Microsoft and IT are full of it. How many UNIX-based viruses in the wild, 700 in perhaps 30 years? Compared to 110,000+ in half that time it seems pretty clear to me. Microsoft apologists lately point to theoretical vulnerabilities or exposures developed in the lab as somehow equating to a bona-fide attack in the wild. Um, no. Only a fool would argue that the risk of attack on a Windows machine on the Internet, even with current anti-virus software, is the same as any of the aforementioned OS’s without anti-virus. The empirical evidence alone is sufficient to remove all credibility from anyone making this argument.

So how did Microsoft combat their security issues? For a long time, they didn’t. As I mentioned, for many years it had no special priority. Regular patches to keep up appearances, but no concerted effort to plug the holes in their leaky OS and Internet browser. Sooner or later, you’d think at least a few people would start to ask questions and demand a bit more. Well, it took years, but that finally did happen.

One reason Windows Longhorn (a.k.a. Vista) was late is that it was delayed by the effort Microsoft expended on XP Service Pack 2. The infamous SP2 was almost exclusively a security patch, and a very large one at that. Microsoft was going to secure the OS and silence the critics springing up. It added the Windows Firewall, the Security control panel, and many behind-the-scenes changes to help stem the security tide.

Further, Microsoft eventually took IE 6 and worked on it to improve its security. While initially slated for Vista, IE 7.0 was released to XP SP2 as a critical security patch, which tells you just how important Microsoft knew it was!

The problem is, even XP SP2 with IE 7.0 is not on the level of a UNIX-like OS in terms of risk of attack. Microsoft put on a brave face, but also claimed Vista would be much more secure. No big surprise — Microsoft always tells us the next OS will solve the problems of the current one — but what’s funny was Microsoft talking out of both sides of its mouth: “XP is secure, oh but Vista will really be secure.” Huh?

So how did Vista work out? Well, it did give us the vaunted UAC function, which tells you a lot of what you’re doing is “suspicious” so you can cancel or allow it. Like the user will always know! But, hey, if you allow it and your system is harmed, Microsoft is off the hook, which is what UAC was meant to do anyway. My previous article links to an article saying Vista and XP aren’t that different from a risk standpoint; here’s another article that agrees:

“So, what have we got here? An adequately secure version of Windows, finally? I think not. We have got, instead, a slightly more secure version than XP SP2…. The old problems never go away: too many networking services enabled by default; too many owners running their boxes as admins and downloading every bit of malware they can get their hands on. But MS has, in a sense, shifted the responsibility onto users…”

Vista’s already been nailed by the animated cursor bug that had claimed XP. With that one attack it’s had more in the wild in just six months than Mac OS X Tiger has since it was introduced over two years ago!

I’m not saying other OS users do not have to worry about security. That’s nonsense. Quite the contrary, any OS can be attacked, and I noted there have been UNIX attacks. But ultimately it’s about risk assessment. As a matter of cold fact, security is a strong reason to dump Windows and run an OS that doesn’t require third-party apps to help defend against attacks it’s not likely susceptible to in the first place. Put simply, I’m not moving to Mac OS X so I won’t have to worry about security, I’m moving to it because I do worry about security. In any rational risk assessment, Windows loses. The best “anti-virus” software doesn’t come from McAfee or Symantec, it comes from Apple, open source, Sun, etc. in the form of a more secure OS!

The jury is clearly out on Vista’s security, but given early results and Microsoft’s track record of delivering a secure OS, I wouldn’t put my money on it. Clearly, other people are not putting their money on it either, which is why Microsoft had to take another tack in their security propaganda, attempting to redefine how to measure it, which brings us full circle to my previous article.

7 thoughts on “Microsoft Windows security revisited: One reason I’m Macintosh bound.”

  1. I think Mike’s point on Apple’s slow updates on Open Source code is that it leaves Macs vulnerable. Why? Because the updated open source code points out the security gap that could then be exploited since Apple has not yet updated.

    I agree with you overall, but in this one area, Apple can move a bit quicker.

  2. There are over 30 million OSX users – 7 years RUNNING, zero infections.

    There are over 110 million ipod users (who have to connect to a computer including PC’s to update) – zero infections. 6 years – zero infections.

    As you mentioned, things could change but other than lab infections created by people with an agenda to sell security software or consulting services – ZERO.

    Every week, there are warnings that this is it – this can’t last much longer because PC users cannot conceive of a computer that requires ZERO virus software.

    WE DON’T EVEN THINK ABOUT IT – it’d be like if asked Bill Gates where is the nearest tattoo parlor – we both have NO IDEA.

    Apple is not complacent. Apple issues many security updates to patch things BEFORE there is an infection. Of course, we like Apple. They actually service customers AFTER the purchase for FREE instead of allowing 120,000 infections AND THEN asking us for $99 a year to fix a recall!

    I know it’s hard to believe at the other side because it’s so inconceivable but just like we don’t have to phone in to get permission to use our computers, Macs are ready to go & use.

