
Microsoft: How big of a problem with security? (Part 1 of 2)

Jim Reavis
Network World on Security, 12/27/99

As we wind down 1999, a check of Microsoft's Security Advisor site reveals that Microsoft has issued in excess of 50 security bulletins. The actual number of advisories is probably a meaningless statistic, but for those of us that follow security news on a daily basis, there is no doubt that a majority of the security incidents that made the headlines this year targeted Microsoft-specific platforms. Melissa, ExploreZip, Back Orifice - these vulnerabilities don't exist on other operating systems.

Of course, you say, who is going to write an AS/400 virus? Microsoft products run everywhere, therefore targeting Microsoft platforms is the way for a bad guy to cause maximum damage. But do security problems plague Microsoft simply because of the company's size, or are there other technological or business reasons?

There are plenty of reasons to love or hate Microsoft. If you have owned Microsoft stock for the past several years, you probably love them. If you have tried to compete with them on any front, you probably hate them. The company's penchant for consuming any technology or application space is well known - from dominating the word processor market to eating away at Netscape's browser share to attempting to co-opt Java.

Microsoft has shown no fear of getting into new businesses, such as WebTV and City Sidewalk. No doubt Microsoft plays the role of the 800-pound gorilla to perfection, and the company is a magnet for publicity, good and bad. Regardless of the outcome of the Department of Justice's litigation and any possible remedies, Microsoft will continue to aggressively pursue new markets and dominate existing ones. In the meantime, are they adequately protecting the back door?

Microsoft is in the crosshairs of the hackers, no doubt about that. M$, Windoze - these negative nicknames are certainly only there to mock Microsoft, and there do not seem to be equivalent negative terms for other companies. There is a fair amount of validity to Microsoft's claim that Back Orifice 2000, for example, could have been written for other platforms and was mostly written to embarrass Microsoft. However, we believe it is a leap of faith to claim that all of Microsoft's security issues are relative to the popularity of its products, and that other competing products have the same problems.

What are the architectural differences between Microsoft operating systems and others? Windows 98 and Windows NT are two completely different operating systems, each with its own heritage. Windows 98 can be traced back almost to the origins of the company itself, as it is an iteration of MS-DOS. Windows 98 is a personal operating system. It is designed to act as a single-user operating system, with primary consideration being given to that one person behind the keyboard. The efforts put into Windows over the years have been to simplify the tasks of that one person, with considerations for the rest of the world being bolted on: network access, file sharing and, of course, security. There is no concept of different levels of local system authority, user context vs. administrative, file system permissions, etc. It is a completely unsophisticated core operating system that over time has been overlaid with a terrific set of end-user features. These are major issues with the Windows 9x operating system that make it wholly unsuited for the security requirements of the connected world.

NT owes its existence to the fractured relationship Microsoft and IBM had over OS/2 10 years ago. Microsoft didn't agree with IBM that Windows did not have a future and sought to build its own "OS/2" to compete in the enterprise market. Microsoft wanted it to be a graphical user interface to the core, and although it was influenced by many technologies, notably VMS, it was a brand new operating system. Unlike Windows 9x, it was built to be a multiuser operating system from the beginning. The concepts of a superuser, user, guest, contexts and inherited privileges are all in there. The Local Security Authority of NT authenticates and provides access based upon access control lists that extend to file systems, processes and any other objects defined by the system. In essence, it has a lot of the security features of Unix; it is simply less mature, with more security bugs yet to be exploited. This immaturity often leads to add-on applications not fully taking advantage of the security model and defaulting to additional services being implemented in an insecure manner, often by installation with administrator rights. NT is just as susceptible to application-borne viruses as 9x, including programs like Melissa, although a virus that tries to directly access hardware or specific files may be constrained by the user's privileges.

While there are stark differences in the foundation and architecture of these two operating systems, there are also security vulnerabilities common to both platforms, caused by other product groups within Microsoft. The effort to create a tight integration of its operating systems with Internet Explorer and Office has not only gotten Microsoft into hot water with the Department of Justice over possible antitrust violations, but has created an integrated security nightmare. Because of this integration, Windows 98 and NT (the latter to a somewhat lesser degree, depending upon the machine account privileges the user has) are unique among major operating systems in that a malicious hacker can create a program on a Web site that can be opened and in one step destroy a computer. Tightly integrating applications with operating systems is bad for security - probably the worst thing Microsoft has done for security. In fact, it could be argued that NT has a fairly good security model, until you start adding Microsoft applications on top of it.

While there is some validity to the argument that Microsoft's size and market dominance make it a magnet for unwanted hacker attention, in the final analysis most of the company's security vulnerabilities are self-inflicted wounds. In the next newsletter, I will look at some possible remedies to the situation.

Related links

Microsoft fixes bug in Mac version of Outlook Express
Network World, 12/23/99.

N+I: Intel, Microsoft step up network security
Network World, 09/15/99.

Security-seeking vendors find strength in numbers
Network World, 11/08/99.

Microsoft: Bad security, or bad press?
Network World, 09/27/99.

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

Copyright, 1994-2006 Network World, Inc. All rights reserved.