Microsoft's Security Chief Says Windows Safer Than Linux

TechWeb ^ | February 10, 2005 | Gregg Keizer

[Eagle9]

Microsoft's top security honcho insisted Thursday that Microsoft "is making progress on security using any reasonable metric."

Mike Nash, the company's chief security executive, made the comment during an online chat session just days after Microsoft rolled out its biggest bunch of Windows patches since April 2004.

Nash staunchly defended the Redmond, Wash.-based developer's progress, and compared Windows' flaws with those in open-source Linux operating systems from Red Hat and Novell's SuSE.

"Even with the relatively large number of bulletins we released this week, we compare favorably," he said. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

Nash also said that the number of patches shouldn't be the only criteria users apply to tell if Microsoft's doing its job. "Note that this is just one measure, and doesn't take into consideration all of the other progress we're making, with security guidance for customers, improving security manageability and introducing innovative security solutions and technologies," he said.

When asked if Microsoft would consider refining its four-step severity rating system to give additional guidance to enterprises wrestling with deciding which of the 10 critical vulnerabilities of Tuesday to patch first, Nash said that for 2005, the rankings will remain as is.

Nash also took questions about this week's acquisition of Sybari Software, a maker of enterprise-oriented anti-virus and anti-spam add-ons for messaging platforms such as Microsoft Exchange and Lotus Notes. In particular, he said that the anti-virus scanning engine acquired in 2003's purchase of Romania-based GeCAD would be supported by Sybari's products this year.

"One of the engines we will be supporting soon after the deal closes is the GeCAD engine," said Nash.

That move may put additional pressure on third-party vendors whose engines are currently supported by Sybari, which include those from Sophos, Computer Associates, and Kaspersky Labs.

And Nash talked up Microsoft's work on a desktop anti-virus product.

Although he refused to get specific about when Microsoft will release desktop AV software, the company is "working hard on it." It will be based on the GeCAD technologies, he said, but with numerous enhancements.

"GeCAD was very solid when we acquired it . . . That said, there were some things we wanted to improve. We feel very good about the progress we have made [and] know we have to have great technology before we ship our own desktop AV solution."

The combination of the Sybari purchase and the looming entry of Microsoft into the desktop anti-virus market has investors in major security firms like Symantec and McAfee worried.

As well they should, wrote three Gartner analysts Wednesday. "The Sybari architecture will also enable Microsoft to plug in its own AV engine," Gartner analysts Neil MacDonald, Arabella Hallawell, and Maurene Caplan Grey wrote. "Gartner believes Microsoft AV engine, along with its signature service, will be the foundation of Microsoft's forthcoming desktop offering."

The AV engine would be the one developed from GeCAD, the same that Sybari's products will support when the acquisition closes sometime before the end of the second quarter.

"We have not announced the availability date of our desktop AV solution at this point," said Nash. "That said, we do expect to have the GeCAD engine available on the Sybari platform soon after the deal closes. I would certainly expect that to be this year."

Nash also repeatedly said that it would be important for Microsoft to tie its various security tools together in the enterprise. "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and anti-virus," he said. "We're currently working through specific requirements."

In a final note, Nash said that Windows AntiSpyware, the tool acquired during its December 2004, purchase of Giant Company Software, will go through at least one more beta version before it's released. In related news, Microsoft's anti-spyware product has been targeted by virus writers, in what experts believe is the beginning of what will be a salvo of malware attacks on Microsoft security products.

As other Microsoft executives have said in the past, Nash wouldn't reveal whether AntiSpyware would continue to be offered free (as the beta is now), or whether fees would be charged. "We have not yet finalized the packaging/licensing, but will communicate that as soon as it's determined, so stay tuned," he said.

[chilepepper]

War is Peace. Freedom is Slavery. Ignorance is Strength

[ken21]

ha ha.

[blastdad51]

Mr Nash ... please clarify " compare favorably"

[ccmay]

How comical.

Though it must be said, I found "only" 44 spyware programs last time I ran Ad-Aware on my Windows 2000 system. Usually there are several hundred.

