[ISN] Microsoft prepares security assault on Linux

From: InfoSec News (isn@private)
Date: Wed Nov 12 2003 - 04:16:06 PST

  • Next message: InfoSec News: "[ISN] Crime gangs extort money with hacking threat"

    http://www.infoworld.com/article/03/11/11/HNmsassault_1.html
    
    By Kieren McCarthy
    Techworld.com 
    November 11, 2003   
    
    Microsoft Corp. is preparing a major PR assault over Windows' 
    perceived security failings in which it will criticize Linux for 
    taking too long to fix bugs, we have learned.
    
    In a sign that the inroads made by the Open Source community are 
    starting to rattle the software giant, Microsoft has hired several 
    analysts to review how fast holes are patched in the open source 
    software and is expected to announce that Windows compares favorably. 
    
    The strategy, called "Days of Risk," measures the number of days it 
    takes programmers to release a public patch after a vulnerability is 
    revealed. While high-profile holes in Linux and associated software 
    tend to be swiftly dealt with, less prominent problems -- which could 
    be just as potentially damaging -- can take weeks or even months to 
    appear. 
    
    Microsoft's aim is to undermine critics and place a question mark over 
    Linux's security by revealing that, on average, Windows poses less of 
    a security risk. By turning attention away from its own software bugs 
    while at the same time launching several security initiatives, it 
    hopes to be able to tackle one of main worries business has with its 
    proprietary operating system. 
    
    Windows security is a club constantly used by Linux advocates to beat 
    Microsoft over the head -- made all the more relevant following the 
    extremely damaging Blast worm and SoBig virus that spread rapidly 
    thanks to vulnerabilities in Microsoft's software. 
    
    Microsoft Chief Executive Officer Steve Ballmer is known to have made 
    security a top priority. Last week, the company announced a $5 million 
    reward program aimed at bringing virus writers to justice. Although it 
    is unlikely to reap any tangible results, the message was clear: 
    Microsoft is taking security seriously. 
    
    And at the end of October, Ballmer gave the audience at Gartner's 
    autumn symposium a taster of what was to come when he attacked Linux's 
    assumed security superiority. "In the first 150 days after the release 
    of Windows 2000," he said, "there were 17 critical vulnerabilities. 
    For Windows Server 2003, there were four. For Red Hat Linux 6, they 
    were five to ten times higher." 
    
    He also questioned the notion that the open source's community 
    approach to fixing problems was superior to Microsoft's. "Why should 
    code submitted randomly by some hacker in China and distributed by 
    some open source project, why is that, by definition, better?" 
    
    A spokeswoman for Red Hat was undaunted by the prospect of a full 
    frontal security assault by Microsoft however. "We just don't have 
    viruses," she told us. "Our problems are located and fixed more 
    proactively. Because the source code is open, we find there is a patch 
    before there is even a problem." 
    
    She also denied there was an issue of professionalism: "We have dozens 
    of Fortune 500 customers we have to report to. We would never let a 
    bug go unfixed." 
    
    However, Microsoft is thought to have pulled out all the stops to 
    prove its security case. That means it should have something more 
    tangible than the questionable reports it has sponsored in the past in 
    an attempt to show Windows has a comparable or lower total cost of 
    ownership than Linux. 
    
    "There is always some assertion by Microsoft," the spokeswoman told 
    us. "And its example is always on a very small part of Linux. But when 
    you look at Linux as a whole, it is very reliable and our customers 
    considerable it superior." 
    
    Microsoft failed to respond to our questions, although its law and 
    corporate affairs spokeswoman told us that she didn't think the 
    company intended to launch a security attack on Linux and that it 
    would be "odd" if the company used strong comparative information to 
    state its case. It would be more odd if it didn't. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Nov 12 2003 - 08:18:05 PST