The idea that Windows is an enterprise operating system that can ever be made secure — or at least secure enough — has always been contentious. The events of the last two weeks have made the idea even harder to entertain.
Take events like October’s monster Patch Tuesday, Microsoft’s biggest patch day ever. It involved no fewer than sixteen security bulletins addressing a staggering fifty vulnerabilities — the majority of which could lead to remote code execution. This update broke the record for the most bulletins announced and the most vulnerabilities fixed on a Patch Tuesday, and that record was hardly long-standing: it was set just two months ago.
On the positive side, you could argue that when Microsoft fixes fifty vulnerabilities that means there are fifty less to exploit, and the fact that Microsoft has fixed so many in recent months shows that the company is “on the case” and taking its customers’ security very seriously indeed. Does that make enterprises that rely on Windows feel any better? Probably not.
The truth is that Microsoft may not really be “on the case” at all. If it was, then it most certainly wouldn’t be helping Russian criminals fleece unsuspecting Americans, as Ronald Guilmette, a security researcher concludes. He pointed out this month that criminals have been using two IP addresses which belong to Microsoft to host the authoritative name servers for over 1,000 fraudulent websites, The Register reported, and he is convinced that can only have happened if Microsoft’s own machines have been hacked. “I’m a paranoid kind of person,” Guilmette said. “There’s no other immediately apparent, reasonably plausible explanation for the facts that I’m looking at.”
When the company that many organizations rely on for secure operating systems is unwittingly running machines that have been pwned by criminals, that should be cause for huge concern. But at least enterprises can turn to specialist security companies to bolster their defenses to compensate for any failings on Microsoft’s part. After all, even if Microsoft doesn’t, security companies know what they are doing. Don’t they?
Apparently not. At least not some very well known ones. International hacker group Team Elite recently found a cross site scripting error in security vendor Symantec’s business support page on the company’s website, as well similar errors on the websites of highly regarded anti-virus vendor ESET, and Panda Security. To be fair it should be said that cross site scripting errors are very common indeed in Web applications, but they can still put visitors to the sites in question at risk. It’s not exactly encouraging when the security vendors that many organizations turn to can’t keep their own computer systems in good shape any more than Microsoft can.
It’s especially worrying for enterprises when hackers such as those behind the Zeus banking Trojan may soon be using malware which exploits all kinds of weaknesses in Windows to carry out corporate espionage. According to Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, hackers have been tailoring Zeus to generate fake bank login screens which prompt victims for details of the place where they work, such as the name and phone number of their organization. “They want to know where you work. Your computer may be worth exploring more deeply because it may provide a gateway to the organization,” Warner warned. Zeus may be fairly well known to most anti-malware systems, but the point to remember is that malware writers learn from each other. Newer and even more sophisticated malware — such as Bugat and Carberp — has sprung up over the last few months, and if there is a market for information that allows hackers to target particular organizations then there’s little doubt that the malware writers will start including corporate espionage functionality in future offerings.
The good news is that Adobe seems to be having a fundamental rethink about the way Reader is designed, and before the end of the year it plans to release Reader 10, which will have a sandbox architecture designed to isolate the application. That means that if the application is attacked hackers won’t be able to get out of the sandbox to attack the rest of the system. That’s the theory, any way, though in practice these things never quite work as well as they are supposed to, as Brad Arkin, Adobe’s director of product security and privacy, admitted to InfoWorld: “Bad guys and researchers won’t give up because this is an exciting challenge,” Arkin said. “The reward for finding out a flaw is quite high. We think there is going to be lots of attention here… it is still possible that someone may be able to find something,” he said.
Which is pretty much tantamount to admitting defeat before the product is launched, and accepting that Windows systems can never be made secure. It’s refreshingly honest, and goes a long way to explaining why, according to a Linux Foundation report, far more large companies are planning to implement Linux servers rather than Windows servers in the near future, and why more migrations to Linux will come more from Windows shops than Unix ones next year.
Still, it could be worse for Microsoft: Oracle unleashed a patching frenzy on its customers this month, featuring fixes for over eighty bug fixes. What’s the betting that Microsoft will beat that figure by the end of the year?