Thursday, March 15, 2007

Why is Windows Insecure?

Consider the following quote for a minute:
Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted.
— Gene Spafford (in e-mail to organizers of a workshop on insider misuse)

I'd say reactions to this statement cover the whole range, from "Them's fightin' words" to laughter to agreement.

The fact of the matter is that Windows was born at a different time, to a proud papa that wanted the whole world to love his offspring. Windows was taught to be polite and play with others, even if Windows had to play dumb so that they could understand it.

Now back to reality. Windows was designed to be backwards compatible (who wants to buy something that breaks everything else?) and easy to set up and use. Ever break out of the password prompt on a Windows 9X machine and do whatever you want? How about break out of and kill the password-protected screen saver on the same machine? Both of these were trivial exploits that only required physical access.

Windows Vista is Microsoft's first attempt to drop the legacy weakness and create a secure operating system from the start.

I consider XP Service Pack 2 to be Microsoft's first real attempt to secure any Windows version, and XP is still the most exploited, abused operating system known to man.

XP Service Pack 2 was a step in the right direction. The jury is still out on Vista, although it may shape up into a hanging jury. ;-)
