
Ballmer on why Windows is more secure than Linux

A trip to Disneyland


Microsoft chief executive Steve Ballmer yesterday defended the company's record on security, arguing that, contrary to popular opinion, Windows was easier to secure than its open source rivals.

In a showpiece interview with analysts at Gartner's ITXpo in Orlando, Ballmer went as far as suggesting data from security clearing house CERT supported his controversial assertion that Windows was subject to fewer vulnerabilities than popular Linux distros, such as Red Hat.

According to Ballmer, four critical vulnerabilities were discovered in the first 150 days after the release of Windows 2003, compared with 17 found in the same time following the release of Win2000.

"The first 150 days of Red Hat 6, go check the number, just go check the number. It's five to ten times higher than what we are showing," Ballmer said.

But vulnerabilities in Red Hat include flaws with the applications that run on top of the distro as well as the distro itself, so Ballmer has latched onto a misleading comparison. In absolute terms, the number of Microsoft security alerts is decreasing. But this doesn't tell the whole story either, as the seriousness of particular problems and how widely they are exploited are not taken into account.

Blame game

Academics believe the security of open and closed source platforms to be roughly equivalent. Sysadmins say that patching Windows for security updates is more problematic than is the case with Linux. Despite this, Ballmer continues to find fault with open source security.

"There's no roadmap for Linux. There's nobody to hold accountable for security issues with Linux. There's nobody sort of, so to speak, rear end on the line for issues; it may or may not be an issue," he said.

And what of Microsoft's own Trustworthy Computing initiative, now approaching its second birthday? Ballmer admits that Redmond's efforts to address patching issues are overdue, but he points to the progress the company has made thus far.

"Since we embarked on what I might call the trustworthy computing release process, we've made dramatic strides; maybe not good enough, four critical vulnerabilities, still not good enough, but we've made dramatic strides," Ballmer said.

"We put a lot of effort and energy into improving our patching process, probably later than we should have and now we're just gaining incredible speed. Our patching process needs to be more predictable, people want smaller patches, we need one simple installation process for patches, which we haven't had, we need rollback on patches, we need a more consistent patch policy, people want more predictability about when they come out, and people want better patch management tools."

"There's a whole set of things that people absolutely want and we've been raising our game," he added, referring to Microsoft's plans to provide improved "inspection and shield" technologies.

Security is 'top priority' for Redmond

Ballmer gave one of his strongest statements to date that giving people confidence in the security of Microsoft's products is "absolutely our top priority.

"We've got our best brains on it. We've told people anything we need to do - acquiring new technologies, people, approaches - we should put our heads down and go get that stuff done. And we're not going to let anything stand in the way.

"We understand this is an issue of customer satisfaction. It could slow down progress on IT for the whole industry."

The last remark is telling. Ballmer sees security as a difficult stretch of water to be navigated or a roadblock to "innovation", not as a process that needs to be continual, with trade-offs made to manage risks within business requirements.

Gartner analysts correctly identified one of the key security problems Microsoft has yet to address. Whatever the company is doing now in terms of improving its code quality, most of the problems ("probably 95 per cent") are from code that was written six, seven, eight years ago.

Ballmer was asked if Microsoft was going to rewrite some of this code over time or start over in a few years.

His reply was far from convincing: "There are some things that, in the 20-year time horizon, I'm sure we will redo, and perhaps others will as well," he said, before moving on to discuss new security models based on XML technology.

This is not good enough and touches the heart of the problem, namely the lack of compelling commercial incentives for Microsoft to improve older software.

A transcript of Ballmer's interview is here. ®
