Does Microsoft find excuse for their security woes in mythology?

by Uche Ogbuji

Myth #1 that Microsoft might have fallen for: Microsoft's security woes are just because of its popularity. If Linux or OS X were as popular, they'd be dogged just as badly.

Does anyone have a shred of evidence indicating that any Linux has more vulnerabilities than Windows, and that the only reason it isn't attacked is that it isn't popular? But lack of evidence has not always interfered with Microsoft's apparent beliefs. Apathy towards security has the specious advantage of saving some resources. Often it takes no more than the silliest premise to dissuade an organization from necessary investment.

There was a time, years ago, when there were too many vulnerabilities in Linux, especially buffer overflows in the likes of IMAP and SMTP servers, and even the kernel. Guess what? These bugs were heavily exploited, even though Linux was less popular than it is now. Many machines got rooted in those days. But a curious thing happened. Those days vanished.

These days most Linuxen are impressively secure in their default distribution and almost all significant software developers associated with Linux have cleaned up their act (or faced ejection from distributions). It has become much harder to exploit a Linux, even for a determined attacker.

It doesn't take much grade school logic to figure that since Linuxes were hit hard back when they were even less widespread than now, the relative present-day lack of malware punch is not because they're not as popular as Windows.

Myth #2 that Microsoft might have fallen for: people get malware when they do things Microsoft doesn't approve of, anyway.

It's so tempting. "These people getting malware are doing things they shouldn't be doing, so they get what they deserve". If Microsoft believed this, it would be an effective salve to the conscience. A cynic such as I am considers that Microsoft would rather send BSA paratroopers after people they vaguely suspect of naughtiness than deploy measures to protect the whole class. Of course, no one who has had any experience with Windows can believe for one moment the canard that people only get malware when installing pirate or peer-to-peer software, or legit software by shoddy vendors (interestingly enough, the vendors usually cited are Microsoft's competitors).

I could tell a thousand stories, but one will do for anecdote. I set up Windows XP for my parents in law. Pretty run-of-the-mill custom PC. I patched it to the nines using Windows Update. A lot of work, but it's what we kin techies do. When I was done my son wanted to play around with it, so I opened IE (I was taking a break before installing Firefox and hiding all traces of IE) and wandered on-line to his favorite spot: Trouble is, I misspelled the Web site name. I don't remember the exact misspelling, but I do know that as soon as I saw the resulting page, I could tell there was trouble. The resulting cascade of trojan spyware was spectacular. Looking at "Add/remove software" listed some twenty of them. On a lark, I tried nuking them all using all the measures I could: uninstalling, removing directories, etc. Emptying a lake with a teaspoon. I had to start all over again with a reinstall.

This is what can happen with one erroneously entered URL. I've seen similar effects from an aunt who clicked one of those "download these cute smileys for your e-mail" ads, and countless other examples. It's not hard to imagine how close each keystroke or mouse click brings Aunt Hattie to MalHell. Oh no. Malware victims are ordinary people doing perfectly ordinary things, and being cruelly punished for it.

Microsoft must recognize this to some extent, considering they've now pledged seriousness to anti-malware. After all, why would they offer Penicillin to Corsairs? But is such a misperception possibly part of the reason they waited so long to take action?

As a Linux user married to an OS X user, malware is not something I worry much about. But I'm kin techie for many other households, and Windows security problems affect me all too painfully. If mythology helps to fuel Microsoft's lagging response, I hope I can do what I can to help debunk the silly myths.


2005-01-16 00:25:47
The relative present-day lack of malware punch
I think that partly is because Windows is more popular.

I believe what happened is that as the Linux distributors as well as all the projects they rely on were laid into by the community to clean up their act, they eventually hardened their stuff well enough that it's just a bad investment of time for crackers to try to exploit Linux boxen nowadays. Linux security is not quite as good as the figures make it seem, but it has gotten so much better than Windows security and Windows is so much more widespread that it just isn't worth it. Not because Linux is unpopular is it cracked so seldom, but because the product of Windows insecurity multiplied by the popularity of Windows is so much larger.

We'd see a rise in attacks on Linux if Windows security tightened up or if Linux got spectacularly popular. But that would still require much more effort than in the days of yore, and attacks on Windows wouldn't let up if Linux popularity happened to explode.

Another issue I think plays an important role is how woefully slowly MSFT react to security alerts. They leave critical holes unpatched for months. Most vendors in the libre software camp have reaction times on the order of a week. That means writing malware to target Windows is much, much more profitable, as you can count on far greater lifetime and deeper penetration. A shift in relative popularity of platforms will do nothing to diminish the effects of this particular disparity.

Overall, I think it can be argued pretty effectively that popularity indeed has nothing to do with the current situation.