Feeds

Ballmer on why Windows is more secure than Linux

A trip to Disneyland

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Microsoft chief executive Steve Ballmer yesterday defended the company's record on security, arguing that, contrary to popular opinion, Windows was easier to secure than its open source rivals.

During a showpiece Interview with analysts during Gartner's ITXpo in Orlando, Ballmer went as far as suggesting data from security clearing house CERT supported his controversial assertion that Windows was subject to fewer vulnerabilities than popular Linux distros, such as Red Hat.

According to Ballmer, four critical vulnerabilities were discovered in the first 150 days after the release of Windows 2003, compared with 17 found in the same time following the release of Win2000.

"The first 150 days of Red Hat 6, go check the number, just go check the number. It's five to ten times higher than what we are showing," Ballmer said.

But vulnerabilities in Red Hat include flaws with the applications that run and top of the distro as well as the distro itself, so Ballmer has latched onto a misleading comparison. In absolute terms, the number of Microsoft security alerts is decreasing. But this doesn't tell the whole story either, as the seriousness of particular problems and how widely they are exploited are not taken into account.

Blame game

Academics believe that the security of open and closed source platforms to be roughly equivalent. Sysadmins says that patching Windows for security updates is more problematic than is the case with Linux. Despite this, Ballmer continues to find fault with open source security.

"There's no roadmap for Linux. There's nobody to hold accountable for security issues with Linux. There's nobody sort of, so to speak, rear end on the line for issues; it may or may not be an issue," he said.

And what of Microsoft's own Trustworthy Computing initiative, now approaching its second birthday? Ballmer admits that Redmond's effort to address patching issue are overdue but he points to the progress the company has made thus far.

"Since we embarked on what I might call the trustworthy computing release process, we've made dramatic strides; maybe not good enough, four critical vulnerabilities, still not good enough, but we've made dramatic strides," Ballmer said.

"We put a lot of effort and energy into improving our patching process, probably later than we should have and now we're just gaining incredible speed. Our patching process needs to be more predictable, people want smaller patches, we need one simple installation process for patches, which we haven't had, we need rollback on patches, we need a more consistent patch policy, people want more predictability about when they come out, and people want better patch management tools."

"There's a whole set of things that people absolutely want and we've been raising our game," he added, referring to Microsoft's plans to provide improved "inspection and shield" technologies.

Security is 'top priority' for Redmond

Ballmer gave one of his strongest statements to date that giving people confidence in the security of Microsoft's products is "absolutely our top priority.

"We've got our best brains on it. We've told people anything we need to do - acquiring new technologies, people, approaches - we should put our heads down and go get that stuff done. And we're not going to let anything stand in the way.

"We understand this is an issue of customer satisfaction. It could slow down progress on IT for the whole industry."

The last remark is telling. Ballmer's sees security as a difficult stretch of water to be navigated or a roadblock to "innovation", not as a process that needs to be continual, with trade-offs made to manage risks within business requirements.

Gartner analysts correctly identified one of the key security problems Microsoft has yet to address. Whatever the compamy is doing now in terms of improving its code quality most of the problems ("probably 95 per cent") are from code that was written six, seven, eight years ago.

Ballmer was asked if Microsoft was going to rewrite some of this code over time or start over in a few years?

His reply was far from convincing: "There are some things that, in the 20-year time horizon, I'm sure we will redo, and perhaps others will as well," he said, before moving on to discuss new security models based on XML technology.

This is not good enough and touches the heart of the problem, namely the lack of compelling commercial incentives for Microsoft to improve older software.

A transcript of Ballmer's interview ishere. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Apple's OS X Yosemite slurps UNSAVED docs into iCloud
Docs, email contacts... shhhlooop, up it goes
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.