Vista Security in the News Today

I blogged a short while ago on a Defense Department study that recommended that the government increase its reliance on open-source software, as a way of avoiding vulnerabilities that are associated with what has come to be known as the software monoculture. There are a lot of facets to the monoculture problem, but in the simplest terms, it’s this: the ubiquity of the Windows platform running Microsoft applications magnifies the security risks posed by worms, viruses, and the like. Those risks would be more manageable, the story goes, if there were more diversity with respect to operating systems and key applications among the PCs connected to the internet. Just as Microsoft’s dominance reduces its incentives to improve ease of use, so too does it reduce Microsoft’s incentives to improve the security of its products, to everyone’s detriment.

Those issues are back in the news today, with developments on a couple of fronts. First, Microsoft today launched a preemptive PR strike against the European Union’s antitrust enforcers over the putative security improvements in Windows Vista. The linked Reuters report seems to say that the EU is worried that Microsoft is improving Vista’s security by bundling in capabilities that could be provided by third-party applications, much as it previously did with its Internet Explorer browser and Windows Media Player. (More coverage is available at Ars Technica and Slashdot.)

Is this a legitimate concern? Unfortunately, the media coverage makes it very difficult to tell — we learn virtually nothing from the EU reports about just what new security capabilities Microsoft is proposing to include in Vista or what markets might be adversely affected if those capabilities were “bundled” into the operating system. My general sense is that adding security improvements to an operating system is much less objectionable than, say, requiring users of your operating system to also use your Web browser. The former seems much more intimately connected with the capabilities users are entitled to expect an OS to provide, although it’s hard to articulate a more specific reason than that. In a way, the problem is that Windows has been so bad for so long that it has invited a whole ecosystem of third-party suppliers to spring up to patch security holes that should never have existed in the first place. True, improving the security of the core OS itself may have adverse effects on those suppliers. But it would be odd indeed, it seems to me, to declare that competition policy requires a company to ship a defective product so that third parties can continue to make money fixing it.

We learn a little more about just what security improvements to expect from Vista from eWeek’s new piece, IT Wrestles with Microsoft Monoculture Myopia (also linked from Slashdot here). The story revisits some of the earliest critiques of the Windows monoculture, and finds that Microsoft itself seems to have recognized the problem and begun to address it. From the eWeek piece:

In many ways, Geer’s report was prescient, as Microsoft has become a huge target for hackers. Meanwhile, Microsoft has adopted some of the tactics recommended to diversify code.

“In just under three years, the idea went from something you can get fired for to a research priority for [the U.S. government] and a product plan at Microsoft,” Geer, of Cambridge, Mass., said in an interview with eWeek.

“You look at what they’re doing with randomizing Vista and all the signs around virtualization, [and] it’s real vindication for us.”

He was referring to the addition of ASLR (Address Space Layout Randomization) to Windows Vista, a security feature that randomly arranges the positions of key data areas to prevent malicious hackers from predicting target addresses.

The technique, known as memory-space randomization, will block the majority of buffer overflow tricks used in about two-thirds of all worm attacks and, even more importantly, will effectively create software diversity within a single operating system.

My take, as a non-engineer, is that this sounds like an interesting improvement, but isn’t likely, standing alone, to address the problems identified in the DoD report. As I understand it, the monoculture problem isn’t a problem of Windows alone, but of the entire Microsoft ecosystem. Windows and the Microsoft applications are knitted together so tightly that security flaws in any part of the chain can propagate through the entire system. It’s not clear, for example, how the improvements mentioned in the eWeek article will impair the execution of Visual Basic macro viruses, malicious ActiveX controls, or malware scripts attached to an e-mail message in Outlook. Perhaps they will, but the problem is almost certainly larger and more complicated than any single fix, such as the memory-shuffling technique highlighted in the eWeek piece, can cure. Ultimately, I suspect that the authors of the DoD report may have the better of the argument — the monoculture’s vulnerabilities are more likely redressable through true platform diversity rather than an ersatz diversity created within the monoculture itself. But I would love to hear what people who are more informed about software design think.
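For readers who want to see what the ASLR passage quoted above actually means in practice, here is an added example; it is not from this post, from eWeek, or from Microsoft, and it runs on a Linux/POSIX system rather than on Vista. The program records where its stack, its heap, a libc function and one of its own functions landed, then executes a fresh copy of itself and compares. Under ASLR the addresses differ from one execution to the next, so an exploit that hard-codes an address observed in an earlier run no longer lands. The names `collect_layout`, `regions_moved` and `hardcoded_hit` are chosen here for illustration.

```c
/* Added example (not from the original post): observe ASLR from inside a
 * process by comparing this execution's memory layout with a fresh one. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/wait.h>

/* Where four kinds of memory landed in one execution. */
struct layout {
    uintptr_t stack; /* a local variable          */
    uintptr_t heap;  /* a malloc() result         */
    uintptr_t libc;  /* a function in libc        */
    uintptr_t text;  /* a function in this binary */
};

static void marker(void) { }

struct layout collect_layout(void)
{
    struct layout l;
    int local = 0;
    void *p = malloc(16);
    l.stack = (uintptr_t)&local;
    l.heap  = (uintptr_t)p;
    l.libc  = (uintptr_t)&puts;   /* moves only if libc is loaded at a random base */
    l.text  = (uintptr_t)&marker; /* moves only if the binary is PIE */
    free(p);
    return l;
}

/* How many of the four regions sit at a different address in b than in a. */
int regions_moved(const struct layout *a, const struct layout *b)
{
    int n = 0;
    n += a->stack != b->stack;
    n += a->heap  != b->heap;
    n += a->libc  != b->libc;
    n += a->text  != b->text;
    return n;
}

/* An exploit that hard-codes an address seen in an earlier run only lands
 * if that region did not move. */
int hardcoded_hit(uintptr_t guessed, uintptr_t actual)
{
    return guessed == actual;
}

static void print_layout(const struct layout *l)
{
    printf("%lx %lx %lx %lx\n", (unsigned long)l->stack, (unsigned long)l->heap,
           (unsigned long)l->libc, (unsigned long)l->text);
}

int main(int argc, char **argv)
{
    struct layout mine = collect_layout();

    /* Child mode: report where things landed in this fresh execution. */
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        print_layout(&mine);
        return 0;
    }

    /* Parent: exec a fresh copy of ourselves and read back its layout.
     * fork() alone would prove nothing, since a forked child inherits the
     * parent's layout; only exec() lets the loader randomize again. */
    int fd[2];
    if (pipe(fd) != 0) { perror("pipe"); return 1; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execl(argv[0], argv[0], "--child", (char *)NULL);
        perror("execl");
        _exit(127);
    }
    close(fd[1]);
    FILE *in = fdopen(fd[0], "r");
    unsigned long s, h, c, t;
    if (in == NULL || fscanf(in, "%lx %lx %lx %lx", &s, &h, &c, &t) != 4) {
        fprintf(stderr, "could not read child layout\n");
        return 1;
    }
    waitpid(pid, NULL, 0);
    struct layout theirs = { s, h, c, t };

    printf("region  this run          fresh exec\n");
    printf("stack   %016lx  %016lx\n", (unsigned long)mine.stack, (unsigned long)theirs.stack);
    printf("heap    %016lx  %016lx\n", (unsigned long)mine.heap,  (unsigned long)theirs.heap);
    printf("libc    %016lx  %016lx\n", (unsigned long)mine.libc,  (unsigned long)theirs.libc);
    printf("text    %016lx  %016lx\n", (unsigned long)mine.text,  (unsigned long)theirs.text);
    printf("%d of 4 regions moved; an exploit hard-coding this run's stack address %s\n",
           regions_moved(&mine, &theirs),
           hardcoded_hit(mine.stack, theirs.stack) ? "would still land" : "misses");
    return 0;
}
```

Build and run with `gcc aslr_demo.c -o aslr_demo && ./aslr_demo`; on a system with ASLR enabled and a PIE build (the default for current gcc packages) all four rows change between the two columns, while `gcc -no-pie` keeps the text row fixed and `setarch -R ./aslr_demo` keeps every row fixed. Two caveats matter for reading the eWeek claim. First, randomization only helps against code that needs a reliable address, which is why it blunts buffer-overflow exploits; a macro, a script in an e-mail attachment or a malicious ActiveX control runs as ordinary code inside a legitimate process and never needs to guess an address, so ASLR does nothing about the cases the post raises. Second, ASLR is opt-in per binary: Vista randomizes only images linked with /DYNAMICBASE, just as Linux randomizes only PIE executables, so a single non-randomized module loaded into a process gives an attacker a fixed address to target.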

6 Responses to “Vista Security in the News Today”

  1. The real solution to the monoculture, of course, isn’t open software source but open data standards, so that you can get the widest possible variety of software to interchange data between. Maybe I should grab the MA open standards rules and do an analysis of them for first movers…

  2. Luis above is absolutely correct. The real solution is open standards, and actual compliance. As a software architect/engineer(/law student) the biggest issue I see is the fact that MS works with MS, and MS alone. Daily I have to jump through hoops to make the software I write and design work on MS platforms when simple standards compliance would solve so many problems. True standards compliance would make it such that we could have MS desktop machines (the only place MS belongs) and they could interact with a real robust server infrastructure seamlessly. Of course, MS doesn’t WANT to be standards compliant. By openly subverting standards, and closing its own standards, it corners developers into targeting their platform because it is so ubiquitous. This is the problem of the monoculture, and it is created by MS’s “embrace, extend, break, lock in” cycle…

    Unfortunately, true platform diversity is the great white whale that will never be captured so long as there is a need to have MS in the mix (unless of course MS radically changes their ways, but as an engineer who has had to work with their software and their development platforms for the last 10+ years, I am not holding my breath). The real unfortunate bit is that the rest of the OS market isn’t ready to fill that desktop niche yet (as someone who has had linux on the desktop since 1993, I’m in a position to know). Anyhow, round and round we go…

  3. Luis and Chris, you both make very good points about open standards versus open source code. Storing data in open container formats, as the backers of the Massachusetts ODF initiative want, certainly solves one of the problems of the monoculture — specifically, application lock-in (where you can’t read a Word document unless you have Word). Does it solve the other problems, though? I previously noted the particular problems caused by the tight integration of Windows with the core Microsoft application suite, one consequence of which is that the entire system is only as strong as its weakest link (currently, IE). Multiply those weaknesses across a 95% installed base of user PCs and you’ve got a real problem (for example, masses of zombified Windows boxen pumping out spam). That’s the sort of problem that open document formats aren’t well tailored to fix, isn’t it?

  4. From my point of view, open standards are well tailored to solve that very problem. If there are standards which dictate not only the document formats but the message interchange formats (at a programmatic/data abstraction level), and the vendors actually comply with those standards, when the system has a critical weak link (in my book it’s hard to tell whether outlook or ie is that weak link, but that’s another story) you can simply replace that weak link with a better alternative, and because everything “speaks the same language” (dictated by the standards), it mostly just works.

    At the OS level, with a little trickery, it is entirely possible to swap out any single part of that MS OS stack and have alternatives behave in nearly the same fashion. Where this isn’t the case is where the parts you are “swapping out” don’t obey the current standards. For example, I can “trick” my windows box into using Firefox as its web rendering engine for everything from displaying pages when I click on links in other documents to behaving as the rendering engine when I preview html in Visual Studio. Where this fails is when parts of the system depend on MS’s broken support for standards. For example the lack of compliant support for CSS in IE, which results in problems viewing help files when using firefox as the rendering engine.

    My ideal dream world – Open Standards + Real Compliance. What is lacking now is that when a vendor controls that much of the market share, they get to make their own standards as is convenient for them. For example, MS doesn’t have to comply with the CSS2 standards in the latest generations of their browser because frankly developers cannot afford to NOT code for their platform. They can do whatever they want, and to keep our bread coming, we (the developers) will dance to their tune. The really tricky question from my perspective is that real standards compliance requires some sort of enforcement mechanism, and for giants like MS, it has to have teeth, and the enforcement mechanism cannot be simply developers. Whether or not they like it, the MS platform is most developers’ bread and butter, and to simply boycott is not an option.

    Anyhow, more food for thought. Open Standards, beyond document standards, but actual message interchange standards, can break not only the application lock in factor but also the OS to application tie in that makes the MS suite what it is.

  5. [...] Now, on this blog I have missed few opportunities on this blog to tweak Microsoft for the failings of its products. And it’s not as if the company isn’t constantly providing a stream of crummy technologies for reviewers to pan. (What made that great internal Microsoft iPod video simultaneously hilarious and bittersweet was that Microsoft applies exactly the same philosophy to product development as it does to packaging design — never develop an elegant solution where a kludgy one will do.) But there’s another culprit here who bears a good deal of the responsibility for the failings of the Zune, and that’s the Supreme Court. [...]

  6. [...] viewing the blog — particularly, it seems, on the new Internet Explorer 7. (Yet another strike against restrictive and metadata-searching Vista…) There is a major upgrade coming soon on [...]
