Microsoft's Security Chief Says Windows Safer Than Linux

AXIOM:
Yeah, right. Microsoft once again has used another company's hard work and innovation to bolster their own success instead of creating something themselves. Anyway, here is the link to the article:

http://www.informationweek.com/story/showArticle.jhtml?articleID=60300220

 Microsoft's Security Chief Says Windows Safer Than Linux Feb. 10, 2005  

Microsoft's top security honcho insists that Microsoft "is making progress on security using any reasonable metric."
By Gregg Keizer
TechWeb News

Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."
Mike Nash, the company's chief security executive, made the comment during an online chat session just days after Microsoft rolled out its biggest bunch of Windows patches since April 2004.

Nash staunchly defended the Redmond, Wash.-based developer's progress, and compared Windows' flaws with those in open-source Linux operating systems from Red Hat and Novell's SuSE.

"Even with the relatively large number of bulletins we released this week, we compare favorably," he said. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

Nash also said that the number of patches shouldn't be the only criteria users apply to tell if Microsoft's doing its job. "Note that this is just one measure, and doesn't take into consideration all of the other progress we're making, with security guidance for customers, improving security manageability and introducing innovative security solutions and technologies," he said.

When asked if Microsoft would consider refining its four-step severity rating system to give additional guidance to enterprises wrestling with deciding which of the 10 critical vulnerabilities of Tuesday to patch first, Nash said that for 2005, the rankings will remain as is.

Nash also took questions about this week's acquisition of Sybari Software, a maker of enterprise-oriented anti-virus and anti-spam add-ons for messaging platforms such as Microsoft Exchange and Lotus Notes. In particular, he said that the anti-virus scanning engine acquired in 2003's purchase of Romania-based GeCAD would be supported by Sybari's products this year.

"One of the engines we will be supporting soon after the deal closes is the GeCAD engine," said Nash.

That move may put additional pressure on third-party vendors whose engines are currently supported by Sybari, which include those from Sophos, Computer Associates, and Kaspersky Labs.

And Nash talked up Microsoft's work on a desktop anti-virus product.

Although he refused to get specific about when Microsoft will release desktop AV software, the company is "working hard on it." It will be based on the GeCAD technologies, he said, but with numerous enhancements.

"GeCAD was very solid when we acquired it . . . That said, there were some things we wanted to improve. We feel very good about the progress we have made [and] know we have to have great technology before we ship our own desktop AV solution."

The combination of the Sybari purchase and the looming entry of Microsoft into the desktop anti-virus market has investors in major security firms like Symantec and McAfee worried.

As well they should, wrote three Gartner analysts Wednesday. "The Sybari architecture will also enable Microsoft to plug in its own AV engine," Gartner analysts Neil MacDonald, Arabella Hallawell, and Maurene Caplan Grey wrote. "Gartner believes Microsoft AV engine, along with its signature service, will be the foundation of Microsoft's forthcoming desktop offering."

The AV engine would be the one developed from GeCAD, the same that Sybari's products will support when the acquisition closes sometime before the end of the second quarter.

"We have not announced the availability date of our desktop AV solution at this point," said Nash. "That said, we do expect to have the GeCAD engine available on the Sybari platform soon after the deal closes. I would certainly expect that to be this year."

Nash also repeatedly said that it would be important for Microsoft to tie its various security tools together in the enterprise. "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and anti-virus," he said. "We're currently working through specific requirements."

In a final note, Nash said that Windows AntiSpyware, the tool acquired during its December 2004 purchase of Giant Company Software, will go through at least one more beta version before it's released. In related news, Microsoft's anti-spyware product has been targeted by virus writers, in what experts believe is the beginning of what will be a salvo of malware attacks on Microsoft security products.

As other Microsoft executives have said in the past, Nash wouldn't reveal whether AntiSpyware would continue to be offered free (as the beta is now), or whether fees would be charged. "We have not yet finalized the packaging/licensing, but will communicate that as soon as it's determined, so stay tuned," he said.

Orethrius:
Allow me to reply in like kind to the largest batch of misinformation I've seen come out of a major American multinational since "so easy to use, no wonder we're number one."  Point-by-point analysis of the quoted article:


--- Quote ---Microsoft's Security Chief Says Windows Safer Than Linux
--- End quote ---


By what standard, pray tell?  Perhaps we'll find out more as we go on...


--- Quote ---Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."
--- End quote ---


Would "any reasonable metric" include independent review of clear-box code?  No?  Why is that?  Oh, that's right, Windows is black-box, making such analysis - for all practical intents and purposes - IMPOSSIBLE.
 

