Microsoft prepares security assault on Linux

infoworld.com ^ | 11/11/03 | Kieren  McCarthy

[Salo]

Microsoft prepares security assault on Linux Company will criticize Linux for taking too long to fix bugs

By Kieren  McCarthy, Techworld.com November 11, 2003 

Microsoft Corp. is preparing a major PR assault over Windows' perceived security failings in which it will criticize Linux for taking too long to fix bugs, we have learned.

In a sign that the inroads made by the Open Source community are starting to rattle the software giant, Microsoft has hired several analysts to review how fast holes are patched in the open source software and is expected to announce that Windows compares favorably.

The strategy, called "Days of Risk," measures the number of days it takes programmers to release a public patch after a vulnerability is revealed. While high-profile holes in Linux and associated software tend to be swiftly dealt with, less prominent problems -- which could be just as potentially damaging -- can take weeks or even months to appear.

Microsoft's aim is to undermine critics and place a question mark over Linux's security by revealing that, on average, Windows poses less of a security risk. By turning attention away from its own software bugs while at the same time launching several security initiatives, it hopes to be able to tackle one of main worries business has with its proprietary operating system.

Windows security is a club constantly used by Linux advocates to beat Microsoft over the head -- made all the more relevant following the extremely damaging Blast worm and SoBig virus that spread rapidly thanks to vulnerabilities in Microsoft's software.

Microsoft Chief Executive Officer Steve Ballmer is known to have made security a top priority. Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.

And at the end of October, Ballmer gave the audience at Gartner's autumn symposium a taster of what was to come when he attacked Linux's assumed security superiority. "In the first 150 days after the release of Windows 2000," he said, "there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher."

He also questioned the notion that the open source's community approach to fixing problems was superior to Microsoft's. "Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?"

A spokeswoman for Red Hat was undaunted by the prospect of a full frontal security assault by Microsoft however. "We just don't have viruses," she told us. "Our problems are located and fixed more proactively. Because the source code is open, we find there is a patch before there is even a problem."

She also denied there was an issue of professionalism: "We have dozens of Fortune 500 customers we have to report to. We would never let a bug go unfixed."

However, Microsoft is thought to have pulled out all the stops to prove its security case. That means it should have something more tangible than the questionable reports it has sponsored in the past in an attempt to show Windows has a comparable or lower total cost of ownership than Linux.

"There is always some assertion by Microsoft," the spokeswoman told us. "And its example is always on a very small part of Linux. But when you look at Linux as a whole, it is very reliable and our customers considerable it superior."

Microsoft failed to respond to our questions, although its law and corporate affairs spokeswoman told us that she didn't think the company intended to launch a security attack on Linux and that it would be "odd" if the company used strong comparative information to state its case. It would be more odd if it didn't.

[Salo]

MS is going to lecture *anyone* else about security? I mean, it's nice the town whore done got religion and all, but letting her lead the choir?

[Salo]

Dr. Penuin, pinging Dr. Penguin.

[Salo]

Aces up!

[Salo]

Your levity and wit is needed.

[JoJo Gunn]

"Microsoft Corp. is preparing a major PR assault over Windows' perceived security failings in which it will criticize Linux for taking too long to fix bugs, we have learned."

Dang! Is Gore their PR queen? This sounds like a Democrap tactic.

[stylin_geek]

What is with you rabid anti-Microsoft people and your language? Way to set the tone for debate.

[phalynx]

The only problem with their comparison is comparing Windows 2003 with RedHat Linux 6.. Red hat is currently on 9.0. Comparing RH 6.0 to a Windows products would be NT4.0.

[Salo]

It's all in fun: let's just say I find MS lecturing anyone on security to be as ironic as the French offering military advice to anyone other than the Italians.

[Pearls Before Swine]

Regardless of the perceived merits of MS' argument, I think that this is going to come across as sour grapes. Maybe it works as a long term strategy if MS can make an ongoing continuing case, but not as a publicity blitz offensive.

[MD_Willington_1976]

I run Knoppix & Puppy Linux from a CDR..can MS do that other then on an embedded NT or CE system?

My embedded NT system cost over $2k, Knoppix & Puppy were maybe $1-$2, had to burn it to a CDR...

[Wonder Warthog]

"It's all in fun: let's just say I find MS lecturing anyone on security to be as ironic as the French offering military advice to anyone other than the Italians."

Why would the Italians take military advice from the French---Rome conquered Gaul, not 'tother way round :^)!!

[ShadowAce]

I currently administer a Windows 2000 network with 3 servers and over 100 clients (with associated printers, etc). However, I think I've got my administration to agree to look into Linux. With all the hassles and headaches we've had in the past year alone, I could have been doing much more productive tasks, and they see that.

[phalynx]

I am a senior admin for 500+ servers and 9000+ users,,,, we are looking at a linux solution. Probably not Redhat. They want a packaged hardware/software vendor..

[Egon]

...it will criticize Linux for taking too long to fix bugs...

Someday, I'm going to have to sit down and list all the bugs in various MS products that I've reported to them (some since VB 2.0 and Windows 3.0) and have yet to be fixed...

[Salo]

We're in the process of migrating from Netware to linux. Sort of. Well, we were. Novell's new direction has changed a few things for us. Unfortunately, our PHBs keep finding these wonderful "solutions" that only run on MS. Every time we think we've made our point about how high-maintenance MS is, some doofus comes in from a PowerPoint presenation thinking he has seen God and we end up with another MS server. Of the 4 apps we have running that are MS-only, we only have one real success. The others are bloated apps spattered out on disks by Indian Code Monkeys that never work as advertised and cost us more money and time than they are worth.

[Bush2000]

"We just don't have viruses," she told us. "Our problems are located and fixed more proactively. Because the source code is open, we find there is a patch before there is even a problem."

RedHat is being used on servers, not desktops; consequently, it doesn't have to deal with the scores of poorly trained users who inadvertently infect themselves and redistribute viruses to others.

[Dominic Harr]

Microsoft Corp. is preparing a major PR assault over Windows' perceived security failings in which it will criticize Linux for taking too long to fix bugs, we have learned.

Marketing people, I think, surpass even lawyers and politicians in their willingness to bald-facedly lie to your face to fleece you.

[Dominic Harr]

Oh, and Ping . . .

[Poser]

We run a mixed Unix/Linux/Windows/Solaris/Mac campus with over 17,000 computers. The guys who run it complain as much about Linux as Windows. They don't complain much about Unix. The Macs are all desktops and their aren't enough Solaris systems to evaluate the ease of use.

Microsoft making an assault on a free operating system is ridiculous. They need to reevaluate their market position.

[Question_Assumptions]

If Microsoft wants to convince people that they are serious about security, they can (A) replace Outlook with something more secure and (B) make their default settings secure.