Charles Arthur On technology

'Windows wasn't designed with security - or, indeed, the internet - in mind. Its innards predate that use significantly'

When Bill Gates says, as he did recently at a packed conference of computer-security experts, that Windows is becoming safer all the time, he is being absolutely truthful.

This may seem surprising, as the "worm wars" between bizarrely named programs such as Netsky, MyDoom and Bagle grow ever more ferocious. But Gates is being precise. He is not talking about the version of Windows that most people have on their computers. He is talking about the version that a tiny minority are using: the one that has all the latest patches and updates applied. He has it on his machine.

A great many people don't, and they're causing everyone, including themselves and innocent users (including those on non-Microsoft operating systems), a lot of trouble. They're the ones whose machines are still infected by worms such as Blaster, SoBig, and even Klez which, despite first appearing in April 2002, is still the fifth most prevalent virus on the net. And even when Klez appeared, it was exploiting a vulnerability (in Internet Explorer 5, but not later versions) that Microsoft had already fixed - in 2001.

Those people are also the most vulnerable to "phishing" scams that exploit weaknesses in Explorer to dupe people into handing over their bank, credit card, PayPal or eBay details, and to viruses and online hacking taking over their machines.

How many people are at risk? While there is no hard data as to how many people use which version of the operating system, a good guide comes from Google's visitor statistics. They reveal that 45 per cent of visitors use Windows XP, the newest version. Of the rest, 24 per cent use Windows 98; 18 per cent, Windows 2000; 3 per cent, Windows NT; 1 per cent, Windows 95. (The rest use Linux, Macintosh and other operating systems; see www.google.com/press/zeitgeist.html).

At least half of those Windows XP installations have never been updated to incorporate Microsoft's patches, because their owners won't know how to; and Microsoft shipped Windows XP with the functionality to download those updates switched off. It also left the firewall turned off, and didn't close the "ports" to connect to services most home users would never need. Each of these problems is a fault of decision-making within Microsoft about the threats that the machines would face in a connected world.

Few people are better aware of those threats than David Aucsmith, responsible for Microsoft's "security architecture". "There's an army of people 'assisting' us in finding vulnerabilities in Windows," he said recently. Microsoft isn't lax in working on the fixes to holes discovered in Windows; in fact, says Aucsmith, only one attack has been the result of a vulnerability of which the company wasn't already aware. (He declines to name it, but evidence suggests it was last summer's "Blaster" worm.)

"But we can watch what happens when we release a patch for a flaw," he says. "There's a hacking tool that compares the patched operating system with the unpatched one, and generates code to exploit that." The problem is compounded in two ways. "Our Achilles heel is testing our patches against all the variations of customer software out there," said Aucsmith. "If we release a patch that futzes up a bank's software, there's hell to pay. The bad guys don't face the same constraints."

He also readily acknowledges that Windows wasn't designed with security - or, indeed, the internet - in mind. The development of Windows 95 began in 1993. So although it came out just as the internet exploded into public use, its innards predate that use significantly. That's one area where rival operating systems have a definite advantage. Both Linux and Apple's Mac OS X are variants of Unix, built to handle multiple, potentially conflicting, users on a network. They presume that people may try to do bad things to the machine, and aim to forestall them; security is an axiom, rather than an add-on.

Microsoft is readying itself for the attacks that will be aimed at its next-generation operating system, Longhorn, due in the second half of the decade. But what if nobody gets the updates, or upgrades to the new version? Microsoft is, I understand, considering a trade-in system for users of older versions of Windows. But what about those using machines that can't run XP because they're too old? That, along with the question of whether Microsoft, or someone else, should foot the bill, means the idea is stuck inside the company for now.

Microsoft has produced a free "Windows Security CD" with updates to Windows (for all flavours from 98 onwards) valid until last October. Unfortunately, you have to order the CD online; and you need to set up a Microsoft .NET Passport account to do so. Microsoft's next "service pack" for Windows XP, due very soon, will turn the firewall on and the unused ports and services off. Future versions might even download the updates automatically.

It's a start, but unfortunately we aren't at the beginning of the problem. Next time you receive a phishing e-mail, or a virus, consider this: some people out there will believe them, and their machines won't protect them against them, even though - as Gates said - Windows is getting safer.

Microsoft Security Update CD: (www.microsoft.com/uk/security/protect/update.mspx)
