Microsoft Monoculture

Is the "Monopoly" Dangerous?

The Microsoft Windows operating system (OS) is fairly ubiquitous. Around the globe a good percentage of computers in existence use some version of the Windows OS. In general this is not a problem. However, when a flaw is discovered in the Windows operating system or one of its components it provides a very "target-rich" environment for malicious attacks or for viruses and worms to spread rapidly.

There are really two parts to the issue: 1) Is it good security practice to have such a large percentage of machines all running essentially the same operating system? and 2) If you are going to run in an operating system "monoculture", should the OS itself be less flawed?

Vulnerabilities that are discovered in Microsoft Windows tend to generate a lot of press. To some degree this is necessary: with so many machines around the world vulnerable to whatever the newly discovered flaw is, it is imperative to get the word (and the patch or fix for the problem) out as quickly as possible. But the Microsoft-bashers also love to point out that Linux or Apple's OS X is not vulnerable to whatever the exploit du jour is on the Microsoft platform.

What they don't generally tell you is that these other platforms have their issues as well. Often the flaws lie in applications or utilities that are included with the operating system rather than in the operating system itself, and these utilities are often created by third parties not connected with the operating system. So, it would be an accurate statement in my opinion to say that the actual operating systems are more secure or less vulnerability-prone than Windows. However, because these utilities are included and installed by default in most cases, they still make the overall system vulnerable.

In my opinion, it comes down to the user knowing enough about their own system to keep it protected, regardless of what operating system it is. Read on to see other opinions on this hot topic.


When worms such as MSBlast (and/or Nachi), which struck the Windows operating system world in August of 2003, hit, many question the logic of continuing to rely on such a seemingly flawed operating system to run the majority of computer systems worldwide. The CCIA (Computer & Communications Industry Association) released a paper titled CyberInsecurity: The Cost of Monopoly (How The Dominance of Microsoft Products Poses a Risk to Security). Authored by a group including many highly respected information security experts such as Dan Geer, Rebecca Bace and Bruce Schneier, this paper has drawn quite a bit of attention.

The basic premise of the paper is that because of its near-monopoly position in the world of operating systems, Microsoft Windows poses a significant risk to the security and stability of computing globally. A single virus or worm could impact or even wipe out a significant number of computers.

There are those who oppose this point of view, however. That is not to say that they favor everyone in the world running the exact same version of Microsoft Windows, just that they feel that the analogy used in the paper is simplistic and does not represent reality.

Marcus Ranum, "father" of the proxy firewall, Senior Scientist at security firm TruSecure and author of The Myth of Homeland Security, in particular offers a paper which illustrates how an analogy can be used to prove a point, but that the point will only be valid in that analogous world, not in reality.

Read on for some excerpts from both the CCIA paper and Marcus Ranum's counter-paper and form your own opinion on the subject. Is Microsoft Monoculture dangerous to the security of the computing world at large? Or, is Microsoft Monoculture really just anti-Microsoft hype aimed at trying to depose the King of the Hill?

Arguments For

The crux of the CCIA paper pretty much lies in this statement: "Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow."

Essentially, if everyone has Microsoft Windows and a severe or critical flaw is found in that operating system, every one of those computers will be vulnerable to having that flaw exploited. If a malicious programmer develops a virus or worm to automate the propagation of the exploit, tens of thousands or possibly even millions of computers can be impacted or wiped out in a very short timeframe.

In January of 2003 the SQL Slammer worm spread around the world in 15 minutes and effectively shut the Internet down. SQL Server is a separate application, not part of the Windows operating system, but it's a good illustration of just how fast a threat can spread.

In August of 2003 the MSBlast / Nachi worms hit the Internet. They did not propagate as quickly as SQL Slammer, but the vulnerability being exploited was in the operating system itself and many more computers were susceptible.

Microsoft basically has a stranglehold on market share for operating systems. Their server market share may rise and dip, but in the desktop and home user market Windows is almost exclusively the operating system of choice.

This effectively means that every time Microsoft adds a new "feature" which can be twisted and used with malicious intent, and every time Microsoft releases flawed software, virtually every desktop computer in the world is potentially vulnerable to exploit.

The team of highly respected security experts who co-authored the CCIA paper find these facts alarming and believe that something should be done, fast, to upset that balance and get more diversity into the operating system market.

Arguments Against

I think that the following paragraph from Marcus Ranum really captures the essence of his argument against the Microsoft Monoculture hype:

"There is no "monoculture" here. My system isn't just Windows. My security is effected (and affected) by a bewildering combination of default settings, software patch levels, default firewall rules (I just plugged it in, honest!), browser settings, and antivirus signature sets. We're not in anything like danger of becoming a "monoculture" unless every system was running the same software load-out, security policy, antivirus product, and patch level. In spite of the dearest wishes of countless system administrators, that simply isn't going to happen! So, as much as I hate to say it, Sun's marketing people may have been right, "The network is the computer" - and the network sure as hell isn't going to become a "monoculture" unless Microsoft builds all the firewalls, all the routers, all the switches, all the web accelerators, all the SQL databases and establishes everyone's security, routing, DNS, and update policies."

The fact is that even if everyone had Windows XP Home on their home desktop computer, they would be connecting through different ISPs who run different routers, switches and hopefully some filtering or protective measures. If they have a home network they will have a different router than their neighbor, and both of them will most likely contain some sort of basic firewall to block unauthorized traffic. They will have different antivirus software programs and personal firewalls installed. One person may be running IIS (Internet Information Services) to host a web site while his neighbor may have IIS disabled, but be running an FTP (File Transfer Protocol) server to share files instead.

The bottom line from Ranum's point of view is that the CCIA argument works great in their fantasy world where a monoculture does exist, but that in reality there are too many factors and, in fact, no such monoculture to worry about.
