Thursday, January 8, 2009

Microsoft Security - Keeping the Glass Half Empty

PCWorld has an article up on their site entitled, "Will Microsoft Corner the Desktop Security Market?" Hah! Like they cornered the browser market?

If Microsoft's "Trusted Computing" initiative had been more successful, I doubt we'd even be having this discussion. Owning the vast majority of the desktop OS market, combined with having a large target pinned on their back due to a robust history of easily exploitable vulnerabilities, Microsoft is sleeping in the bed they have made for themselves.

Career criminal Willie Sutton once said, when asked why he robbed banks, "Because that's where the money is." Why do hackers, crackers, the Chinese military, and Russian organized crime attack Microsoft products so often? Because it's a target-rich environment.

As the article points out, Microsoft has offered antivirus software since 1993, with the launch of MS-DOS 6.0. Surprised by that? You shouldn't be. Back when boot sector viruses were all the rage, AV was a much simpler product, but so was the operating system itself.

The original MS-DOS 1.0 had about 4000 lines of assembler code. By the time we got to Windows NT 4.0 in 1996, the OS had bloated to more than 11 million source lines of code. In 2001, Windows XP checked in at 40 million, and Windows Server 2003 had more than 50 million source lines of code. Vista has 50+ million. As complexity increased, so did the propensity for coding errors, undiscovered vulnerabilities, and attack vectors.

Compare the Microsoft stats to OpenSolaris with 9.7 million SLOC, FreeBSD at 8.8 million, or the Linux kernel 2.6.0 at 5.2 million. It's obvious that there's less code to review, and fewer doors and windows to check to confirm they are locked.

Complexity of code alone does not a security nightmare bring. FreeBSD still has a lot of code, but the development of this OS, with security in mind, was relatively slow and steady compared to other Linux products, and most certainly when you consider how rapidly Microsoft has launched their OS platforms. With six major operating systems brought to market in less than 15 years, Microsoft programmers seem like hamsters on spinning wheels. Add the hundreds of applications Microsoft has cranked out to run on top of the OS layer, and you have a staggering amount of complexity that needs to be managed from a security perspective. Microsoft's "Trusted Computing" initiative was a public admission that they had much work to do in this area.

Code complexity is one of the reasons that some groups have been designing more secure systems by separating code into sections that run in different security environments, or contexts, with or without elevated privileges. This helps developers make sure that sections that are critical from a security perspective remain small (by comparison) and can be easily audited for flaws.

Microsoft has been slow to the secure code party, and it's going to be difficult for them to catch up because of their commitment to a feature-rich product that their customers have come to expect. Introducing security usually comes with the trade-off of limiting functionality, impacting performance, and generally throwing a wet blanket on the whole user experience. Look what happened when Microsoft implemented UAC in their Vista product - users howled when they were prompted for authorization to perform what had previously been simple tasks, like deleting a file or folder. With Vista, frustrated Windows addicts were clicking scores of authorization pop-up screens, and they weren't happy about it, because they were accustomed to a much easier (and less secure) routine before. Well, maybe not scores - I kid. I'm a kidder.

The folks in Redmond have really struggled to get people to buy the various AV products that they've offered, and for good reason. Like many add-ons Microsoft either developed, bought outright, or licensed from other companies, functionality has generally been less robust than similar products offered by security vendors. PCWorld's article points out several examples of this, from the Windows built-in firewall to Windows Defender. I recall how much more effective and user-friendly the Zone Alarm personal firewall was in comparison to Windows firewall, and SpyBot Search & Destroy has earned my confidence where a bundled antispyware product would not. And don't get me started on the whole "defrag" thing.

I suppose there's something to be said for having your security products closely integrated with your operating system and core applications, for functionality reasons, but that's a double-edged sword. Take Internet Explorer as an example. One of the key user-experience benefits of IE was how tightly it was entwined with the OS and other apps, but that created two huge issues - the antitrust issues Microsoft spent millions fighting, and the browser security issues that continue to allow IE to be a launchpad for remote code execution that can compromise the entire system. I can put on my Swami hat and foresee similar issues with security integration if Microsoft doesn't do it right.

If Microsoft thought they could make money and gain market share by selling security products, they would do it. The fact that they are now giving it away tells me it's less about them being altruistic and more about Redmond providing a basic security framework for a customer base who either doesn't care or isn't sophisticated enough technologically to know the difference. If you can't sell it, give it away.

Will the US Government or Fortune 500 companies rely on an antivirus product that's shipped with the OS? I doubt it. And neither should you.
