The Windows world is fertile ground for infinite virus plagues, especially when users refuse to take proper care of their computers.
Aug 27, 2003 | On Jan. 15, 2002, Bill Gates, the chairman of Microsoft, sent his staff a remarkably candid e-mail outlining his thoughts on the company's products: Our software isn't secure enough, he said, and we need to make it stronger. In the memo, which Microsoft quickly made available to the public, Gates lamented that computers -- unlike telephones or the water and electricity system -- do not meet the level of "trustworthiness" that the public expects of them.
"Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms," Gates wrote. "We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better."
But a year and a half since Gates sent his memo, it doesn't seem as if Microsoft is doing much better. Its software appears as vulnerable to security threats as it's ever been; indeed, August 2003 may be the worst month for viruses on record.
First came the Blaster worm, a bit of code that squirmed into Windows XP and 2000 machines through a hole that Microsoft discovered in July. After that, in the sort of twist you sometimes see in the underground virus-writing world, a good-guy variant of the Blaster worm appeared online. This worm, which some people call Welchia and others call Nachi, attempted to remove the Blaster worm from infected computers and to inoculate machines against further attack. (Because it was poorly programmed, though, many experts say it ended up doing more harm than good.)
Then, on Aug. 19, the Sobig e-mail virus -- the one responsible for all those messages from friends exhorting you to check out a purportedly wicked screensaver -- began shooting through inboxes. The virus, which only infects Windows machines, has been around before; its first incarnation, Sobig-A, appeared in January. But for reasons that are somewhat unclear, the current version, Sobig-F, has spread at an extraordinary rate -- according to some experts, it's the fastest-replicating virus of all time.
The surge in viruses has given Microsoft's detractors much to crow over. Many see the multiple plagues as proof that the company doesn't care about securing its code, Gates' memo notwithstanding. But is that really what we ought to conclude? Does the spread of Blaster, Welchia and Sobig -- not to mention Melissa, ILOVEYOU, Nimda, KLEZ, Code Red and the countless other Microsoft-dependent viruses and worms that have attacked most of the world's machines during the past five years -- prove that Redmond's code is shoddier than everyone else's?
Well, not really. "There have been many serious vulnerabilities found in Linux and Macintosh as well," explains Graham Cluley, a virus expert at Sophos. Microsoft even believes that, in terms of security flaws, "we're actually running below some of the competing platforms," according to Steve Lipner, Microsoft's director of security engineering strategy.
If Windows seems to suffer more for its holes, that's because virus writers find it a significantly more attractive target than the other operating systems, experts say. "They want to infect the world, and the easiest way to do that is to target Windows," Cluley says. And because Windows is the platform most malicious programmers devote themselves to damaging, causing havoc is a well-documented endeavor. "With 85,000 computer viruses in existence, it's not difficult to find out how to write a new virus for Windows. There's a lot of information out there," Cluley says.
There's one other reason why attackers might have more success with Windows -- its users. Not only do a lot of people use Windows, but a lot of tech-unsavvy people use Windows -- just the sort of folks who'd click on a message advertising a wicked screensaver, a virus-writer's dream.
Not that any of those factors should get Microsoft off the hook. Experts say that today's viruses illustrate, once again, the mistakes Microsoft routinely makes when it builds its software -- it adds in too many features, making its systems unnecessarily complex; it keeps safety add-ons, like the firewall it built into Windows XP, turned off by default; and it tightly integrates many of its applications, making it easy for a virus aimed at one kind of program to wreak havoc across your whole system.
"Microsoft likes to talk about vulnerabilities like they're the weather, like they just happen," says Bruce Schneier, the founder and chief technical officer of Counterpane Internet Security. "But in fact it's a mistake -- it's a programming mistake based on decisions they make, and it doesn't just happen."
But why does Microsoft make these mistakes? The company won't say this, but at least part of the reason could be that programs that are less than fully secure have been good for its business. "The average user of Windows does not want secure code," says Mike Sweeney, a security expert at Packetattack.com, a tech consulting firm. Typical computer users find maintaining their systems a pain; running an anti-virus program or a firewall, or making sure you're fully patched-up, is an inconvenience people would rather not deal with. "The trouble is, a computer's a commodity -- there's no license, there's no training, you don't need permission to use it. On the one hand that's a good thing, but on the other it leaves us open to all these viruses like Sobig."
Sweeney doesn't place the blame entirely on users -- "The fault's all around," he says, a sentiment most experts agree with. Microsoft and its users seem to deserve each other; the company makes dumb mistakes when it's building its software, and the users make many dumb mistakes when they're running it -- and every time something blows up, nobody does anything differently.
How can Microsoft address this situation and realize Gates' vision of a computer that is "so fundamentally secure that customers never even worry about it"? You start, experts say, in the obvious way -- you stop making dumb mistakes.