Google and the Windows security debate

Following an article in the Financial Times where Google states they’re dropping Windows all across the company, out comes the response of the Windows Team, on their official blog. In short, Google are blaming Windows for the China attacks in January, and they’re ditching it in favor of Linux and MacOS. But is blaming a 9-year-old browser really the way to go?

To be honest, I find that the biggest security problem with Windows is actually its popularity: in the long run, using Linux or MacOS might in fact be less secure if attacked directly, even if there really are more known attacks/viruses/worms/trojans built for Windows than there are for MacOS or Linux. After all, the security of a computer system depends very much on it being up to date and properly configured, while also running the latest versions of any software being used. Running an outdated and/or badly configured version of any OS is a dangerous thing to do, no matter which OS it is. And switching to another OS simply because you can’t properly and securely configure the previous one is a really dumb move.

In any case, both links above are worth a read. :)

Later edit: Google have also announced that ChromeOS will be out “later this fall” - do you really think this is just a coincidence?

  • Dan Serban

    I love how you bail yourself out of addressing the real issue by saying “might in fact be less secure if attacked directly”.
    There are several categories of criminal cyber-attacks and you don’t bother breaking down into these categories and distinguishing by OS.
    The categories are:
    - social engineering attacks (“Girls gone wild, install this program to view” – infected);
    - technical attacks of the targeted variety (rootkits being injected into improperly secured servers);
    - technical attacks of the untargeted variety (browser exploits, XSS, XSRF);
    - technical attacks of the untargeted variety (drive-by downloads);
    Windows, Mac OS and Linux are potentially equally vulnerable to the first three, I would agree with that.
    But drive-by downloads are a specialty of Windows, and they make up more than 40% of the infections out there.
    Why? Because home users run their Windows PCs with full administrative privileges. I expect you to say that they shouldn’t do that, but face reality, they do, it’s in the “cultural DNA” of using Windows.
    So unless those 40% somehow magically go away, Windows remains the less secure option.
    By the way, everybody that I know who’s using Windows is using WinXP Professional, but with a browser other than the default Internet Explorer.

  • http://www.tudy.ro Tudy

    You’ve got a very good point there, Dan!

    And on a side note, I would also tend to think that the first category (social engineering) is also a bit more present on the Windows side – since Windows users are usually not as technically-savvy as their Linux/MacOS counterparts. So you could even add something more to that 40%…

    However, the “run as admin” thing only applies to Windows XP. Major changes were made in Vista/7 when it comes to user account security (see UAC, service hardening, and the like). Now, if users disable UAC – it’s again, a matter of culture. But that doesn’t really make the OS itself insecure, now does it?

    And this brings me back to my original point: you can’t really blame a 9-year-old OS and browser for not being secure (WinXP was launched in October 2001). A lot has changed since then, even when it comes to how Microsoft does security. And the past failures have really enabled Microsoft to take a step further… :)

    And I’ll give you just an example – people say MacOS is more secure than Windows. I don’t really see this happening to Windows:

  • Dan Serban

    Judging from your links, you seem to be passionate about pointing out flaws in Mac OS.
    Please read (and comment on) the following two articles. They compare and contrast security in Windows vs. Mac OS, but much of the analysis on Mac OS security applies to Linux as well.
    http://www.roughlydrafted.com/2009/01/29/the-mac-malware-myth/
    http://www.roughlydrafted.com/2008/04/01/the-unavoidable-malware-myth-why-apple-wont-inherit-microsofts-malware-crown/

  • http://www.sszecret.wordpress.com Sszecret

    Very interesting subject. Actually I think that all the OSes out there are secure, and the only one to blame for most of the attacks is in the end, the user.
    Yeah, go ahead, disable UAC in Win7. That doesn’t mean that the system is insecure. It’s how the user protects himself and the computer from the viruses that counts.
    That’s just my opinion. No matter how many security patches will be released, no matter how many updates, there will always be something to make the hacker’s task easier.
    Why blame the user you might say. Well, because if the user doesn’t use the PC in a responsible way, he gets viruses and other sorts of problems. That is the main reason why I blame the users.

    Any OS is built with productivity and entertainment in mind, along with responsible usage of it by the user.

    That’s what I think
    (ok, it’s …a bit off-topic but I had to say that :D )

  • http://www.tudy.ro Tudy

    No, Dan, I’m not an avid MacOS hater, I was just giving an example, and it wasn’t supposed to be either exhaustive or definitive… If you want to “hack” an OS, it’s just a matter of time until you do it. There’s no bug-free software, just software with bugs that haven’t been discovered yet. :)

    And in the end, the malware target will always be the OS that is most widespread and has less tech-savvy users, making it – if you want – possible “botnet zombie material”.

    In any case, the bottom line is this: an educated user = a secure OS. With Windows, it’s easy: a fully patched/updated genuine Vista/7, a decent antivirus/antimalware and an active firewall gets the infection risk very close to zero.

    I myself haven’t had a virus/worm/trojan on my Windows computer ever since Windows XP SP1 (which was back when I shared it with my family, and when XP didn’t even have a firewall); and it’s not rocket-science.

    But when you have many illegal/pirated copies of Windows out there (so no updates, except the critical/security ones), a culture that tells you to fully disable the firewall if you want a particular program/game to work, and an always-run-as-admin development trend – it all leads to PEBCAK errors, more than OS architecture/security ones. :)

  • Dan Serban

    Ubiquitously everywhere, premium priced, secure – pick any two.
    An OS cannot be all three at the same time.
    Mac OS – premium priced, secure.
    Windows – Ubiquitously everywhere, premium priced.
    Linux – secure as heck.

  • http://www.tudy.ro Tudy

    :D

    I still say Windows is a secure system in itself, and its long history of malware/security issues is more down to its users’ technical prowess (or lack thereof) than to its architecture. Of course, this is only valid from Vista (or XP SP2, if you really want to push it) onward.

  • Dan Serban

    Anyway so, you know, your blog is aggregated on planet.linux360.ro, and declaring to an audience of Linux enthusiasts that you think Windows is more secure than Linux is easily construed as either flamebaiting or (even worse) trolling.
    Here’s an idea: maybe you should disaggregate your blog from linux360, I’m a Linux enthusiast and I don’t think your postings add any value to that feed.

  • http://www.tudy.ro Tudy

    Dan, let’s get some things straight over here:

    1. I just said I don’t consider Windows to be less secure than either Linux or MacOS but that instead I blame most of the security issues on the users themselves, which means you’re misinterpreting my words in your favor. An educated user won’t have security issues on Windows.

    2. It was never my desire or intention for my blog to be aggregated anywhere, so I fail to see how my blog being aggregated (without my consent) can be considered trolling. Point 1 above might put you in a position of flamebaiting/trolling, though.

    3. I stand by my opinions, and I see no reason to change them just because they’re “unacceptable” (even if they’re misinterpreted or misused – see points 1 and 2 above).