
Think Windows is insecure? You're wrong, says security firm Kaspersky. - barista
http://blogs.computerworld.com/18791/think_windows_is_insecure_youre_wrong_says_security_firm_kapersky
======
oconnore
People who say Windows is insecure aren't comparing it to Flash or Java, they
are comparing it to OS X, Linux, or *BSD. Without addressing that comparison,
this article is useless.

~~~
udp
It's amusing that Windows only recently introduced both real home folders and
UAC, when *nix had been working like that for years.

Imagine how much trouble could have been avoided if MS had used that model in
the first place...!

~~~
tptacek
Home folders and UAC have very little to do with the real-world security of
Windows vs. other operating systems. The reality is, even today, if you get
arbitrary code execution _on any operating system_ you are probably boned.

~~~
udp
Even when arbitrary code is being executed, if the user has limited
permissions kernel-level, a program can't screw up the whole system.

The Android NDK is reliant on this - any application in Android can perform
your arbitrary code execution, and it seems to be working out alright.

~~~
oconnore
The kernel is not some almighty bug free program. The question is then just
whether or not the person who has gained the capacity to run code on your
system knows an exploit that will give them root privileges.

The Android thing works because you aren't just running arbitrary code, you
are probably running code that you got from the Android Marketplace, which was
probably screened to make sure it doesn't do something bad.

~~~
udp
How would they be screened? If you include native libraries in your APK,
they're binaries, not code. They could scan the binary for API calls, but
you're permitted to call dlopen() etc, so you could always hide a shared
object in there and call it dynamically.

------
runjake
Windows 7 is pretty damn secure, perhaps more so than Mac OS X and Linux with
a default install. The problem is all the common shortcuts people (in some
cases are forced to) take to use the applications they need/want.

I still see regular end users routinely made administrators of their computers
for no good reason, or due to sloppy software (hello, Intuit).

~~~
beaumartinez
> _Perhaps more so than Mac OS X_

Windows 7 is many orders more secure than OS X—just look at Pwn2Own, OS X is
regularly the first to be eliminated.

~~~
tzs
Pwn2own doesn't work the way you think it does. The participants use prepared
exploits. You can't infer anything about the relative security of different
systems that both get exploited there.

~~~
recoiledsnake
Zero day hackers and the malicious Chinese hacker spies also use prepared
exploits, so you can infer _something_ about the relative easiness of finding
exploitable holes.

~~~
tzs
What do you think you can infer?

~~~
recoiledsnake
Pwn2own may use prepared exploits, but researchers tend to go for the easy low
hanging fruit, so there is a lot to infer from who falls on the first day etc.

Read this from the horse's mouth and see what you can infer from it.
[http://www.zdnet.com/blog/security/questions-for-pwn2own-hac...](http://www.zdnet.com/blog/security/questions-for-pwn2own-hacker-charlie-miller/2941)

~~~
SageRaven
I thought the Mac was exploited first because a Mac is more valuable than most
Wintel machines, thus a better material prize.

~~~
barista
You really think the hackers who spend hours of meticulous planning in
preparing the hacks do it for the material prize? Insightful...

------
tristanperry
I'd agree with these findings.

Windows 7 especially does seem fairly safe and secure. The only time I've had
a virus on my current computer is when I've actively downloaded files and run
them without properly scanning them first (which is 100% my own fault of
course; not a wise idea to download when rushing!)

I know some non-tech-savvy users who literally have 200+ programs installed
and 3+ of those spammy toolbars on their IE installs. When you've got people
who will download anything and everything they see, it's no surprise they get
loads of viruses - and then blame Windows when things go awry.

I agree that the architecture of Unix-based OSes is probably more secure than
Windows 7 overall, although this doesn't mean that W7 is insecure.

------
phatbyte
"...that conventional wisdom is wrong..." ... "...For the very first time in
its history...". So people are wrong to assume that windows products are
vulnerable just because for the first time in years it happened not to be?

This article is pointless imo, doesn't explain why is it any safer, only
assumes it because some hacker HIRED by microsoft said so.

~~~
Iv
Even worse: it just says that flash is more insecure than windows. Nothing
more.

------
fractalcat
Security isn't just about lack of buffer overflows. It's in the way users
interact with the system, and the way they're encouraged to interact.

In most Linux distributions, the user is encouraged (by the design of the
system) to, in almost all cases, either install cryptographically-signed
software packages vetted and maintained by the vendor; or download a source
package and compile it themselves. In Windows, the user is encouraged (by the
design of the system) to download unsigned binaries from all over the Web and
run them.

That's why I'll never consider Windows to be comparably secure to modern Linux
distributions. Sure, you can keep a Windows system airtight, but the way the
system is designed makes it require effort, so users, in general, don't.

~~~
bad_user
I'm a Linux user and I do agree, but I do have to tell you - the lack of
universal binaries that you can just download and install on a Linux
workstation is one of the reasons Linux will never be as popular as Windows or
even OS X.

People want convenience over anything else. A computer has to be secure in
spite of people downloading software from all over the web.

~~~
xilun0
Considering how I use computers, most of the time I found it far more
convenient to apt-get search and 20s later install (or the equivalent with
the package manager you use) than downloading a random piece of software from
a random internet site, which from this point might become a risk if it does
not auto update, and if it does it's with a stupid yet-another rewritten auto
update program that always uses 50 MB of RAM for just one program installed on
the system, even when the program does not run.

And considering the success of "app stores" and the general dislike of the
traditional windows desktop computers by the general public (except if you are
fool enough to help them for free doing all the busy work maintenance tasks
that can't even exist on serious systems), I guess the centralized packaging
and distribution model is also pretty convenient for the general public...

------
Herring
> _living in the past_

Yeah and so is everyone on XP, and there are a lot of them worldwide.

