Charles Arthur On technology
'Windows wasn't designed with security - or, indeed, the internet - in mind. Its innards predate that use significantly'
Wednesday 10 March 2004
When Bill Gates says, as he did recently at a packed conference of computer-security experts, that Windows is becoming safer all the time, he is being absolutely truthful.
This may seem surprising, as the "worm wars" between bizarrely named programs such as Netsky, MyDoom and Bagle grow ever more ferocious. But Gates (below) is being precise. He is not talking about the version of Windows that most people have on their computers. He is talking about the version that a tiny minority are using: the one that has all the latest patches and updates applied. He has it on his machine.
A great many people don't, and they're causing everyone, including themselves and innocent users (including those on non-Microsoft operating systems) a lot of trouble. They're the ones whose machines are still infected by worms such as Blaster, SoBig, and even Klez which, despite first appearing in April 2002, is still the fifth most prevalent virus on the net. And even when Klez appeared, it was exploiting a vulnerability (in Internet Explorer 5, but not later versions) that Microsoft had already fixed - in 2001.
Those people are also the most vulnerable to "phishing" scams that exploit weaknesses in Explorer to dupe people into handing over their bank, credit card, Paypal or eBay details, and to viruses and online hacking taking over their machines.
How many people are at risk? While there is no hard data as to how many people use which version of the operating system, a good guide comes from Google's visitor statistics. They reveal that 45 per cent of visitors use WindowsXP, the newest version. Of the rest, 24 per cent use Windows98; 18 per cent, Windows 2000; 3 per cent, Windows NT; 1 per cent, Windows95. (The rest use Linux, Macintosh and other operating systems; see www.google.com/press/zeitgeist.html).
At least half of those WindowsXP installations have never been updated to incorporate Microsoft's patches, because their owners won't know how to; and Microsoft shipped WindowsXP with the functionality to download those updates switched off. It also left the firewall turned off, and didn't close the "ports" to connect to services most home users would never need. Each of these problems is a fault of decision-making within Microsoft about the threats that the machines would face in a connected world.
Few people are better aware of those threats than David Aucsmith, responsible for Microsoft's "security architecture". "There's an army of people 'assisting' us in finding vulnerabilities in Windows," he said recently. Microsoft isn't lax in working on the fixes to holes discovered in Windows; in fact, says Aucsmith, only one attack has been the result of a vulnerability of which the company wasn't already aware. (He declines to name it, but evidence suggests it was last summer's "Blaster" worm.)
"But we can watch what happens when we release a patch for a flaw," he says. "There's a hacking tool that compares the patched operating system with the unpatched one, and generates code to exploit that." The problem is compounded in two ways. "Our Achilles heel is testing our patches against all the variations of customer software out there," said Aucsmith. "If we release a patch that futzes up a bank's software, there's hell to pay. The bad guys don't face the same constraints."
He also readily acknowledges that Windows wasn't designed with security - or, indeed, the internet - in mind. The development of Windows95 began in 1993. So although it came out just as the internet exploded into public use, its innards predate that use significantly. That's one area where rival operating systems have a definite advantage. Both Linux and Apple's Mac OSX are variants of Unix, built to handle multiple, potentially conflicting, users on a network. They presume that people may try to do bad things to the machine, and aim to forestall them; security is an axiom, rather than an add-on.
Microsoft is readying itself for the attacks that will be aimed at its next-generation operating system, Longhorn, due in the second half of the decade. But what if nobody gets the updates, or upgrades to the new version? Microsoft is, I understand, considering a trade-in system for users of older versions of Windows. But what about those using machines that can't run XP because they're too old? That, along with the question of whether Microsoft, or someone else, should foot the bill, means the idea is stuck inside the company for now.
Microsoft has produced a free "Windows Security CD" with updates to Windows (for all flavours from 98 onwards) valid until last October. Unfortunately, you have to order the CD online; and you need to set up a Microsoft .NET Passport account to do so. Microsoft's next "service pack" for Windows XP, due very soon, will turn the firewall on and the unused ports and services off. Future versions might even download the updates automatically.
It's a start, but unfortunately we aren't at the beginning of the problem. Next time you receive a phishing e-mail, or a virus, consider this: some people out there will believe them, and their machines won't protect them against them, even though - as Gates said - Windows is getting safer.
Microsoft Security Update CD: (www.microsoft.com/uk/security/protect/update.mspx)
Diving in at the deep end is no excuse for shirking the style stakes
- 2 PornHub begs users to stop uploading video clips of Brazil getting beaten 7-1
- 3 Why I'm on the brink of burning my Israeli passport
- 4 L'Oreal cuts ties with Belgium supporter Axelle Despiegelaere after hunting trip photographs
- 5 The true Gaza back-story that the Israelis aren’t telling this week
Game of Thrones author George RR Martin says 'f*** you' to fans who fear he will die before finishing Westeros saga
Loom bands: Bids for dress made from colourful rubber pass £170,000 on eBay
Supermoon 2014: When and why will the moon look bigger and brighter this summer?
Gaza-Israel conflict: The terrible price Palestinian children are paying for Israel’s war with Hamas
Rotten egg smell could help battle heart disease and Alzheimer's
Sustained immigration has not harmed Britons' employment, say government advisers
War is war: Why I stand with Israel
7/7 memorial defaced on anniversary of 2005 attacks with ‘Blair lied thousands died’ graffiti
Australia facing international condemnation after turning around Sri Lankans at sea
Even when it brutalises one of its own teenage citizens, America is helpless against Israel
Socialist Worker called to apologise over ‘vile’ article saying Eton schoolboy Horatio Chapple's death is ‘reason to save the polar bears’
iJobs Money & Business
£75000 - £85000 per annum + ex bens: Deerfoot IT Resources Limited: Biztalk Te...
£60000 per annum: Harrington Starr: Trade Desk Specialist (FIX, Linux, Windows...
£35000 per annum: Harrington Starr: Service Desk Analyst (Windows, Active Dire...
£40000 per annum: Harrington Starr: Network Engineer (CCNA, CCNP, Linux, OSPF,...