
Ballmer on why Windows is more secure than Linux

A trip to Disneyland


Microsoft chief executive Steve Ballmer yesterday defended the company's record on security, arguing that, contrary to popular opinion, Windows was easier to secure than its open source rivals.

During a showpiece interview with analysts during Gartner's ITXpo in Orlando, Ballmer went as far as suggesting data from security clearing house CERT supported his controversial assertion that Windows was subject to fewer vulnerabilities than popular Linux distros, such as Red Hat.

According to Ballmer, four critical vulnerabilities were discovered in the first 150 days after the release of Windows 2003, compared with 17 found in the same time following the release of Win2000.

"The first 150 days of Red Hat 6, go check the number, just go check the number. It's five to ten times higher than what we are showing," Ballmer said.

But vulnerabilities in Red Hat include flaws with the applications that run on top of the distro as well as the distro itself, so Ballmer has latched onto a misleading comparison. In absolute terms, the number of Microsoft security alerts is decreasing. But this doesn't tell the whole story either, as the seriousness of particular problems and how widely they are exploited are not taken into account.

Blame game

Academics believe the security of open and closed source platforms to be roughly equivalent. Sysadmins say that patching Windows for security updates is more problematic than is the case with Linux. Despite this, Ballmer continues to find fault with open source security.

"There's no roadmap for Linux. There's nobody to hold accountable for security issues with Linux. There's nobody sort of, so to speak, rear end on the line for issues; it may or may not be an issue," he said.

And what of Microsoft's own Trustworthy Computing initiative, now approaching its second birthday? Ballmer admits that Redmond's efforts to address patching issues are overdue but he points to the progress the company has made thus far.

"Since we embarked on what I might call the trustworthy computing release process, we've made dramatic strides; maybe not good enough, four critical vulnerabilities, still not good enough, but we've made dramatic strides," Ballmer said.

"We put a lot of effort and energy into improving our patching process, probably later than we should have and now we're just gaining incredible speed. Our patching process needs to be more predictable, people want smaller patches, we need one simple installation process for patches, which we haven't had, we need rollback on patches, we need a more consistent patch policy, people want more predictability about when they come out, and people want better patch management tools."

"There's a whole set of things that people absolutely want and we've been raising our game," he added, referring to Microsoft's plans to provide improved "inspection and shield" technologies.

Security is 'top priority' for Redmond

Ballmer gave one of his strongest statements to date that giving people confidence in the security of Microsoft's products is "absolutely our top priority.

"We've got our best brains on it. We've told people anything we need to do - acquiring new technologies, people, approaches - we should put our heads down and go get that stuff done. And we're not going to let anything stand in the way.

"We understand this is an issue of customer satisfaction. It could slow down progress on IT for the whole industry."

The last remark is telling. Ballmer sees security as a difficult stretch of water to be navigated or a roadblock to "innovation", not as a process that needs to be continual, with trade-offs made to manage risks within business requirements.

Gartner analysts correctly identified one of the key security problems Microsoft has yet to address. Whatever the company is doing now in terms of improving its code quality, most of the problems ("probably 95 per cent") are from code that was written six, seven, eight years ago.

Ballmer was asked if Microsoft was going to rewrite some of this code over time or start over in a few years.

His reply was far from convincing: "There are some things that, in the 20-year time horizon, I'm sure we will redo, and perhaps others will as well," he said, before moving on to discuss new security models based on XML technology.

This is not good enough and touches the heart of the problem, namely the lack of compelling commercial incentives for Microsoft to improve older software.

A transcript of Ballmer's interview is here. ®
