Feeds

Ballmer on why Windows is more secure than Linux

A trip to Disneyland

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Microsoft chief executive Steve Ballmer yesterday defended the company's record on security, arguing that, contrary to popular opinion, Windows was easier to secure than its open source rivals.

During a showpiece Interview with analysts during Gartner's ITXpo in Orlando, Ballmer went as far as suggesting data from security clearing house CERT supported his controversial assertion that Windows was subject to fewer vulnerabilities than popular Linux distros, such as Red Hat.

According to Ballmer, four critical vulnerabilities were discovered in the first 150 days after the release of Windows 2003, compared with 17 found in the same time following the release of Win2000.

"The first 150 days of Red Hat 6, go check the number, just go check the number. It's five to ten times higher than what we are showing," Ballmer said.

But vulnerabilities in Red Hat include flaws with the applications that run and top of the distro as well as the distro itself, so Ballmer has latched onto a misleading comparison. In absolute terms, the number of Microsoft security alerts is decreasing. But this doesn't tell the whole story either, as the seriousness of particular problems and how widely they are exploited are not taken into account.

Blame game

Academics believe that the security of open and closed source platforms to be roughly equivalent. Sysadmins says that patching Windows for security updates is more problematic than is the case with Linux. Despite this, Ballmer continues to find fault with open source security.

"There's no roadmap for Linux. There's nobody to hold accountable for security issues with Linux. There's nobody sort of, so to speak, rear end on the line for issues; it may or may not be an issue," he said.

And what of Microsoft's own Trustworthy Computing initiative, now approaching its second birthday? Ballmer admits that Redmond's effort to address patching issue are overdue but he points to the progress the company has made thus far.

"Since we embarked on what I might call the trustworthy computing release process, we've made dramatic strides; maybe not good enough, four critical vulnerabilities, still not good enough, but we've made dramatic strides," Ballmer said.

"We put a lot of effort and energy into improving our patching process, probably later than we should have and now we're just gaining incredible speed. Our patching process needs to be more predictable, people want smaller patches, we need one simple installation process for patches, which we haven't had, we need rollback on patches, we need a more consistent patch policy, people want more predictability about when they come out, and people want better patch management tools."

"There's a whole set of things that people absolutely want and we've been raising our game," he added, referring to Microsoft's plans to provide improved "inspection and shield" technologies.

Security is 'top priority' for Redmond

Ballmer gave one of his strongest statements to date that giving people confidence in the security of Microsoft's products is "absolutely our top priority.

"We've got our best brains on it. We've told people anything we need to do - acquiring new technologies, people, approaches - we should put our heads down and go get that stuff done. And we're not going to let anything stand in the way.

"We understand this is an issue of customer satisfaction. It could slow down progress on IT for the whole industry."

The last remark is telling. Ballmer's sees security as a difficult stretch of water to be navigated or a roadblock to "innovation", not as a process that needs to be continual, with trade-offs made to manage risks within business requirements.

Gartner analysts correctly identified one of the key security problems Microsoft has yet to address. Whatever the compamy is doing now in terms of improving its code quality most of the problems ("probably 95 per cent") are from code that was written six, seven, eight years ago.

Ballmer was asked if Microsoft was going to rewrite some of this code over time or start over in a few years?

His reply was far from convincing: "There are some things that, in the 20-year time horizon, I'm sure we will redo, and perhaps others will as well," he said, before moving on to discuss new security models based on XML technology.

This is not good enough and touches the heart of the problem, namely the lack of compelling commercial incentives for Microsoft to improve older software.

A transcript of Ballmer's interview ishere. ®

The next step in data security

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.