June 11th 2007

Why so many Microsoft vulnerabilities?

Written by: Jerry Gartner

Many wonder why Microsoft products have so many vulnerabilities while other operating systems experience relatively few similar issues, ranging from malware and viruses to problems caused by Microsoft-issued patches. The answer is three-fold.

Market Share

Black Hats (that’s the bad guys who write these nasty programs that we all try to avoid getting) want the largest exposure that they can get. It’s only natural to pick on the guy with, by far, the largest market share of software running in the world: Microsoft. Many of these malware programs target systems with the intent of some sort of financial gain. The “browser hi-jacker”, for instance, redirects all internet search queries to sites that pay the site owner every time someone clicks on a link. The more people they infect, the more money they can make. There is also the DDoS attack. Often, this type of attack is used to extort money or to otherwise damage the victim of the attack financially. In a nutshell, this is how it works: malware or viruses containing “IRC Bots” (or something similar) infect thousands, or even tens of thousands, of machines. IRC Bots, once installed, allow a “master” to control all infected machines remotely. Once a target is picked for a DDoS attack, the master instructs all of the machines to flood the victim’s servers, or a specific server, depending on target details, with requests that essentially shut the server down by overwhelming it with traffic. If the victim is an online banking site, none of the real customers would be able to get through. If it is a server used by a sales or marketing department, sales and marketing staff would find the site inaccessible during the attack. This can work on mail servers, business-critical database servers, you name it. As you can see, this can cause a major disruption for a business. This attack is most effective when many, many machines are part of the incoming flood. For maximum effect, the natural choice of machines to infect would again be Microsoft products. The FBI recently announced that over 1 million computers in the USA may be part of these botnets.

Development Model

It is not my intention to introduce the technical differences of various software development models in this article. The treatment of the subject here is therefore very superficial.

Development: Proprietary (Microsoft) software development models do not lend themselves to particularly speedy response times when it comes to patch development and deployment. In a closed, proprietary development environment, programming code is limited by policies, programming tools, programming technologies, and the homogeneous environment created by things such as hiring practices and corporate culture.

Deployment: Microsoft Automatic Updates provide patches to systems once a month. This is affectionately known in the industry as “Patch Tuesday” because these deployments occur automatically on the second Tuesday of each month. One of the obvious problems with this method occurs when a vulnerability is discovered and/or exploited on, for example, the second Wednesday of the month: the next patch cycle is nearly a month away. Rarely have I seen a patch released by Microsoft outside of this monthly cycle, although I have seen it happen when a particularly dangerous vulnerability is being actively exploited. While patches are tested internally by Microsoft in controlled environments, any issue caused by a flawed patch is not readily evident until it has been deployed to the public.
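As an added illustration of the patch-cycle gap described above (this is not code from the original post), the following Python computes when Patch Tuesday falls and how many days a vulnerability disclosed on a given date waits for the next regular cycle. It assumes the second-Tuesday rule only and ignores out-of-band releases; the function names are my own.

```python
from datetime import date, timedelta
import calendar


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month, i.e. the regular Microsoft update day."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday (weekday(): Monday == 0, Tuesday == 1).
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def next_patch_tuesday(d: date) -> date:
    """First Patch Tuesday strictly after d.

    A flaw disclosed on Patch Tuesday itself has missed that cycle, so it
    waits for the following month's release (out-of-band fixes ignored).
    """
    candidate = patch_tuesday(d.year, d.month)
    if candidate > d:
        return candidate
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return patch_tuesday(year, month)


def exposure_window_days(disclosed: date) -> int:
    """Days between disclosure and the next regular patch cycle."""
    return (next_patch_tuesday(disclosed) - disclosed).days


def cycle_gaps(year: int) -> list:
    """Days between consecutive Patch Tuesdays within one year (always 28 or 35)."""
    days = [patch_tuesday(year, m) for m in range(1, 13)]
    return [(b - a).days for a, b in zip(days, days[1:])]


if __name__ == "__main__":
    # The article's example: a flaw found on the second Wednesday of June 2007.
    found = patch_tuesday(2007, 6) + timedelta(days=1)
    print(found, "->", next_patch_tuesday(found), exposure_window_days(found), "days")
    for m in range(1, 13):
        print(patch_tuesday(2007, m))
    print("gaps between cycles in 2007:", cycle_gaps(2007))
```

Running it shows the June 13, 2007 case waiting 27 days, and that the gap between regular cycles is never less than four weeks and up to five.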


One such patch made many web sites unviewable from Internet Explorer until another patch was released.

Development: Other software development models (Open Source) tend to have much quicker response times to vulnerabilities and exploits as they are discovered. Even though, in some cases, there may be the same corporate limitations as set forth above, Open Source development models are more organic and flexible. Major Open Source products pool resources and talent from all over the world. Coding standards assure readability and smooth collaboration, while the programmers are left to do what they love to do: program. Many volunteer their time to these products and make a living through support and consulting fees.

Deployment: Patches for most Open Source products are tested in controlled and uncontrolled environments. Often patches are subject to peer review as well. Once tested, they are released to the public, many times within hours of a discovered vulnerability. If the patch causes an inadvertent or unforeseen problem, another patch is quickly released, just as in proprietary environments.

People love to hate Microsoft

Look at almost any online IT community and you will discover a widespread disdain for Microsoft. I like to call it “Bill Bashing”. This happens for many, many reasons, one of which is the dominating success of the software giant. Bill Bashing is alive and well in the “black hat” community as well. Vulnerabilities are sought and exploited just for the sake of showing what a kludge Microsoft products are. Focus this disdain on Open Source products and you will see similar results. SCO Linux is a shining example.

If we measure success for Microsoft, or any other company, by product robustness, portability, or security, many fall short. If, on the other hand, we measure success by market share, desktop operating systems are dominated by Microsoft, while web servers and many other back-end products are dominated by Open Source products like the Apache web server. As long as Microsoft has the lion’s share of the desktop market, black hats will continue to seek and exploit its flaws; after all, they too want market share.


Topics: Featured, Security


One Response to “Why so many Microsoft vulnerabilities?”

  1. Chuck Colht on 12 Jun 2007 at 11:06 am #

    I think you are right for the most part. In reference to my post on techrepublic, I am not up on the latest IIS security settings. I’m a corporate admin with limited exposure to the latest and greatest in the IIS world.

    That said, I agree that Microsoft is responsible for much of their trouble but the users of technology bear the ultimate responsibility. If we can’t or won’t make it secure, we don’t run it. That is how it should be anyway. But in the real world, business interests often force unsecured systems out on the net. Whether it’s pushing a server out before it’s ready or deploying a product with known issues, we get stuck with trying to keep it together and protect the business. The CIO or equivalent must be held responsible for any problems that result from lax security policies. MS, for the most part, is delivering what people want. But if they just made us turn things on instead of off…

    The open source model is well suited to an evolutionary mode of development. Evolution implies failures of course but that’s ‘life’ :)

    I had a debate once with an MS-pushing consultant about Outlook vs Groupwise. He said Outlook is attacked more because it is more common. This is true, but no attacks would work against Groupwise since it didn’t (at the time, not sure about post-2000 versions) have the automation to allow exploits. Automation that 95% of users never need. That is turned on by default in Outlook. Sure, they’ve tightened this down just like they’ve fixed IIS. But come on, somebody at MS should have read a 1980s security book. The attacks were inevitable.
