In-Depth

Security Experts Warn Microsoft's Pervasiveness Puts Companies At Risk

Dominance of the Windows platform, coupled with its insecurity, can't be ignored any further, one security analyst warns.

• By Stephen Swoyer
• 09/30/2003

Chances are that at one time or another you’ve argued this issue with your corporate CIO until you were blue in the face. Now a report from a group of prominent security experts makes it for you, without pulling any punches.

The report, entitled "Cyberinsecurity: The Cost of Monopoly", was authored by seven of the leading luminaries in IT security, including cryptographic specialist Bruce Schneier of Counterpane Internet Security, security consultant Perry Metzger, and Daniel Geer of the security firm @stake.

All seven authors participated in a conference call last week during which they discussed the report and its findings. The report's authors don’t mince words in describing both the source and scope of the problem.

"Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time,” the report states. “The only way to stop this is to avoid monoculture in computer operating systems … Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society."

It’s an alarmist diagnosis, with an even stronger prescription, but co-author Geer said that he’s nevertheless willing to stake his professional reputation on it. "There is a matter of competition policy and security policy that cannot be ignored any longer," he said. "It isn't any one factor, but a combination of factors that make this important. It's the nature of the platform that dominates every desktop everywhere. Its dominance, coupled with its insecurity, can't be ignored any further."

Added Metzger: “[We’re talking about] a gigantic susceptible population of machines. You can do awful things to vast numbers of machines. Whether or not the vendor is trying to protect the systems, with such a huge number of machines, any vulnerability can be spread to huge numbers [of systems].”

Surprisingly, the report’s authors didn’t attempt to place the blame on the alleged insecurity of Microsoft’s software, but, instead, on its pervasiveness. "If every machine on earth ran Mac OS X, it would be the same problem,” said Metzger.

Counterpane’s Schneier went even further, actually exonerating Microsoft of this charge. "I wouldn't put any of the blame on Microsoft … The problem won't be fixed based by the altruism of Microsoft, but by businesses saying this is a problem and we're going to fix it."

The authors offered little in the way of a solution, short of abandoning the use of Microsoft software, that is. "We're speaking as scientists, not as policy people. We understand there are lots of political ramifications to this," Schneier said.

Several of the authors suggested that government could have a leading role in any remedy of the problem, but didn’t prescribe concrete solutions.

The report was issued by the Computer and Communications Industry Association (CCIA), which counts among its members Microsoft rivals America Online Inc., Oracle Corp., and Sun Microsystems Inc. CCIA has also been involved in anti-trust action against the software giant. Although the authors said they weren't influenced by CCIA's relationship with Microsoft, the report's introduction—which was written by CCIA—is a harshly worded broadside against Redmond. "Microsoft's efforts to design its software in ever more complex ways so as to illegally shut out efforts by others to interoperate or compete with their products has succeeded … The presence of this single, dominant operating system in the hands of nearly all end users is inherently dangerous," it states.

ENT Magazine editor Keith Ward contributed to this article.