Report: Windows Dominance a Hindrance to Security

A new report from a group of security experts concludes that the ubiquity of Windows is making the Internet more vulnerable to attacks than if there were more diversity of products.

The sorry state of security on the Internet is only going to get worse unless governments, enterprises and home users make a conscious decision to move away from their addiction to Microsoft Corp.'s software, according to a new report from a group of renowned security experts. The report, released Wednesday, concludes that the ubiquity of Windows and other Microsoft products has made the world's computing infrastructure far more vulnerable to attacks and viruses than it would be were there more diversity of products.

"It isn't any one factor, but a combination of factors that makes it hard to ignore this point," said Dan Geer, chief technology officer of @stake Inc., based in Cambridge, Mass., and one of the authors of the report. "[Windows'] dominance coupled with its insecurity can no longer be ignored and is a matter of public and private policy."

Windows runs on more than 90 percent of the desktop PCs in the world and also commands a large market share in the enterprise server market. While various versions of Unix and Linux also have significant portions of the back-end enterprise market, Microsoft essentially has no competitors in the desktop arena. Apple Computer Inc. never has been a serious player in the business market, outside of a few niches such as graphic design.


This state of affairs has had a tremendously negative effect on the security of the world's networks, according to the report's authors.

"Because of Windows' ubiquity, you can do awful things to a vast number of machines," said Perry Metzger, an independent security consultant and one of the authors of the report. Among the other authors are Bruce Schneier, CTO and founder of Counterpane Internet Security Inc.; Rebecca Bace, a well-known expert on intrusion detection systems and co-founder of Infidel Inc.; John Quarterman, founder of Matrix NetSystems Inc.; Charles Pfleeger of Exodus Communications Inc.; and Peter Gutmann, a computer researcher at the University of Auckland in New Zealand.

The paper was released by the Computer and Communications Industry Association in Washington.

Although many of the paper's authors are frequent critics of Microsoft, they don't all believe that the software giant should shoulder all of the blame for the lack of diversity.

"I wouldn't put any of the blame on Microsoft. They're a smart company. What are they going to do? Say that in the name of security they're only going to sell half as many products?" asked Schneier, who is often at odds with the Redmond, Wash., company and its security policies. "The blame is going to fall mostly with the buyers. Alternative solutions do exist."

But Geer wasn't so willing to let Microsoft off the hook.

"Heroin addicts shouldn't buy heroin. But neither should their dealers sell it," he said. "We wrote this paper for people who are willing to think. Policy changes have to involve people who know something, not just people who have power."
