Tuesday, February 16, 2010

Security, Stability and Microsoft

After 10 years of being serious about security, why does Windows still suck?

On January 12, 2010, Google announced via a blog posting that it had been the victim of a targeted, large scale, serious and successful set of Internet based attacks. The same blog posting also revealed that similar attacks had been successfully carried out against "at least 20" other companies. Underlying the "Aurora" attacks was a vulnerability in Internet Explorer that allowed remote code execution. The hole, CVE-2010-0249, had apparently been known to Microsoft for five months before the Aurora attacks were made public. Microsoft released security advisory 979352 to address the vulnerability two days later, on January 14th. Why did this problem go so long without being addressed by Microsoft? Why is Windows still vulnerable to these sorts of problems after 15 years of a commercialized Internet?

No Dummies

I doubt Microsoft is holding back creating the most secure and stable operating system on Earth because they are too dumb to know what that would look like. Microsoft hires brilliant engineers. I think they would deliver on security and stability if they could. But I think those folks are hampered in building a better quality OS for two main reasons.

Legacy

First, there's still a mile high rotting pile of stinking fish and compost bearing down on those engineers. This is the legacy of an earlier Microsoft that didn't understand that a network was more than a way to print and share files. The rot pile was thickened by a long series of marketing decisions that ignored stability and security in favor of short term market advantage. (In other words, they may have gotten a clue about networks and security, but management didn't care.) Since about 2000, Microsoft has been trying to undo the damage their first two decades wrought on the pockmarked face of the PC industry. They have had mixed success. Knocking DOS on the head helped. They also released a series of increasingly stable versions of NT with Win2K and XP plus service packs. But we all know how successful those were in the face of a rising tide of cybercrime, espionage and hooliganism through the first decade of the 21st century. Important advances were made with Windows Vista, but the disaster that occurred with that OS was partly due to those very changes, underscoring the difficulties Microsoft still faces trying to overcome its legacy. Windows 7 is a better try, but it still has problems. It is still a (growing) piece of the biggest virus target in the universe. And it is still a relatively soft target too. The applications running on top of Windows frequently fall victim, even if the core OS doesn't. In the Aurora case, the hole was in multiple versions of Internet Explorer, including IE8 on Windows 7.

Too Much Success

So that's the legacy problem. The second big issue is that trying to appease thousands of interest groups around Windows is very, very hard. Hardware and (especially) software vendors deliver solutions that vary in quality to an absurd degree. Windows, the biggest software market on Earth, welcomes this menagerie. Architectural improvements in development technologies like .net and the CLR help some, but they are no panacea. Another challenge for Microsoft is the relatively open Wintel hardware platform. Wintel isn't open in the sense that open source software is, but it's accessible to most companies wanting to design hardware to fit in, so many do just that. But drivers for the hundreds of thousands of hardware offerings for Wintel are an important source of Windows insecurity and (especially) instability. Altogether, these partners make demands on Microsoft that are no doubt hard to reconcile. But the real problem is that making changes to the OS, such as patches to security holes, is very, very, very hard. Can you imagine the testing nightmare that Microsoft must face when confronted with a tricky security hole? But that still doesn't excuse the more egregious examples of neglect, such as the Aurora fiasco.

Other Platforms

Other operating systems exist for PCs. They are in the minority, and so enjoy less intense scrutiny from the low-life scum that write malware and crack systems. But that's not the only advantage these alternatives have. Gnu/Linux and MacOS have an easier time with all this partly because they aren't saddled with a bad legacy. MacOS also has the advantage that the hardware platform is closely coupled to the OS, reducing or eliminating an important source of instability. The Linux kernel lacks this advantage, but shares with MacOS a set of rational architectures descended from its Unix forebears, and a commitment to security and stability. The Linux kernel adds transparent development to its list of advantages over Windows. The kernel team can turn on a dime with security problems because of good architectures, and because security and stability come first for them. Gnu/Linux applications vary widely in quality in this regard, but again, the Unix derived architectures mitigate most of the problems with bad apps.

Who is Hurting?

Microsoft faces a unique set of challenges that their current success and questionable legacy place on them. Though I often applaud people making money from imagination, after three decades of watching the clowns in Redmond, I have to say that the problems couldn't happen to a nicer bunch. But my glee at seeing the carrion crows coming home to roost on the house that Gates built is tempered by concern for the hundreds of millions of users of Microsoft software. So on balance, I wish the current group good luck in taming the hydra headed beast that is Windows.