--- Quote ---Mike Nash, the company's chief security executive, made the comment during an online chat session just days after Microsoft rolled out its biggest bunch of Windows patches since April 2004.
--- End quote ---


If that isn't the pot calling the kettle black.  You mean these vulnerabilities are at least a year old?  How many others JUST LIKE THEM are we unaware of because of the proprietary procedures used to guard the Windows source?  Better yet, how is keeping the kernel closed - when malicious hackers are doing their damnedest to decompile it - keeping it secure?  Where's the logic to the conclusion that's being drawn here?


--- Quote ---Nash staunchly defended the Redmond, Wash.-based developer's progress, and compared Windows' flaws with those in open-source Linux operating systems from Red Hat and Novell's SuSE.
--- End quote ---


You can't do that.  You really CANNOT.  A mass of root-level security breaches, that took 365+ days to fix, versus a handful of root accesses that were fixed within weeks, if not days, of being noticed by a number of independent coders in the kernel sources?


--- Quote ---"Even with the relatively large number of bulletins we released this week, we compare favorably," he said. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."
--- End quote ---


Of which, how many were critical flaws?  How many on each system?  Last I checked, there were maybe five common vulnerabilities among the Linux distros, and those were all fixed within moments of being noticed.  How many were root-level flaws on Windows?  Last I checked, by design, most - if not all - of them.   Nash, you're also making a faulty comparison by rationalizing each patched vulnerability as a known root-level exploit.  You can't do that and expect an honest outcome, particularly when your OWN product has what is likely a GREATER number of exploits that nobody - save a handful of coders that can't read their own source because of the lack of comments, for design "efficiency" - can find, let alone comprehend.  Just because nobody robs the house, that doesn't mean the door was closed and locked.  Likewise, just because the door was closed and locked, that doesn't mean nobody robbed the house (by climbing in the Windows, :D).  It goes both ways.


--- Quote ---Nash also said that the number of patches shouldn't be the only criteria users apply to tell if Microsoft's doing its job. "Note that this is just one measure, and doesn't take into consideration all of the other progress we're making, with security guidance for customers, improving security manageability and introducing innovative security solutions and technologies," he said.
--- End quote ---


I'm going to give him the benefit of the doubt here.  He may be delusional, but he brings up a valid point, despite the fact that he fails to practice what he preaches.  If your source was open, you wouldn't HAVE to guide customers to security fixes (well, not the majority, at any rate), they'd find the patches and/or fix them themselves.  Oh, and Windows Security Center is nothing to be proud of by any stretch of the imagination.  You should have done that when XP first came out, if not sooner.  Don't say you "introduce innovative security solutions and technologies" either, most of those can be backtraced to companies you either bought out or drove out of business by swiping their open-source code and closing it, in flagrant violation of the LGPL.  That being said, at least you didn't claim you "invent security solutions and technologies."


--- Quote ---When asked if Microsoft would consider refining its four-step severity rating system to give additional guidance to enterprises wrestling with deciding which of the 10 critical vulnerabilities of Tuesday to patch first, Nash said that for 2005, the rankings will remain as is.
--- End quote ---


That's the first sensical thing I've heard yet, although I still think "Root / Negligible" would be simpler than the current four-level severity ranking.  That is to say, you either can get root access with the exploit, or you cannot.


--- Quote ---Nash also took questions about this week's acquisition of Sybari Software, a maker of enterprise-oriented anti-virus and anti-spam add-ons for messaging platforms such as Microsoft Exchange and Lotus Notes. In particular, he said that the anti-virus scanning engine acquired in 2003's purchase of Romania-based GeCAD would be supported by Sybari's products this year.
--- End quote ---


Thanks for the insight Sherlock.  An acquired corporation's engine being supported by said corporation's products?  What a novel concept.  Microsoft should look into it some time.


--- Quote ---That move may put additional pressure on third-party vendors whose engines are currently supported by Sybari, which include those from Sophos, Computer Associates, and Kaspersky Labs.
--- End quote ---


That would be precisely why I use BitDefender, SpywareBlaster, and Ad-aware SE almost exclusively on systems where my client insists on using Windows.


--- Quote ---Although he refused to get specific about when Microsoft will release desktop AV software, the company is "working hard on it." It will be based on the GeCAD technologies, he said, but with numerous enhancements.

"GeCAD was very solid when we acquired it . . . That said, there were some things we wanted to improve. We feel very good about the progress we have made [and] know we have to have great technology before we ship our own desktop AV solution."
--- End quote ---


F.U.D.  I'm not certain that this product will ever materialize beyond vaporware dreams of entering the AV/SE market, but if it does, it will almost certainly be broken in myriad ways detectable only to those who break the source and thus void their install rights.  It might be interesting to see whether this detects Alexa, or considers it a "valuable browser add-on."


