
Microsoft: Third party apps killing our security - nickb
http://blogs.zdnet.com/BTL/?p=10639
======
tptacek
This rings true --- almost obvious --- and I don't think it should surprise
anyone here. Some facts:

* Every major product Microsoft ships gets weeks (or, in the case of core OS components, months) of outside security testing. Look at the past 7 years of Black Hat talks, and the majority of the speakers/researchers now work for firms contracting to Microsoft to pen-test their code.

* Every Microsoft developer working on a major project has been trained for secure programming, and the courseware and objectives for those courses were designed by acknowledged experts in security.

* Microsoft is the single most targeted vendor in all of IT; every security company with a research team spends a significant amount of cash to reverse engineer components and attempt to find flaws in them. Microsoft benefits from this by getting first dibs on almost every new bug class.

Compare this to the third-party software developers; none of these things are
true. Just in terms of external testing; factor out Adobe, Apple, and Mozilla,
and you'd be surprised to find a vendor that _did_ have a policy of third-
party assessments.

The Microsoft Insecurity story was a real issue in 2003. Bill Gates got up and
said they were going to make security a key focus for the company. Normally,
you ignore a statement like that. This time, they meant it, and they had
hundreds of millions of dollars to back it up.

Microsoft is the best commercial closed-source vendor in the industry at
security.

------
brk
Yet linux and OS X don't seem to have this "3rd party apps security issue".

I have personally never bought the "installed base" argument, where Windows
gets the majority of the attention because it has more users. Most computer
virii seem to be clustered around gaining remote control or access to a
machine to either steal data (files, keystrokes, etc) or turn the machine into
a zombie. Thus, the "hackers" (yes, I know) don't really care what OS you're
running, they will exploit whatever is exploitable. Sure, Windows has the
largest installed base, so they would make a logical first choice, but we
would also expect these exploits to be ported to other platforms IF those
other platforms were similarly exploitable.

~~~
tptacek
Think more carefully about your argument. The hackers don't "care" what OS
they're targeting --- that much is true. The aesthetics of POSIX vs. Win32 vs.
Carbon are not a major deciding factor for them.

What is a deciding factor is, "how much money will I make for each line of
code that I write". The answer:

* Linux: Negligible.

* Mac OS X: Very near negligible.

* Win32: Very significant.

Malware authors are only going to move to new platforms when they hit "peak
oil" for Win32 --- when there is so much competition for new desktops that
it's worth it to target an OS that has a 5-10% share. We are nowhere near that
point yet.

The words "similarly exploitable" are slippery and imprecise. The overwhelming
majority of Windows "infections" are not caused by Win32 platform flaws.
They're caused by unsafe user interactions with the web browser and mail
programs. Those exact same unsafe interactions are present on OS X. Are the
two "similarly exploitable"? Well, if writing a Mach-O malware shim is
"similar" to writing a Win32 PE malware shim, then sure. Otherwise, no.

PS: Bona fides: my company is standardized on OS X, I came to OS X by way of
Yellow Dog Linux on a TiBook, and prior to that I'd been FreeBSD since 1994.
I've got an aggregate of 5 months of Win32 "userhood" in my whole career
(though much more exposure at a systems programming level). I'm not an
apologist; I just think the Win32 security haters are wrong.

~~~
teej
I don't see the difference between a Linux "zombie" and a Win32 "zombie". I've
personally seen both platforms get compromised and when it happens the results
are typically the same.

I'm solidly behind the theory of viruses being made for the cheapest platform
available - Windows and Linux.

~~~
tptacek
What does a virus care about how "expensive" the platform is that it infects?

~~~
teej
The person creating the virus cares. Affordability of the platform is a major
issue when the producers are coming from eastern Europe.

~~~
tptacek
I'm thinking that suggesting that Eastern Europeans care about the cost of an
OS license is a really weak argument.

Malware authors care about exactly one number: the ratio of the dollars it
takes to put a malware program out in the field over the dollars collected by
that malware program. That ratio is good for Windows, and extraordinarily
crappy for Linux. If my mom (and all moms like her) switched to Ubuntu, the
ratio would get better.

------
tzury
Just wondering about IIS, IE, MS SQL Server, MS Exchange, NtOsKernel.dll,
OutlookExpress, MS Outlook, MS Office VBA macros, WSH (vbs/js), COM/OLE,
ActiveX, and the list goes on...

All major security holes and vulnerabilities found so far in these products
are 3rd party?

~~~
tptacek
No, but security defects are found in these bits less frequently than in their
ISV competitors. There's been one remote found in IIS 6 in the last 2 years;
none in IIS 7.

_[edit]_ lemme correct myself --- there's been one remote _that you heard
about_ found in IIS --- the rest, Microsoft paid a shitload of money to find
privately.

