Charles Arthur On technology
'Windows wasn't designed with security - or, indeed, the internet - in mind. Its innards predate that use significantly'
Wednesday 10 March 2004
When Bill Gates says, as he did recently at a packed conference of computer-security experts, that Windows is becoming safer all the time, he is being absolutely truthful.
This may seem surprising, as the "worm wars" between bizarrely named programs such as Netsky, MyDoom and Bagle grow ever more ferocious. But Gates (below) is being precise. He is not talking about the version of Windows that most people have on their computers. He is talking about the version that a tiny minority are using: the one that has all the latest patches and updates applied. He has it on his machine.
A great many people don't, and they're causing everyone, including themselves and innocent users (including those on non-Microsoft operating systems) a lot of trouble. They're the ones whose machines are still infected by worms such as Blaster, SoBig, and even Klez which, despite first appearing in April 2002, is still the fifth most prevalent virus on the net. And even when Klez appeared, it was exploiting a vulnerability (in Internet Explorer 5, but not later versions) that Microsoft had already fixed - in 2001.
Those people are also the most vulnerable to "phishing" scams that exploit weaknesses in Explorer to dupe people into handing over their bank, credit card, Paypal or eBay details, and to viruses and online hacking taking over their machines.
How many people are at risk? While there is no hard data as to how many people use which version of the operating system, a good guide comes from Google's visitor statistics. They reveal that 45 per cent of visitors use WindowsXP, the newest version. Of the rest, 24 per cent use Windows98; 18 per cent, Windows 2000; 3 per cent, Windows NT; 1 per cent, Windows95. (The rest use Linux, Macintosh and other operating systems; see www.google.com/press/zeitgeist.html).
At least half of those WindowsXP installations have never been updated to incorporate Microsoft's patches, because their owners won't know how to; and Microsoft shipped WindowsXP with the functionality to download those updates switched off. It also left the firewall turned off, and didn't close the "ports" to connect to services most home users would never need. Each of these problems is a fault of decision-making within Microsoft about the threats that the machines would face in a connected world.
Few people are better aware of those threats than David Aucsmith, responsible for Microsoft's "security architecture". "There's an army of people 'assisting' us in finding vulnerabilities in Windows," he said recently. Microsoft isn't lax in working on the fixes to holes discovered in Windows; in fact, says Aucsmith, only one attack has been the result of a vulnerability of which the company wasn't already aware. (He declines to name it, but evidence suggests it was last summer's "Blaster" worm.)
"But we can watch what happens when we release a patch for a flaw," he says. "There's a hacking tool that compares the patched operating system with the unpatched one, and generates code to exploit that." The problem is compounded in two ways. "Our Achilles heel is testing our patches against all the variations of customer software out there," said Aucsmith. "If we release a patch that futzes up a bank's software, there's hell to pay. The bad guys don't face the same constraints."
He also readily acknowledges that Windows wasn't designed with security - or, indeed, the internet - in mind. The development of Windows95 began in 1993. So although it came out just as the internet exploded into public use, its innards predate that use significantly. That's one area where rival operating systems have a definite advantage. Both Linux and Apple's Mac OSX are variants of Unix, built to handle multiple, potentially conflicting, users on a network. They presume that people may try to do bad things to the machine, and aim to forestall them; security is an axiom, rather than an add-on.
Microsoft is readying itself for the attacks that will be aimed at its next-generation operating system, Longhorn, due in the second half of the decade. But what if nobody gets the updates, or upgrades to the new version? Microsoft is, I understand, considering a trade-in system for users of older versions of Windows. But what about those using machines that can't run XP because they're too old? That, along with the question of whether Microsoft, or someone else, should foot the bill, means the idea is stuck inside the company for now.
Microsoft has produced a free "Windows Security CD" with updates to Windows (for all flavours from 98 onwards) valid until last October. Unfortunately, you have to order the CD online; and you need to set up a Microsoft .NET Passport account to do so. Microsoft's next "service pack" for Windows XP, due very soon, will turn the firewall on and the unused ports and services off. Future versions might even download the updates automatically.
It's a start, but unfortunately we aren't at the beginning of the problem. Next time you receive a phishing e-mail, or a virus, consider this: some people out there will believe them, and their machines won't protect them against them, even though - as Gates said - Windows is getting safer.
Microsoft Security Update CD: (www.microsoft.com/uk/security/protect/update.mspx)
- 1 VMAs 2015: Was Nicki Minaj and Miley Cyrus' awkward acceptance put-down real or staged?
- 2 If you're not already angry about the migrant crisis, here's a history lesson to remind you why you really should be
- 3 Rules on 5p plastic bags likely to lead to arguments at the check-out
- 4 Chaos breaks out in courtroom as father attacks killer of three-year-old daughter
- 5 Blood Moon and Supermoon: September to bring brightest – and dimmest – full Moon of the year on same night
VMAs 2015: Was Nicki Minaj and Miley Cyrus' awkward acceptance put-down real or staged?
Bank Holiday Monday opening times: Are Tesco, Asda and other supermarkets open today?
The nine most warmongering countries in the world revealed
Isis releases graphic video showing four Shia 'spies' being burned alive in Anbar, Iraq
Blood Moon and Supermoon: September to bring brightest – and dimmest – full Moon of the year on same night
Climate change: 2015 will be the hottest year on record 'by a mile', experts say
'Women only' train carriages: Jeremy Corbyn unveils radical move to tackle public harassment
Jeremy Corbyn calls Osama bin Laden's killing a 'tragedy' - but was it taken out of context?
Black holes are a passage to another universe, says Stephen Hawking
Tony Blair attacks Jeremy Corbyn's 'Alice In Wonderland' politics
Theresa May says migrants should be banned from entering the UK unless they have jobs lined up
iJobs Money & Business
£25000 - £30000 per annum: Recruitment Genius: From modest beginnings the comp...
£35000 - £40000 per annum: Recruitment Genius: From modest beginnings the comp...
£15000 - £65000 per annum: Recruitment Genius: This is an exciting opportunity...
£18000 - £20000 per annum: Recruitment Genius: This is a fantastic opportunity...