IPkey.com
information security
monitoring & management
Information Security Bulletin
October 2003
Feature Story:
Readers' Choice Issue:
What's up with Windows?
Your responses to my invitation last month were most interesting. Over half related in some way or another to a single issue: Why is Windows so vulnerable and why can't Microsoft just fix it? I'll do my best to answer this seemingly simple question.
In 1988 I received a new PC with Windows version 1.03. That's 15 years ago - plenty of time for Microsoft (MS) to get the bugs out and for Windows to work properly, wouldn't you think? Evidently not. Windows XP is the most stable build of Windows to date, yet it still needs scores of patches to fix security vulnerabilities.
Part 1: Why is Windows so vulnerable? Windows is arguably one of the most complex collections of technologies ever devised. It's huge - over 30 million lines of programming code built up over a decade of development. Much of the core Windows code was written before the Internet was popular, and long before security was an real issue. While a great deal of the XP and 2000 code base was build upon the relatively secure NT kernel, ease of use, performance and Y2K compliance were the dominant Windows design factors until early 2002. Then last spring, Bill Gates stated that security was the top priority at MS. Would Windows be fixed?
Part 2:Why can't Microsoft fix Windows? Given this epiphany last year at MS, Windows should be a much more secure product by now, right? Not exactly. Windows is a constantly evolving product. In part, this is to optimize new Microsoft applications such as Office 2003, new games, new hardware such as DVD-RW drives, CF and USB memory cards, the latest video cards, multimedia, etc. There is constant 'tweaking' going on to make application and hardware, especially those from Microsoft (nudge, nudge, wink, wink) install easily and operate reliably.
Given this evolving nature of Windows, new vulnerabilities are inevitably created as new code is incorporated. Each new version undergoes exhaustive testing, but Windows is so complex that even tens of thousands of beta testers will not uncover every vulnerability and problem. It's not until millions of users around the world are doing everything imaginable does it get really tested.
This means that the folks who are trying to make Windows secure are constantly playing catch-up. It's an impossible task. Perhaps if MS 'froze' the Windows code they could finally nail it down long enough to fix it? In fact, this actually happened in Spring of 2002 when Bill Gates ordered all Windows development halted in order to make Windows secure. Rumor has it that security really became an issue because Microsoft lawyers sensed some huge class-action suits might start brewing over Windows security failings. Didn't work, did it? It makes Microsoft's 'Trustworthy Computing' slogan ring a little hollow. ->
IPkey Hot Links!
Security
Solutions
Evaluation
Remediation
Monitoring
Management
Recovery
New!
InfoSecurity
Center
Welcome
to the
Information Security Bulletin. This is your source for the latest
practical information you can use to protect your organization's critical
information and
network services.
Marcus Clarke
ISB Editor
email me your opinions!
Managed
Monitoring
Start your
free
30 day trial today
Learn more
/
Register
or call
(866) 330-1010
-> Those of us who know Microsoft well know that they never really fix any current product. Those problems are fixed in a new version, for which they always charge a hefty fee. Microsoft will never fix Windows as we know it because they have a radical new version coming in 2006 (see sidebar).
Part 3: What IS Microsoft doing to make Windows secure today? Given the fact that Microsoft can't (or won't) fix today's Windows, what is it doing? Mostly, they are trying to educate Windows users how to use MS tools that help create a 'secure computing environment'. When confronted about the lack of Windows security, they indignantly respond that most people don't use the Microsoft tools available. That is true, but, MS also don't take responsibility for the fact that these tools are confusing to understand, are not well integrated and are very inconsistent in their terminology and use. It's bad enough for a corporate IT security professional to deal with; home users really don't have a chance.
This means that all Windows users concerned with security face an almost daily task of checking for new Windows Updates, Anti-Virus definitions, Spy ware signatures, Spam filters and so on. The time and effort required by individuals and organizations is truly mind-numbing; most people just don't have the time or budget. That makes for huge security holes which are being quietly (and efficiently) exploited by hackers worldwide.
Microsoft has evidently come to the conclusion that Windows is impossible to secure without almost continual updates. Windows Automatic Update has in many ways offset the burden of checking for updates and manually installing them. Software Update Server has added another dimension to this process for larger organizations.
This is a big step in the right direction, but Microsoft appears to be struggling under it's own bureaucracy. Windows security alerts, bulletins and updates are incredibly confusing as I mentioned earlier. Just last week, Microsoft released no fewer than 7 updates of which 5 were classified as 'critical'. After just one security update in over a month, there is no way that 5 critical (but unrelated) security vulnerabilities just pop up at once. MS needs to improve the Windows Update process if it's hoping to gain any credibility about securing today's Windows.
Final Thought
The Internet has succeeded in inter-connecting all of us to become a giant network. It wasn't until large numbers of us migrated from dial-up to persistent, broadband connections that the consequences of that connectedness became apparent. Worms, viruses, spam, pop-ups and porn have become the scourge of Internet use. Because Windows is inherently insecure, the conduits of threat will have to become much more restrictive to compensate. We're going to see big changes with web, especially with email & spam.
It's the final irony that Windows has become the victim of it's own sophistication and ambition.
A Secure Windows?
In 2006, the next version of Windows will
incorporate security not just in software, but in hardware in a broad
initiative code-named Palladium. This will
require an entirely new computer because it uses a new PC architecture that
Intel is developing jointly with MS. Your secret data will be kept in a
'hardware vault' which can only be accessed in specific ways.
Sounds great, but I suspect that it will do more for Digital Rights
Management (copying music or movies) than avoiding infections from worms and
viruses. Will it be secure enough that MS doesn't
have to keep fixing it? I doubt it.
ISB Takeaway #1:
Use Windows
Automatic Updating is you have Windows 2000 or XP. If not, it's time to
upgrade that 95, 98 or Millennium clunker.
ISB Takeaway #2:
Any important, sensitive or valuable data on your PC should be encrypted.
It's just too easy for Windows to be compromised.
ISB Takeaway #3:
Use strong passwords for everything computer related. Passwords should be at the very least 6 characters and should include numbers, upper and lower case letters and punctuation marks. Do NOT use your pet's name or your birthday.
The ISB is a monthly email newsletter
published by IPkey.com, your source for
affordable information security monitoring and
management.
IPkey.com is part of Meridian Group, a New Mexico based corporation serving
the IT needs of its clients for 14 years. We encourage you to forward ISB to your
co-workers, colleagues and friends. To subscribe or unsubscribe to the
ISB newsletter, email us at isb@ipkey.com.
Past issues of this newsletter are available at IPkey.com
ISB Archive
I invite you to call or email me with your questions and comments. As always we are here to assist you with your Information Security needs.
Next Month:
Email - how secure is it?
All contents copyright (C) 2003 Meridian Group Inc.