--- Quote ---The combination of the Sybari purchase and the looming entry of Microsoft into the desktop anti-virus market has investors in major security firms like Symantec and McAfee worried.
--- End quote ---


So invest in Softwin.  Better yet, turn your funds to better use with RedHat or SuSE, or consider financing your neighborhood computer construction shop.


--- Quote ---As well they should, wrote three Gartner analysts Wednesday. "The Sybari architecture will also enable Microsoft to plug in its own AV engine," Gartner analysts Neil MacDonald, Arabella Hallawell, and Maurene Caplan Grey wrote. "Gartner believes Microsoft AV engine, along with its signature service, will be the foundation of Microsoft's forthcoming desktop offering."
--- End quote ---


Yeah, Windows BORG.  Resistance is futile.


--- Quote ---The AV engine would be the one developed from GeCAD, the same that Sybari's products will support when the acquisition closes sometime before the end of the second quarter.

"We have not announced the availability date of our desktop AV solution at this point," said Nash. "That said, we do expect to have the GeCAD engine available on the Sybari platform soon after the deal closes. I would certainly expect that to be this year."
--- End quote ---


So basically, you're admitting to making vaporware claims, and anti-competitive behaviour.  Oh come on, make your OWN product for once.  You might like it.


--- Quote ---Nash also repeatedly said that it would be important for Microsoft to tie its various security tools together in the enterprise. "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and anti-virus," he said. "We're currently working through specific requirements."
--- End quote ---


To their credit, Windows Security Center doesn't block out competing scanner technologies.  It even lets you set your own.  For now.  That's the part that's of concern to both myself and numerous third-party vendors: will Microsoft use WSC against the consumer once it enters the AV/SE market?  If past behaviour is any indication, it will be possible to install other software, but increasingly difficult and unappealing considering the convenience of having integrated software - despite the inherent danger to the end user of complacency with such measures.


--- Quote ---In a final note, Nash said that Windows AntiSpyware, the tool acquired during its December 2004 purchase of Giant Company Software, will go through at least one more beta version before it's released. In related news, Microsoft's anti-spyware product has been targeted by virus writers, in what experts believe is the beginning of what will be a salvo of malware attacks on Microsoft security products.

As other Microsoft executives have said in the past, Nash wouldn't reveal whether AntiSpyware would continue to be offered free (as the beta is now), or whether fees would be charged. "We have not yet finalized the packaging/licensing, but will communicate that as soon as it's determined, so stay tuned," he said.
--- End quote ---


Oh, I can tell you what the license will read.  "Not for use on more than one computer at a time," it will read.  "Usage on multiple systems will be subject to site license fees, and such software must be removed at the vendor's behest."  So, if your company starts getting any bright ideas about using McAfee on Windows, don't expect their security offering to stay enabled.  In fact, you can expect visits from their "vendor rights" goons, telling you you'll lose your Windows licensor status if you distribute it with anything BUT Microsoft's own AV package.  They've done it to hardware vendors, and they did it to companies that bundled Netscape with their systems by default.  Don't expect them to change that behaviour any time soon.  Last I heard, AntiSpyware was just fine; I suspect Microsoft needs time to remove the comments to befuddle future coders, and to split the classes into black-boxed components.  Yee-haw boys, I look forward to charging users double to remove spyware from their boxes when they happen to be infested with your malware.  If you were to fix the holes in your OS, you wouldn't need to sink your hard-earned (HA!) funds into a spyware/anti-virus engine, but then you'd never sell any upgrades.

The marketing wheels churn on, let's see what FUD the Redmond Boyz release next.

PacKiN 1i1 SoMeThiN 4 BG:
Wow, has anyone ever seen Anti-Trust?  If you haven't, go rent it. "Gary Winston" is exactly like Bill Gates in like so many different ways. Well, at least the poster of what I read into makes them that much alike!

E-61993:
Ya right. Even Windows employees know that Linux is way safer and more STABLE than Windows. There are so many different versions out there. If one gets an unfixable flaw, just get another version.

Windows is an unfixable flaw. :)

Brandon Paddock:

--- Quote from: E-61993 ---Ya right. Even Windows employees know that Linux is way safer and more STABLE than Windows.
--- End quote ---

Let me guess, the last time you used Windows was 1996?  Give me a break.
 
Linux is making progress, but it's still playing catch-up to Windows and BSD, especially where security and reliability are concerned.