  3. Thanks, Tom, for a very balanced article.

    I have to agree, working in the IT field for 10+ years, that the Windows admins still don’t get how much more secure the Unix platforms are. They are stuck in their mindset and I really believe it is costing their companies money that is just assumed to be a cost of doing business. It’s really sad. I now work in an all-Mac shop and we still don’t run anti-virus software on the desktops, although we do sit behind a managed firewall. Call me stupid, but until I start seeing viruses for the Mac, why spend the money?

  4. What took you so long?
    That’s what a friend said after I went ‘totally’ Mac 2 years ago after just 4 months with a G5 iMac loaner. It was absolutely the best decision/purchase I ever made. Of my hardcore PC co-workers… around 10 in our dev lab, there is only one holding his stance and that’s only for contrary reasons. Hardware failures aside, we have not seen or requested IT staff help in the last year. Even my boss remarked on the lack of support costs last spring and did some switcher calcs for the whole site, but at the current conversion rate (we can specify our own platform within the company) most people will change over within 6 months anyway ;->>
    So, from 0 to 90+% Macs in less than 2 years – that’s some major shift in mindshare for us former PC users who would have died laughing had someone predicted it.
    My wife visits our workplace fairly regularly and she swears that the lab is a much friendlier place these days. Productivity is much higher tho’ perceived workload is lower…go figure. Oh, and staff turnover has dropped to almost zero too.

  5. Mike,

    Thanks for the comments. #3 is probably the single biggest reason I’m avoiding Vista.

    As for OS X’s security, how many viruses in the wild have you got on your Mac? How many have your friends or family? How many have you read about? It’s not even close.

    I’m not crowing about OS X, but rather countering the garbage (and it is garbage) that would imply OS X (or _any_ UNIX ) isn’t miles ahead of the game. The open ports on a Vista box alone create exposures no reasonable person would want, yet Microsoft says they may not be able to close them until Vienna (Windows 7.0). It’s insane.

    Frankly, I think the Mac community has become less passionate with all its “success,” and become too susceptible to the crap spewed by Microsoft apologists and security “professionals” who want nothing more than to keep their jobs by getting people on a leaky Microsoft OS.

    Mac OS X open source is a version or two behind the industry? Sure, and that version is still miles ahead of Vista, and has also been vetted by numerous groups. It’s silly to think Apple must move to the latest every time. That whole “Apple’s behind” campaign is meaningless FUD to make you somehow think a system that’s secure might fall apart tomorrow.

    Vista’s falling apart today. Which system would you rather have on the Internet? Which one would you bet on to get attacked first? You know the answer, so to shake your head and feel the need to doubt Apple over the FUD-spewing campaigners is not being fair, it’s not being impartial, rather it’s being caught up in yet another propaganda campaign orchestrated by an industry whose very existence requires the Windows security model to sustain itself!

    If Mac users are complacent at all, it’s only in that they take OS X’s security for granted. Like someone who has something great and, being used to it, then bitches about it, they’re all too quick to criticize and not appreciate. Some of us non-Microsoft apologists on the other side see it differently.

    Mac OS X (and UNIX) isn’t perfect by any means. That’s not the point. All OS’s can be attacked, and I stated this. But it’s so far ahead of Microsoft it’s doubtful even Vienna will catch up. THAT is the reality. You should enjoy that, and not be fooled by the FUD-meisters.

  6. To be frank, I’m becoming more and more sceptical of OS X’s security. It was a shock for me to find out recently that much of the open source software used in OS X is often a version or two behind the industry.

    This interview makes sobering reading:

    http://www.forbes.com/security/2007/08/04/iphone-apple-mac-tech-cx_ag_0804miller.html

    As I say, the more I find out, the more sceptical I become. I think Apple are coasting on low market-share and not doing many things they could do. Why no ASLR in Leopard, for example?

    Some Mac users are very protective of the company, but I don’t understand that: as a Mac user I’m more inclined to be angry at the thought that Apple is not doing all it could (till I remind myself that that’s the way of the world).

    Perhaps it would be better if Mac users were not so complacent. Microsoft only tightened up its act because it got such a bad rep. Microsoft are now admitting that XP was appallingly insecure – they can afford that admission now Vista is out. However, at least they finally did take some precautions that Apple *still* doesn’t, and at least they did finally step back through the code, use checking tools on it, and rewrite large chunks of it.

    I wouldn’t buy Vista and here’s why:

    1. The GUI and the desktop environment as a whole is rubbish. The same goes for GNOME/KDE. The only decent, attractive, well-designed desktop environment on the market is Apple’s.

    2. Microsoft want too much money (compare the price of OS X ($129) with that of Vista (Amazon gives $399.95 as the list price for the full version)).

    3. Vista is riddled with DRM:

    http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

    4. I don’t like buying from Microsoft because of their lack of ethics.

    But I’m not in a mood to crow about OS X’s security, because I think it’s more apparent than real.