~~~
discreteevent
It's not necessarily my favorite OS but I think that in general a lot of
commenters have been living in the past (particularly wrt performance and
reliability) since windows switched from 3.1 to NT.

------
m0nastic
To be fair, almost all of the proclamations I see from people about Windows
being insecure are based on old, pre-SP2, pre-SDLC anecdotes and experiences
(which were definitely true at one point, but haven't been true for quite a
while).

It would be like if I railed against Linux being usable by complaining about
how bad the sound subsystem was...

This Usenix video from last year of Crispin Cowan going over improvements to
Windows security was interesting:

<http://www.usenix.org/multimedia/sec10cowan>

------
beck5
I'm not a security expert but saying something isn't in the top 10 worst
anymore isn't the same as saying it's now better, Flash & Java may have become
more insecure.

------
Mithrandir
Define insecure/secure.

I know that if a popup tells me I can get free cat screensavers at
'randomwebsitewitharandomname.com', it's most likely fake and might have a
virus attached. I don't download it and my system is 'secure'. However, if I
don't know it's fake (i.e., I'm not experienced with computers at all,) I
might download it. Now my system is insecure. Whoopee.

You could say that a system is only secure if it can catch things like that
before it's too late. The problem there is that Windows, like other OSes, does
not come with any anti-virus program built into the system itself (I'm
excluding security measures built into Windows as this doesn't fully protect
it.) Windows is only secure from viruses when an antivirus program is used.

Of course, that doesn't make other systems safe. Just because Mac and
GNU/Linux viruses are rare doesn't mean it's secure. This mentality is
'security by unpopularity'. The real argument is in how these systems would
protect themselves from viruses that actually ran on them if those viruses
were as prevalent as Windows viruses and the systems were used as much as
Windows. On that, we can only speculate.

My point is that I'm only secure if I know what I'm doing; software is not
built to replace common sense.

~~~
pnathan
> _I'm only secure if I know what I'm doing; software is not built to replace common sense_

That's an excellent and succinct statement of security; can I use that line?

~~~
Mithrandir
Haha, sure!

------
seivan
BS. Kaspersky and others' biggest market is on Windows. They thrive on sold
Windows copies.

~~~
barista
By that logic touting that their biggest market is a secure OS does not help
their bottom line does it?

~~~
epo
Not necessarily, it could mean that one market is saturated and they are
looking to open up new markets.

------
grandalf
I don't understand why in Windows Vista the security escalation dialog box has
several different appearances depending on the context.

~~~
simonbrown
It's explained here:

[http://blogs.msdn.com/b/oldnewthing/archive/2007/03/30/19916...](http://blogs.msdn.com/b/oldnewthing/archive/2007/03/30/1991616.aspx)

~~~
grandalf
interesting! thanks for posting that.

I still think it's bad design b/c it fails to train the average user to avoid
false privilege escalation dialog boxes.

------
ldar15
On the one hand, the evidence provided to back this claim is pretty lame:

      1. Microsoft vendor says so.
      2. Windows blogger says so.
      3. Person *hired* by Microsoft says so.

That said, if Adobe can no longer say "hey, at least we're not as bad as the
people who make the operating system", we may finally see some effort by them.
More public shaming the better.

~~~
olliesaunders
Kaspersky sell security software, if anything they’re likely to make claims
about how bad security is so that people will buy their software.

------
aneth
The millions of hijacked Windows XP machines ready to do a botnet's bidding might
beg to differ.

Let us never forget that Microsoft Windows is responsible for, among much
else, the transfer of critical trade secrets, diplomatic communications, and
weapons technologies to our competitors and enemies. If China wins World War 3
in 50 years, Windows, albeit indirectly, will be significantly responsible.

Windows 7 may be more secure, but XP is still a major drain on society.

~~~
recoiledsnake
By that same token, Windows was responsible for commoditizing the hardware by
keeping the OEMs in competition with each other, leading to free fall of
computer prices and thus putting a computer on almost every desktop and in
most laps around the world. Even Apple moved to the x86 platform to take
advantage of the scale and prices.

If you think Apple hardware is overpriced now, imagine if they didn't have any
competition from Sony, Dell, HP, Acer, etc.

Back to your argument. Let's see:

[http://www.nytimes.com/2011/06/02/technology/02google.html?p...](http://www.nytimes.com/2011/06/02/technology/02google.html?pagewanted=all)

> She highlighted a fake document titled “Draft US-China Joint Statement” that
> was circulated among people with e-mail accounts at the State Department, the
> Defense Department, the Defense Intelligence Agency and Gmail. Clicking to
> download the document directed users instead to a fake Gmail log-in page that
> captured their passwords.

So that attack wouldn't have worked if the user was on an iPad or Droid or a
Macbook Air or running the most hardened Linux computer. Right?

Zero days have been found in every browser/OS combo around. It's hard to see
how OS X would fare better in a very targeted attack as Safari/OS X is usually
one of the first to fall in PWN2OWN where the reward is a Macbook (not a win
in a World War).

Stop getting your news only from places like Boycott Novell,
Groklaw, Slashdot, HN and the comments there. It warps your mind.

~~~
aneth
You are correct that Windows was responsible for the commoditization of
computing. You are also correct that many hacks occurred through means other
than unpatched Windows machines. Neither of those truths changes the fact that
Windows XP has been and continues to be a serious issue for national and
corporate security.

Almost every computer in China runs a pirated version of XP that can not be
patched and is vulnerable and likely infected with some sort of botnet
software. Many corporations and agencies in the US have been compromised in
this way as well.

