Why Microsoft is to Blame

These days 'securing' a Windows PC requires antivirus software, anti-spyware software, a software firewall, a hardware firewall, email filters, monthly security updates, and daily browsing of security portals. Even assuming the monetary cost of all these precautions to be zero, there still is the problem of installing, configuring, maintaining, and updating security tools.

Even the most trivial Windows Update can require 10 minutes or more to download and install, and the big ones can take hours. Similarly, virus and spyware definitions have to be updated several times a week, and scanner programs need to be run regularly. Even the personal firewall demands attention; without proper configuration it can become useless. All these activities use up time. If the average person were to strictly follow just the common-sense security guidelines pertaining to Windows, he/she would likely need to spare 10 or more hours each month.

Ten hours of time is not insignificant even to someone who uses a computer 100 hours or more per month, but to someone who spends only 20-40 hours on a computer the cost is simply staggering. The worst part is that the time needed to secure Windows is increasing steadily with time.

Ten years ago maintaining a 'reasonably secure' Windows PC required just a virus scanner and some obvious common-sense precautions. In those days 1-2 hours a month sufficed to keep Windows 'secure'. Even five years ago personal firewalls were unheard of, and the big security threats were email viruses and the like. Clearly more precautions were needed to keep a PC secure, but the situation was nothing like what we have now.

Unfortunately, nowadays one cannot even exercise one's birthright of reinstalling Windows without going through reams of instructions. People not only need to know that reinstalling Windows can be a problem, but they also have to come prepared beforehand with update CDs and the like. Furthermore, the precautions needed to deal with such scenarios change as new attacks are discovered. Things are already beyond control for most users. A recent survey of 1 million Windows PCs by Earthlink found spyware on a third of them.

It is not just the average user who is getting hit. Even well-trained computer security professionals are falling victim to malware. A recent PCWorld article contained an interesting anecdote about ZoneAlarm's (a firewall vendor) VP, Frederick Feldman, getting hit by the Sasser worm.

Surprisingly, a lot of smart people still believe that computer security is best addressed by educating users, applying patches and installing scanners. On top of this, a blame-the-victim philosophy is also prevalent. Of course, Microsoft is also doing its part to promote such views, as they shift blame away from Microsoft.

The historical trend of increasing Windows security costs suggests that such views represent sheer ignorance. The user would be to blame if there were some clear and concise instructions that could be followed to secure a Windows PC. But it is obvious that no such instructions exist. The average person no longer has the time to learn about all the relevant security issues, and individuals who do have the time won't have it in the future. The only way Windows security is going to improve is by Microsoft making Windows more resistant to malware.

Microsoft is not helping matters by pretending that it is doing all it can to address security problems. In a recent interview with PC Magazine, Mike Nash, the head of Microsoft's security business and technology unit, said, "I think that if you look at the relative security of Microsoft versus anything else that's out there, the evidence shows that there are fewer vulnerabilities in Windows than in other platforms."

What the heck is 'relative security' anyway, and what good is a 'relatively secure' OS if anyone who cares to break into it can do so? Appealing to nonsense like 'relative security' is just plain disingenuous, and shows that Microsoft does not care about its customers, and it does not care about security. It is like a drunk driver claiming innocence by arguing that all the people he knows drive drunk; therefore, driving drunk is no crime, and he should go free.

Microsoft has to accept blame because it is following extremely poor practices with regard to security. It is totally irrelevant whether other OS vendors are doing the same. When someone buys Windows the money goes to Microsoft's coffers and not Linus Torvalds' pocket. Windows users are not being unreasonable in expecting a reliable product from Microsoft.

Microsoft needs to get rid of all employees with a 'relative security' mindset. There can be no improvements to Windows security if the people in control are not interested in taking initiative. Such people are symptomatic of the sick security culture prevalent at the company.

A culture change will be a tremendous help, but let's focus on some concrete steps Microsoft can take to improve Windows security. The first thing Microsoft needs to address is the C programming language. Microsoft is using C and its unsafe derivatives to do systems programming. This practice has to be STOPPED IMMEDIATELY!

It has been known forever that C is an insecure language. An OS written in C simply cannot make any assurances about security. C code is prone to buffer overflows, dangling pointer errors, and many other problems which can lead to security vulnerabilities.

Security vulnerabilities resulting from the use of C are uncovered routinely. Actually, a huge chunk of vulnerabilities found in Windows are a consequence of the use of C. These types of vulnerabilities (especially buffer overflows) are the bread and butter of crackers. They are well-understood, easy to exploit, and in abundant supply. The infamous Blaster worm and more recently the Sasser worm exploited such vulnerabilities to compromise Windows systems.

C is used for systems programming because it has a few features which are required for systems programming. C gives programmers control over low-level data representations, and allows explicit memory allocation/deallocation.

Some systems programming tasks also require performance, and C is good at that too. However, efficiency is no longer critical for OS code. Basic OS design hasn't changed much in the last 20 years, and the algorithms used inside operating systems have only improved in efficiency. Efficient algorithms are the key to better performance, and the choice of language used to implement the algorithms is largely irrelevant. Also, operating systems of 20 years ago (Unix and not DOS implied here) used to work fine on hardware that was thousands of times slower. Clearly C's efficiency is not too relevant for OS development these days.

The few positives C has going for it are totally negated by the unacceptable compromises it makes on security. These compromises on security were not acceptable in the past and are not acceptable now. The honest truth is that because of security problems C was never suitable for systems programming. Systems programming demands extreme attention to security, but security is missing from C by design. C is over thirty years old, and has stayed more or less static over its entire lifespan. Computer science is a young and evolving field and a lot of things have changed for the better in the last thirty years; the compromises that were necessary thirty years ago are no longer needed.

All of the requirements of a systems programming language can now be met without compromising safety. The Cyclone programming language demonstrates just that. Cyclone is a C-like language and was designed to preserve the syntax and semantics of C as much as possible without compromising safety. Cyclone protects against buffer overflows, dangling pointers, bad casts, and the rest of C's menagerie of security caveats. Its similarity to C facilitates painless migration, and ensures easy porting of legacy C code.
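As an added illustration (not from the article, from Cyclone, or from any Windows code), here is the idea behind Cyclone's bounds-carrying "fat" pointers sketched in plain C: the length travels with the pointer, so a copy that would overrun the buffer is refused instead of silently corrupting memory, which is exactly the class of bug the two paragraphs above describe. The names `fat_ptr`, `fat_wrap`, `fat_strcpy` and `fat_get` are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A bounds-carrying ("fat") pointer, modelled on the idea behind
 * Cyclone's `?` pointers. Added example, not Cyclone's own code. */
typedef struct {
    char  *base;   /* start of the buffer */
    size_t len;    /* number of bytes the buffer actually owns */
} fat_ptr;

/* Attach the buffer's true size to the pointer; caller passes sizeof. */
static fat_ptr fat_wrap(char *buf, size_t len) {
    fat_ptr p = { buf, len };
    return p;
}

/* Bounds-checked string copy: 0 on success, -1 if `src` plus its NUL
 * terminator would not fit. On failure the destination is untouched,
 * where a plain strcpy() would have written past the end. */
static int fat_strcpy(fat_ptr dst, const char *src) {
    size_t need = strlen(src) + 1;
    if (dst.base == NULL || need > dst.len)
        return -1;
    memcpy(dst.base, src, need);
    return 0;
}

/* Bounds-checked byte read: the byte value, or -1 if idx is out of range. */
static int fat_get(fat_ptr p, size_t idx) {
    if (idx >= p.len)
        return -1;
    return (unsigned char)p.base[idx];
}

int main(void) {
    char name[8];                                  /* 7 chars + NUL */
    fat_ptr p = fat_wrap(name, sizeof name);
    printf("short name : %d\n", fat_strcpy(p, "bob"));              /* 0  */
    printf("long name  : %d\n", fat_strcpy(p, "a-very-long-name")); /* -1 */
    printf("index 8    : %d\n", fat_get(p, 8));                     /* -1 */
    return 0;
}
```

The check costs one comparison per operation, which is the kind of overhead the efficiency argument above says OS code can now afford.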

Microsoft needs to drop C in favor of a home-developed systems programming language which is safe, reasonably efficient, and makes full use of the research done in the last 30 years. Actually, Microsoft needs two new systems programming languages: one for porting legacy code, and one for new development. The programming language for porting legacy C code can be a hack like Cyclone, but for new development a thoroughly modern systems programming language is required. The modern systems programming language must address everything from C's ugly, inconsistent, and error-prone syntax to its impoverished semantics. For syntax Cambridge Polish Notation is the only choice, as it is uniform and eliminates precedence rules. However, the issue of semantics is completely open, and there are plenty of interesting options (no OO please!).

Microsoft does have the design talent to pull this off, but not the will. Microsoft's management seems to lack a good grasp of technology. The company is literally throwing away a source of huge competitive advantage. New, well-designed systems programming languages can significantly speed up systems development, and dramatically reduce maintenance costs. These benefits are on top of the security features which Microsoft desperately needs.

If Microsoft moves Windows code to a safe systems programming language, crackers will immediately be deprived of their favorite cookbook-style exploits. This will raise the bar for malware authors. Malware won't go away, but Windows users will certainly get a massive respite. Moreover, the new code will form a solid base for all future security initiatives. This is extremely important, as without a solid base to build upon there simply is no hope for Windows security.

If Microsoft cared about security, it would have developed such a language 10 years ago. But at that time the company was busy formulating the security nightmare named the Windows Registry; security was a complete non-issue for Microsoft then. Sadly, things haven't changed much. Even now a new systems programming language is not a priority at Microsoft. Instead of decisively dealing with C, the company wants to train programmers so that they are able to write secure C code.

In the previously mentioned interview with PC Magazine, Mike Nash, responding to a question about the steps Microsoft is taking to reduce vulnerabilities in Windows code, said, "We're training developers across the company on how to write secure code."

Developer training is a very good thing, but developer training cannot solve the problems resulting from the use of C. The vulnerabilities resulting from C code are often fairly subtle bugs, and no one has found a way to write software which is free of even the not-so-subtle bugs. Switching to a safe programming language will eliminate an entire class of security vulnerabilities, and the same cannot be guaranteed by developer training.

Microsoft's reluctance to move away from C is really a consequence of its adherence to the 'principle of relative security'. As long as the theoretical security of Windows is no worse than the competition's, Microsoft is content to wait and watch. Any move to a new systems programming language will certainly entail short-term costs and product delays. This is something Microsoft does not want. Unfortunately, Microsoft's short-term savings don't come free. The tradeoff is the tens of billions in productivity losses incurred by Windows users each year.

Being optimistic, let's assume that Microsoft will eventually move to a safe systems programming language. Obviously, not all malware will die because of this. Can something be done to reduce the ever-spiraling costs of Windows security, or are we all condemned to using PCs (public computers)?

Part II of this article will discuss why Microsoft deserves even more blame for the Windows security situation.

by Usman Latif  [Jul 18, 2004]

Related Links:

Q&A with Mike Nash
Why Windows is a Security Nightmare
Spyware on a 3rd of PCs surveyed
ZoneAlarm VP hit by Sasser
The Cyclone programming language
Subtyping, Subclassing, and Trouble with OOP