Dumb software for dumb people

The Windows world is fertile ground for infinite virus plagues, especially when users refuse to take proper care of their computers.

Published August 27, 2003 6:59PM (EDT)

On Jan. 15, 2002, Bill Gates, the chairman of Microsoft, sent his staff a remarkably candid e-mail outlining his thoughts on the company's products: Our software isn't secure enough, he said, and we need to make it stronger. In the memo, which Microsoft quickly made available to the public, Gates lamented that computers -- unlike telephones or the water and electricity system -- do not meet the level of "trustworthiness" that the public expects of them.

"Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms," Gates wrote. "We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better."

But a year and a half since Gates sent his memo, it doesn't seem as if Microsoft is doing much better. Its software appears as vulnerable to security threats as it's ever been; indeed, August 2003 may be the worst month for viruses on record.

First came the Blaster worm, a bit of code that squirmed into Windows XP and 2000 machines through a hole that Microsoft disclosed and patched in July. After that, in the sort of twist you sometimes see in the underground virus-writing world, a good-guy variant of the Blaster worm appeared online. This worm, which some people call Welchia and others call Nachi, attempted to remove the Blaster worm from infected computers and to inoculate machines against further attack by installing Microsoft's patch. (Because it was poorly programmed and scanned for new machines so aggressively that it flooded networks, though, many experts say it ended up doing more harm than good.)

Then, on Aug. 19, the Sobig e-mail virus -- the one responsible for all those messages from friends exhorting you to check out a purportedly wicked screensaver -- began shooting through in-boxes. The virus, which infects only Windows machines, has circulated before; its first incarnation, Sobig-A, appeared in January. But for reasons that are somewhat unclear, the current version, Sobig-F, has spread at an extraordinary rate -- according to some experts, it is the fastest-replicating virus of all time.

The surge in viruses has given Microsoft's detractors much to crow over. Many see the multiple plagues as proof that the company doesn't care about securing its code, Gates' memo notwithstanding. But is that really what we ought to conclude? Does the spread of Blaster, Welchia and Sobig -- not to mention Melissa, ILOVEYOU, Nimda, Klez, Code Red and the countless other Microsoft-dependent viruses and worms that have attacked most of the world's machines during the past five years -- prove that Redmond's code is shoddier than everyone else's?

Well, not really. "There have been many serious vulnerabilities found in Linux and Macintosh as well," explains Graham Cluley, a virus expert at Sophos. Microsoft even believes that, in terms of security flaws, "we're actually running below some of the competing platforms," according to Steve Lipner, Microsoft's director of security engineering strategy.

If Windows seems to suffer more for its holes, that's because virus writers find it a significantly more attractive target than the other operating systems, experts say. "They want to infect the world, and the easiest way to do that is to target Windows," Cluley says. And because Windows is the platform most malicious programmers devote themselves to damaging, causing havoc is a well-documented endeavor. "With 85,000 computer viruses in existence, it's not difficult to find out how to write a new virus for Windows. There's a lot of information out there," Cluley says.

There's one other reason why attackers might have more success with Windows -- its users. Not only do a lot of people use Windows, but a lot of tech-unsavvy people use Windows -- just the sort of folks who'd click on a message advertising a wicked screensaver, a virus-writer's dream.

Not that any of those factors should get Microsoft off the hook. Experts say that today's viruses illustrate, once again, the mistakes Microsoft routinely makes when it builds its software -- it adds in too many features, making its systems unnecessarily complex; it keeps safety add-ons, like the firewall it built into Windows XP, turned off by default; and it tightly integrates many of its applications, making it easy for a virus aimed at one kind of program to wreak havoc across your whole system.

"Microsoft likes to talk about vulnerabilities like they're the weather, like they just happen," says Bruce Schneier, the founder and chief technical officer of Counterpane Internet Security. "But in fact it's a mistake -- it's a programming mistake based on decisions they make, and it doesn't just happen."

But why does Microsoft make these mistakes? The company won't say this, but at least part of the reason could be that programs that are less than fully secure have been good for its business. "The average user of Windows does not want secure code," says Mike Sweeney, a security expert at Packetattack.com, a tech consulting firm. Typical computer users find maintaining their systems a pain; running an anti-virus program or a firewall, or making sure you're fully patched-up, is an inconvenience people would rather not deal with. "The trouble is, a computer's a commodity -- there's no license, there's no training, you don't need permission to use it. On the one hand that's a good thing, but on the other it leaves us open to all these viruses like Sobig."

Sweeney doesn't place the blame entirely on users -- "The fault's all around," he says, a sentiment most experts agree with. Microsoft and its users seem to deserve each other; the company makes dumb mistakes when it's building its software, and the users make many dumb mistakes when they're running it -- and every time something blows up, nobody does anything differently.

How can Microsoft address this situation and realize Gates' vision of a computer that is "so fundamentally secure that customers never even worry about it"? You start, experts say, in the obvious way -- you stop making dumb mistakes.

In the wake of the latest threats, Microsoft purchased full-page ads in major newspapers exhorting its customers to visit a Web site to find out how to protect their machines. The page asks users to perform three relatively easy tasks -- install an Internet firewall (one is built into Windows XP, though it ships turned off), download the latest software patches from Microsoft, and run an up-to-date anti-virus program. Steve Lipner says that these steps can protect most consumers from many of the current threats.

But some experts aren't satisfied with Microsoft's efforts. "That's called blaming the victim," says Richard Smith, the security researcher who helped lead police to the coder behind the Melissa virus. "It's like that old saying, 'An ounce of prevention is worth a pound of cure'" -- in the case of some of the latest worms, Smith says, you can tell that Microsoft didn't put much effort toward prevention.

Blaster exploits a "buffer overflow" hole in the RPC service that ships with the newest versions of Windows: a flaw in which a program copies more data into a fixed-size region of memory than the region can hold, letting an attacker overwrite whatever lies beyond it and, from there, take over the program. Such flaws are not uncommon; all OSes suffer them. But with thorough code review, and with automated tools that flag the unbounded copy routines that cause them, they're not very difficult to spot -- in fact, Microsoft has long touted methods it developed to search for buffer overflow problems in its software. In October 2001, Jim Allchin, the Microsoft executive in charge of Windows, told eWeek magazine that "we have gone through all code and, in an automated way, found places where there could be buffer overflow, and those have been removed in Windows XP." But as Bruce Schneier pointed out in a January 2002 essay in his monthly computer security newsletter, Windows XP had been out for just a few months when Microsoft urgently announced a critical flaw in the OS -- a buffer overflow that could have allowed anyone to take control of a machine running the buggy code.
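The bug class behind Blaster, as an added example that is not code from the article, from Microsoft or from any worm: a vulnerable message parser that trusts a length byte read off the network, the bounds-checked form beside it, and a crude text sweep for unbounded copy routines of the kind Allchin's "automated way" hints at. The wire format (one length byte followed by the name bytes), the field names, the 16-byte limit and the sample source fragment are all hypothetical, constructed for this example.

```c
/* Added example; not code from the article, from Microsoft or from any worm.
 * The wire format, field names, NAME_MAX and the sample source text are
 * hypothetical, chosen only to show the bug class and the remedy. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX 16   /* hypothetical size of the fixed on-stack buffer */

enum { PARSE_REFUSED = -1, PARSE_OK = 0, PARSE_TOO_LONG = 1, PARSE_TRUNCATED = 2 };

/* Constructed message: buf[0] is the declared name length, buf[1..] the name. */
struct name_msg {
    const uint8_t *buf;
    size_t len;   /* bytes actually received from the network */
};

/* VULNERABLE: trusts the attacker-supplied length byte. A declared length of
 * NAME_MAX or more writes past 'name' into the rest of the stack frame,
 * which is what a worm turns into code execution. Kept for comparison. */
int parse_name_unchecked(const struct name_msg *msg, char *out, size_t out_len)
{
    char name[NAME_MAX];
    size_t n = msg->buf[0];
    memcpy(name, msg->buf + 1, n);   /* no bound on n */
    name[n] = '\0';
    snprintf(out, out_len, "%s", name);
    return PARSE_OK;
}

/* HARDENED: every length that came off the wire is checked against both the
 * bytes actually received and the destination buffer before any copy. */
int parse_name_checked(const struct name_msg *msg, char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (msg->len < 1)
        return PARSE_TRUNCATED;
    size_t n = msg->buf[0];
    if (n + 1 > msg->len)            /* declared more bytes than were sent */
        return PARSE_TRUNCATED;
    if (n >= sizeof name)            /* leave room for the terminator */
        return PARSE_TOO_LONG;
    memcpy(name, msg->buf + 1, n);
    name[n] = '\0';
    snprintf(out, out_len, "%s", name);
    return PARSE_OK;
}

/* Build the two constructed samples (a benign 5-byte name, and a hostile
 * message claiming a 200-byte name) and run one parser on one of them. The
 * unchecked parser is never fed the hostile sample: that would smash the
 * stack rather than return a code, so the call is refused instead. */
int run_sample(int use_checked, int use_hostile, char *out, size_t out_len)
{
    uint8_t benign[] = { 5, 'h', 'o', 's', 't', '1' };
    uint8_t hostile[1 + 200];
    hostile[0] = 200;
    memset(hostile + 1, 'A', 200);
    struct name_msg msg = { benign, sizeof benign };
    if (use_hostile) {
        msg.buf = hostile;
        msg.len = sizeof hostile;
    }
    if (!use_checked && use_hostile)
        return PARSE_REFUSED;
    return use_checked ? parse_name_checked(&msg, out, out_len)
                       : parse_name_unchecked(&msg, out, out_len);
}

/* Same as run_sample but discards the parsed name; returns only the code. */
int sample_code(int use_checked, int use_hostile)
{
    char out[64];
    return run_sample(use_checked, use_hostile, out, sizeof out);
}

/* A crude version of the automated sweep: count calls to C library routines
 * that copy with no destination bound. A match must start a word, so that
 * "fgets(" is not reported as "gets(". Real tools work on parsed code rather
 * than raw text, but the banned-function list is the idea. */
int count_unsafe_calls(const char *src)
{
    static const char *banned[] = { "strcpy(", "strcat(", "sprintf(", "gets(" };
    int hits = 0;
    for (size_t i = 0; i < sizeof banned / sizeof banned[0]; i++) {
        const char *p = src;
        while ((p = strstr(p, banned[i])) != NULL) {
            int word_start = (p == src) ||
                             !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            if (word_start)
                hits++;
            p += strlen(banned[i]);
        }
    }
    return hits;
}

int main(void)
{
    char out[64];
    printf("unchecked, benign  -> %d (%s)\n", run_sample(0, 0, out, sizeof out), out);
    printf("checked,   benign  -> %d (%s)\n", run_sample(1, 0, out, sizeof out), out);
    printf("checked,   hostile -> %d\n", run_sample(1, 1, out, sizeof out));
    /* Constructed source fragment standing in for a file under review. */
    printf("unsafe calls found -> %d\n", count_unsafe_calls(
        "strcpy(dst, src); n = sprintf(buf, fmt); strncpy(d, s, n); fgets(l, n, f);"));
    return 0;
}
```

The unchecked parser behaves identically on benign input, which is why such bugs survive ordinary testing; the checked parser rejects the hostile length before a single byte is copied. A text match like the sweep above is only the idea behind a banned-function scan: finding a call proves nothing about exploitability, and finding none does not prove the code safe.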

"Microsoft has $40 billion in cash in the bank," says Richard Smith. "Why is it that they can't get rid of buffer overflows in key software areas that could be attacked? Imagine all this trouble for a buffer overflow error that should have been caught! They've really got the bankroll to do this, and they should have done this rather than saying that all of us in the rest of the world should waste our time updating our computers."

Smith believes Microsoft's failure to detect the overflow error in Windows is indicative of a generally lackadaisical attitude toward software flaws. Time and time again, he says, Microsoft has added features into its software that only virus writers seemed to find useful. A good example of this is the Windows Scripting Host, the service that allows Windows to run VBScript files. In previous versions of Windows, the scripting host was turned on by default, even though most people had no use for it; indeed, says Smith, the only time most computers ever ran the scripting host was when they were hit with viruses like ILOVEYOU, a VBScript file that ran on top of WSH. "You can turn off the scripting host and most everyone's computers will work perfectly," Smith says. And that seems to be a popular choice -- on Google, the second result for "Windows Scripting Host" is a page titled, "How to disable Windows Scripting Host."

In his memo on security, Bill Gates seemed to recognize the problems created by too many unnecessary features. "In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software," he wrote. "So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

There is some indication that Microsoft is already doing a bit of this. Smith notes that the latest version of Outlook, Microsoft's e-mail program, blocks executable attachments by default -- the sort of files that carry viruses like Sobig. But Smith says that he's puzzled that this was not the case for the latest version of Outlook Express, Microsoft's free e-mail program. "This shows that someone at Microsoft realized that attached executables are a bad thing -- but for some reason they didn't address it across the board." Also, if Microsoft is asking all its users to turn on the firewall and auto-update software, why didn't it ship Windows with those features turned on already, Smith wonders. That's a good question -- and according to Lipner, Microsoft now plans to do so.

But beyond shipping software with certain features turned on and certain others disabled, it remains unclear to security experts whether Gates' memo calling for a new Trustworthy Computing initiative will lead to dramatically better software from Microsoft. The most cynical Microsoft-watchers, such as the people who congregate on Slashdot, already consider the letter nothing more than a cheap public relations stunt -- the monopolistic software baron attempting to pacify the media with proof that he is at least thinking about the myriad viruses, worms and other digital scourges that plague our hyper-connected world.

Bruce Schneier is just a tad less jaded than that, but you couldn't call him optimistic. "Let's hope that the Gates memo is more than a headline grab, and represents a sea change within Microsoft," he wrote in his newsletter. "If that's the case, I applaud the company's decision. It's a difficult one. Putting security ahead of features is not easy. Microsoft is going to have to say things like: 'We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out.' They're going to have to stop all development on operating system features while they go through their existing code, line by line, fixing vulnerabilities, eliminating insecure functionality, and adding security features. Security works best when it's designed into the system from the beginning, so a lot of what they've already done is going to have to be rewritten."

But Steve Lipner, of Microsoft, gave no indication that the security review called for by Gates is putting anything at the company on hold. "I believe that it is possible to build systems that are increasingly more secure and still useful and commercially viable," he said. He added that in designing the company's new server operating system -- Windows Server 2003 -- "we made a huge number of changes" in the development process to create an operating system that "is secure by design." But the whole thing was not redesigned from the ground up and most of the code was not rewritten. Still, Lipner says, the server is more secure than previous versions.

Schneier is not especially surprised that Microsoft is not halting development on its main software initiatives in order to focus on security. In combating security threats, the company's most important task is "to convince you the reporter that they're doing a good job, that they're going to fix the problems." For the company to do anything more than pursue a public relations strategy -- like, for instance, for it to actually spend time and money on no-nonsense software -- "that would be dumb," Schneier says.

That's because, according to Schneier, adding strength to your software is not a high-yield proposition: Customers don't go out of their way to pay extra for security, and, as Microsoft's track record has proved, you wouldn't lose much anyway if you shipped software that was hobbled by one or two, or two dozen, major flaws. In the typical end-user license agreement, most software vendors, including Microsoft, disclaim any liability for damage their bugs might abet. If Microsoft makes a stupid mistake in its code that makes it easy for someone to come into your home and steal everything you have, Microsoft is not legally responsible for any of your losses. "And until that changes, none of the security will get better," Schneier says.

But Microsoft denies that it lacks reasons to make its software stronger. "Of course we have an incentive," Lipner said. "The statement that it takes liability to provide us with an incentive to do security right is bunk. We do this because customers insist on it and we do this because it's the right thing to do for our customers. We're a business, and we're driven by what the customers demand -- and that's how this company got to be as successful as we have been."

By Farhad Manjoo

Farhad Manjoo is a Salon staff writer and the author of True Enough: Learning to Live in a Post-Fact Society.