Of course, I have never had even one on my Macs.

-ccm

[rlmorel]

Hehe, okay...if he says so then it must be true!

[explodingspleen]

ROTFL, first half of the peace is about Microsoft being "secure", second half is about Microsoft trying to combat the massive numbers of viruses it products are susceptible to (virus: something linux is not susceptible to!).

[The Red Zone]

Winders is plugging holes faster than Linux, because Winders has more holes to plug.

[Light Your World]

"Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

This is the key statement -- Red Hat and SuSE actually patch their vulnerabilities right away, whereas Microsoft waits quite awhile and sometimes doesn't fix known problems at all.

[clee1]

Add to that the fact that there are very few people actively trying hack Linux. Every punk with a VB compiler is busy trying to screw MicroShiite.

[Nick Danger]

Microsoft's Security Chief Says Windows Safer Than Linux

What's next, "Joe Isuzu says Toyotas suck"?

[AFreeBird]

Hackers Quickly Target Newly Disclosed Microsoft Flaw

[hiredhand]

As always, we'll just have to take their word because unless you're a developer for M$, you aren't going to get to even peek at their source code.

The argument has never really been whether it was "safer" or not, but rather the advantage of speed and dynamics of bug fixing with the open source model.

I wonder if M$ is brave enough to make the same claim against OpenBSD? :-)

Also, if memory serves me correctly, the busiest web servers on the planet do NOT run M$ operating systems, nor do they run a M$ webserver (IIS). I'm pretty certain they run FreeBSD and Apache....which M$ fails to mention.

Now why do you suppose this is? It's because Linux is a threat to M$ and that's where they are focusing.... Which actually means that Linux is probably a pretty good operating system!

As a matter of fact, I know it's a good operating system. I work for a major global telecom provider, and in the next several years we're going to be making substantial investments in Linux....particularly RedHat on account of their partnering with Oracle. In fact, our CIO is VERY unhappy about the losses we've suffered both in terms of revenue and customer satisfaction on account of worms which simply couldn't have happened if not for Microsoft operating systems. There was talk of supplying Linux to desktop computers, but I'm not sure they'll ever get around to doing that.

I trust M$ about as far as I can throw my truck across the parking lot. ...and lest we forget, they don't have a good track record with being honest to their customer base.

[The Red Zone]

Also, Windows Server isn't the main target anyhow. It's Windows desktops.

[ohCompGk]

"Even with the relatively large number of bulletins we released this week, we compare favorably," he said. "Year-to-date for 2005, Microsoft has fixed 15 vulnerabilities affecting Windows Server 2003. In the same time period, for just this year, Red Hat Enterprise Linux 3 users have had to patch 34 vulnerabilities and SuSE Enterprise Linux 9 users have had to patch over 78 vulnerabilities."

Doesn't mention how much larger the RH and SUSE packages are in comparison to 2003.

GeCAD was very solid when we acquired it . . . That said, there were some things we wanted to improve.

Yeah, like RAV's Spam control algorithms were written to run on a linux mail server and their windows AV client was OK at best. I always thought they bought it to pull it from the linux market. Not releasing it under a MS name in over a year reinforces that opinion.

[djf]

You hear news like this and can't help but wonder...


how many roomfuls of coders does MS have, anxiously coding away like a million monkeys on a million keyboards, trying to perfect a couple good hacks into Linux..

They would never release them, of course.

[Poser]

I like Windows better than Linux but this is ridiculous.

[ohCompGk]

...doesn't fix known problems at all.

Hey, setting the default value of opening email attachments with Outlook Express to "don't allow" is a fix to the vulnerability isn't it?

[rockrr]

Is there something in the water around here?

First our King County Chief Mo-ron (Ron Sims) announces the single most f'd up election contest of the 2004 season had "An accuracy that bankers would be proud of", then this.

These people are demented!!!

[Griptilian]

I never get spyware with IE.
Haven't had any on my system until I started using Firefox.

Maybe you should evaluate your surfing habits and system set up...... and\or knowledge of.