If you go back six years to Windows NT and Windows ME, and take the state of Microsoft security then and compare it to what it is now, and visualize the line of improvement you’d see what looks like a reverse hockey stick: a slow ramp at first with a near vertical ramp over the last few years.
Granted the exposures have increased as well, but arguably not as quickly, and now you can at least argue that Microsoft’s security is adequate in many ways if not exemplary.
Security improvements with Apple haven’t been as pronounced as that platform was already seen as relatively secure as it’s based on UNIX which traded off ease of use for security early on and Apple, wisely, didn’t break the security model.
Firefox was largely protected by its obscurity, few used it and, at least initially, those taking advantage of exploits seemed more interested in making a statement than in getting access to personal information. That has clearly changed with the focus of many of the most damaging attacks now focused on identity theft and the criminals are now targeting both Apple and Firefox.
Symantec: Firefox and Apple Less Secure
As reported in news, Symantec has taken the formal position that Firefox is less secure today and OSX may be less secure in the future as attacks against those two products are projected to significantly increase over the next few years.
The security vendor pointed out that there may, in fact, be a focus on OSX users and called out the OSX/Weapox as a potential example of that. Our sense is that this is because, as a group, Apple users are generally more affluent then your average PC user.
Apple users generally don’t use security products and, since they haven’t had the security problems in the past, they are likely more vulnerable to certain kinds of attacks (phishing for instance) that Windows users are now wearier of due to experience. The combination of wealth and vulnerability apparently isn’t lost on the criminal element.
Firefox users simply don’t have the level of aggressive patch protection provided by Microsoft and many took the Firefox browser because they mistakenly thought it was a security product. As a result they probably don’t have levels of security they need.
Even Symantec admits that at the back-end Linux is not getting the level of attention with regard to attacks that Microsoft platforms are getting. This is probably due to two things: Linux still is perceived to be comparatively secure and as a Web site platform more then a repository for sensitive information.
In other words, people believe it is more secure and not used for the kinds of things that would connect to the financial information the criminals are after.
Even if Microsoft were to make their servers as secure as Linux is today, something that is, in fact possible with the proper multi-level protections in place, the increased attack rate would continue to make the information on the Windows platform more vulnerable. In short, Microsoft has to be vastly more secure with their server platform then the open source folks do to reach some level of parity or the attack rate needs to become more balanced.
The next big move in this space will be with the Longhorn server release in 2007 that will apply enhancements to the Windows Vista model to Microsoft server platforms. This will be the near-term test for Microsoft and their biggest problem is overcoming human error and internal theft –both that remain the biggest security exposure for the foreseeable future.
If they can better address these exposures, something that by its nature open source platforms have more exposure to, Windows servers could move ahead of Linux enough to be perceived as superior. Currently I am unaware of any such move.
Microsoft’s recent reorganization into three operating units greatly increases its efficiency and focus on platforms like Windows and should, if done correctly, further accelerate their qualitative improvements that include security.
Jim Allchin has made this his personal mission and looks at Vista as his legacy. It is partially why we’re seeing what appears to be an uncharacteristically massive improvement over what is, for Microsoft, a relatively short period of time.
Part of the problem at Microsoft has been the attrition of key people and the dissatisfaction of those remaining.
Bureaucracy has been highlighted as the core problem and the reorganization coupled with Ray Ozzie’s promotion into the spot behind Bill Gates should address this issue very well. Ozzie is as well regarded as Linus Torvalds and is known as someone who takes care of his people.
This should result in a transition, over time, for Microsoft into a better place to work and it also showcases a change in the firm from one that was more IT-executive focused to one that is more developer-focused.
This is a return to Microsoft’s early roots in a way and positions the company much better against the open source threats it is facing. In effect, it puts a person who understands the key benefits of open source in a position to change the company to better provide similar benefits to developers.
This connection improves the entire .Net platform and goes well beyond Windows over time, once again focusing on Microsoft’s sustaining competitive advantage which has more to do now with the entire .NET platform then it does just the OS.
With Windows Vista’s benefits largely surrounding its improved security it isn’t hard to picture a time in the not-to-distant future when we may conclude that Windows and IE are secure enough and that the other platforms are once again wanting.
We can recall that the original Netscape browser was light years ahead of IE but that IE passed it within a couple of years. Netscape no longer exists as a company largely as a result of that and some incredibly foolish executive decisions.
While far from perfect, Microsoft has shown an impressive ability to focus on threats to its future and its ability to trounce IBM, Novell, and Netscape over the years has been showcased over and over again.
This time it is all about security and, if Microsoft can keep up the pace, they have every possibility of hitting this goal and once again set the pace for their competitors.
In short, we are seeing the result of Microsoft being mad and focused and as IBM, Novell, Sun, and Netscape have learned; when Microsoft is both mad and focused they do get the job done.
Rob Enderle is an analyst specializing in emerging personal technologies. He heads the Enderle Group, and has been an IT analyst since 1994. He spends his free time building computers and playing with personal technology prototypes. He can be reached at [email protected]