Jan. 9 2006 1:10 PM

Microsoft vs. Computer Security

Why the software giant still can't get it right.

Illustration by Robert Neubecker.

Four years ago, Bill Gates dispatched a companywide e-mail promising that security and privacy would be Microsoft's top priorities. Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."

Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed "critical" have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer.


Just last week, another problem reared its head—a security hole that could allow Windows users to become infected with adware, spyware, or viruses by simply viewing an e-mail, instant message, or Web page. When Microsoft dragged its heels on issuing a patch, the SANS Institute, an organization that tracks security threats, took the extraordinary step of recommending that users download an unofficial patch developed by a Russian programmer. (Microsoft had planned to release its fix on Jan. 10, but ultimately bowed to pressure and issued it five days earlier.)

With the company's security problems still monopolizing the news, you might have expected that Bill Gates would address the vulnerability at the Consumer Electronics Show in Las Vegas. Instead, he boasted how Microsoft's new operating system, Vista, would extend the company's tendrils into your living room. Sure, it might be nice to connect your computer and your television set. But is it worth it to give hackers access to your television?

SANS' list of the Top 20 most threatening security vulnerabilities includes products from Oracle, Apple, Cisco, Mozilla, and even anti-virus software vendors. But Microsoft is still the dominatrix of the desktop and runs about 90 percent of the world's computers, making it the biggest target for hackers, crackers, pirates, and thieves. Microsoft's security problems run much deeper than just being the most popular, though, and that is why many computer security pros despise Microsoft.

While the company claims that Vista will be more secure against hack attacks, the computer security professionals I talked to are skeptical. "We hear this each and every time Microsoft comes out with a new operating system," says Brian Martin, an independent computer security consultant. "It is still built on the same legacy code, it is still written without adhering to secure coding practices, it is still thrown to the masses without adequate security testing."

Richard Forno, a principal consultant for KRvW Associates and a former senior security analyst for the House of Representatives, believes that Microsoft is a threat to national security. The White House, Congress, and Department of Defense all run Windows and send and receive e-mail on MS Exchange Server—exploitable Microsoft products that offer a "target-rich environment for malicious code."

Case in point: buffer overflow attacks, a popular technique for exploiting Microsoft products. By sending a program more data than the memory buffer set aside for it can hold, a hacker can control what spills over into adjacent memory and trick the system into following his instructions as if he were the system administrator. The technique has been known for decades, yet Microsoft still hasn't come up with a way to defend against it. Although Oracle, Linux, UNIX, and even Apple iTunes have fallen prey to buffer overflow attacks, the number that have afflicted Microsoft products far outstrips them.

Buffer-overflow vulnerabilities are simply programming errors; they occur when a program writes data into a fixed-size buffer without first checking that the data fits. When Microsoft shipped XP and its 50 million lines of code in 2001, it claimed it was the most secure operating system it had ever developed and that the company had paid special attention to buffer overflows. Within two months, researchers at eEye Digital Security found a hole in the code that left it vulnerable to buffer overflows—and the operating system has been plagued with these holes ever since.
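The programming error the two preceding paragraphs describe, shown as an added C example (not code from the article, from Microsoft, or from any product it names): a function that copies a caller-supplied name into a fixed-size buffer without checking its length, beside a version that checks the length first and rejects input that does not fit. The function names, the 16-byte buffer size, and the sample inputs are all constructed for the illustration.

```c
/* Added example, not from the article: an unchecked copy into a fixed-size
 * buffer (the programming error behind a buffer overflow) beside a
 * bounds-checked version. Names, sizes and inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed stack buffer, chosen for the example */

/* Vulnerable: copies the caller's string with no length check.
 * If 'input' holds more than NAME_MAX - 1 bytes, strcpy writes past the end
 * of 'name', overwriting whatever sits next to it on the stack.  Nothing in
 * this example calls it with oversized input; doing so is undefined behaviour. */
int greet_unchecked(const char *input, char *out, size_t out_len)
{
    char name[NAME_MAX];
    strcpy(name, input);                      /* no bounds check */
    return snprintf(out, out_len, "Hello, %s", name);
}

/* Hardened: refuse input that does not fit (including its terminating NUL),
 * then copy exactly the bytes checked.  Returns -1 on oversized input,
 * otherwise the length of the greeting written to 'out'. */
int greet_checked(const char *input, char *out, size_t out_len)
{
    char name[NAME_MAX];
    /* memchr is standard C; it scans at most NAME_MAX bytes, so a string
     * with no NUL in that range is rejected without reading further. */
    const char *nul = memchr(input, '\0', NAME_MAX);
    if (nul == NULL)
        return -1;                            /* would not fit with its NUL */
    size_t len = (size_t)(nul - input);
    memcpy(name, input, len);
    name[len] = '\0';
    return snprintf(out, out_len, "Hello, %s", name);
}

/* Returns 1 if the checked version accepts 'input', 0 if it rejects it. */
int accepts(const char *input)
{
    char out[64];
    return greet_checked(input, out, sizeof out) >= 0 ? 1 : 0;
}

int main(void)
{
    char out[64];
    const char *fits = "Alice";                                /* constructed: 5 bytes */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed: 32 bytes */

    greet_checked(fits, out, sizeof out);
    printf("%s -> %s\n", fits, out);
    printf("32-byte input %s by the checked version\n",
           accepts(too_long) ? "accepted" : "rejected");
    return 0;
}
```

The hardened version makes the fit check explicit and fails closed; the only difference a caller with well-formed input sees is that the function can now report a refusal, which is the behaviour the unchecked version was missing.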

Security consultant A.J. Reznor points out that every major worm other than the original Morris Worm from 1988 has leveraged a hole in Microsoft products. Reznor refuses to work with Microsoft products but still actively loathes the company because his network becomes "saturated with crap flying out of [Windows] machines." Spammers route their junk through MS machines infected with a trojan—a harmful computer program disguised as an innocuous one—that turns these machines into "zombies." "Even if we don't use them, we suffer from them," he says. "Kind of like secondhand smoke."

Microsoft's security problems are only going to get worse. The company designs its products to work together, creating a Microsoft monoculture. Because there are so many shared paths from Internet Explorer, Outlook, and Windows Media Player into the operating system, if you exploit one, you exploit them all. Vista promises to continue this consolidation by making the operating system the glue that connects users to their PCs, televisions, PDAs, and portable music and video players.
