Guest Blog: Bill Claybrook, Market Analyst for Novell

By: Bruce Lowry

January 24, 2006

Today we're launching the first of periodic guest blogs from folks associated with Novell who have something to say on important issues that touch Novell's world. Today's post is from Bill Claybrook, who handles market analysis on open source and operating environments for Novell. Some of you may know Bill from previous incarnations, including stints at Compaq and EMC, as well as with the Aberdeen Group and Harvard Research Group. Here's Bill's take on the latest Microsoft security issues:

"On December 27, 2005, Microsoft acknowledged that malicious attacks were taking place on some of its customers' Windows 98, Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 systems. The attacks involved an unknown security vulnerability in the Windows metafile (WMF) code area. After saying that it would issue a patch on January 10, 2006, Microsoft gave in to user pressure and issued a patch on or about January 5, 2006.

Last week Microsoft indicated that it has issued a critical patch for the same or similar security vulnerability (WMF) for the beta version of Windows Vista. The WMF vulnerability allows an attacker to gain complete control of a Windows system. That such a security vulnerability would affect Windows Vista should not be surprising to the computing community. Much of the code in Windows Vista is the same Windows code that has been full of security vulnerabilities for the past 10 or more years. Even though Microsoft has indicated, to customers, that Windows Vista will be a much more secure operating system than previous versions of Windows, this security vulnerability is an indication that Windows Vista will suffer from the same security vulnerabilities as the older Windows operating systems. Microsoft has been touting its new code development processes, and its spending on developing more secure code (about $2 billion per year) as an indication that Windows Vista (and Windows Longhorn Server) will be significantly more secure than even Windows XP SP2. But Microsoft does not get it. Basic secure operating system research, from the 1970's and early 1980's, indicates that security must be built into an operating system from day one, and the operating system must be modular — Windows is neither. Adding code on top of an inherently insecure operating system, which is what Microsoft is doing and has been doing since it got security religion two years ago, will never make Windows a secure operating system.

Windows now has about 50 million lines of code, and a large percentage of the code was written in the Windows 9x, NT 4.0, 2000, and XP time frame when Microsoft had virtually no focus on security. And tightly integrating Windows applications with the Windows kernel greatly reduces modularity. This is the reason, along with little Microsoft understanding of basic security techniques, that Internet Explorer, IIS, etc., which are vulnerable to security attacks, allow an intruder to bring down entire Windows systems. Microsoft's approach to security is like trying to plug holes in a dike. Customers that continue to deploy Windows operating systems for Web-facing and other mission critical applications will be plagued with a plethora of security vulnerabilities even with Windows Vista and Longhorn Server. The reasons are simple: Windows was not designed with security in mind and a very large percentage of the code in Windows Vista was copied from the older, highly insecure Windows operating systems. We expect that Windows Vista will be a frequent target of security intruders as soon as it is released. And security vulnerabilities in the older versions of Windows will have to be patched in Windows Vista just like the WMF vulnerability."

12:04 pm
