When the US Army announced earlier this month that it was moving its Web sites to the Mac operating system (OS) from Windows NT because of major security breaches, confidence in Microsoft software's security capability appeared to hit rock bottom.
Of particular concern to technologists are NT, Internet Explorer (IE) and Hotmail, all of which had major security holes publicised in the past few weeks.
Now Microsoft and its critics are at polar ends of a debate about how significant and avoidable Microsoft's security problems are. Critics believe Microsoft unnecessarily sacrifices security for functionality. Microsoft officials say the company gives customers what they want -- ease-of-use and more features. Microsoft also says that its software is as secure as anyone else's but that hackers attack it more and journalists publicize its breaches more because of Microsoft's high profile.
The controversy outlines the issues for Microsoft's business customers, who must decide whether they are happy trading security for functionality, should pressure Microsoft for tighter default security settings, or dump Microsoft products and move to products that are more secure, as the Army did.
Not Just Hegemony
Without question, Microsoft's dominance in the OS market plays a big part in the security-breach headlines. The sheer number of Microsoft users makes the company a target for hackers, both increasing the chances that security flaws will be discovered and heightening the virus's impact.
Many experts, analysts and hackers believe Microsoft's hegemony isn't the only problem. They say the software simply has too many interfaces that malicious programmers can exploit.
"There are so many holes in the Microsoft environment that any (worthy) hacker ... is going to figure out how to break in," says Anne Thomas, a senior analyst at the Patricia Seybold Group, in Boston, echoing the sentiments of experts contacted for this article.
COM Opens the Door
Among the top Microsoft technologies that experts say lead to security problems is the Component Object Model (COM) specification for running application components on multiple platforms.
For instance, Thomas says that COM's integration with Microsoft Word allowed the prolific Melissa virus to spread as quickly as it did in March.
Specifically problematic are ActiveX controls. Java applets minimise security violations by executing in a "sandbox" -- a secure area of the computer that isolates applets and keeps them from damaging files. In contrast, ActiveX controls rely on the applet being signed by the creator, whom the user will, ideally, know and trust.
The most dangerous ActiveX controls are those that are preinstalled, because they run without digital signatures. These controls can automatically launch when a user goes to an HTML page or clicks on an e-mail attachment. Programmers can use them to run programs on a user's computer, read system files, and create files, among other things, according to Richard M. Smith, a security expert and president of Phar Lap Software, a Cambridge, Massachusetts-based company that makes real-time OSes for embedded systems.
"I don't think anybody right now, frankly, has a handle on the scope of the (ActiveX) problem," Smith says.
Experts generally agree that Microsoft works hard to correct problems once they are publicised. The company has released an average of two to three security patches a month over the past year, Smith says.
But Smith also suspects that most Microsoft users probably have not downloaded the patches because there are so many of them. Within the past year, Microsoft's IE has had 10 separate bugs that enable code in messages to read files, while Netscape Navigator has had only one bug, he says.
Insecure By Default
Two related factors that come under heavy criticism are macros in Microsoft Office products and the default installation security settings for Windows NT, which leave users vulnerable unless they change the settings to a higher security level.
Critics contend that Microsoft's lax default settings endanger users. Eric Schultz, director of Microsoft Content for SecurityFocus (www.securityfocus.com), says Windows NT's default installation can let hackers obtain blank administrator passwords, disable security policies, and break through weak permissions over critical system files.
Tweety Fish, a member of the Cult of the Dead Cow (CDC) hacker group, says macros in Microsoft Word can run any DOS executable code and access any system function.
"(The macros pose) a massive security hole, and for Microsoft to claim anything else is a specious marketing spin," Tweety Fish says.
Scott Culp, security product manager for Windows NT Server at Microsoft, argues that Microsoft allows users to configure their software to give them a balance of functionality and security.
For instance, users can disable macros and ActiveX controls, and a new security patch for Office lets users choose whether to allow Office documents to launch automatically when they're hosted on Web sites, Culp says.
"We don't force anybody into a particular stance," Culp says. "We provide tools to allow you to make that decision."
Some users agree with Culp.
"Microsoft is providing us with tools that will help us, but at the same time, we as consumers are not taking the responsibility ... to learn the basics about using this stuff," says Russ Cooper, editor of the NT Bugtraq mailing list (www.securityadvice.com).
But experts argue that Microsoft has a responsibility to provide better default security, even if it takes more time and money to develop products with greater security.
"Setting the default to 'dangerous' doesn't work in any other industry," says Bruce Schneier, author of Applied Cryptography and founder and chief technology officer of Counterpane Internet Security, in Minneapolis, Minnesota.
Additional problems stem from tight integration between Microsoft's applications and its OS and loose administration control in the OS, which allow applications and macros to execute other programs.
Also, experts say hidden and/or undocumented APIs give hackers backdoors into Microsoft applications and are not subject to public scrutiny.
Microsoft prides itself on the tight integration of its applications with its OS -- a matter that sparked an antitrust lawsuit by the U.S. government. Although this integration allows users to easily work between the programs, it also makes it easy for flaws in one application to affect the entire system, according to Avi Rubin, a principal member of the technical staff at AT&T Labs, in Florham Park, New Jersey, and author of The Web Security Sourcebook.
"The fact that Word macros can access an Excel database and Excel files can launch other programs with a 'call function' " in Outlook, for example, creates a hacker-friendly environment, Rubin says.
Part of the problem is Microsoft's use of so-called "hidden" APIs, which are kept secret from third-party developers, Rubin says. These allow Microsoft developers to take shortcuts, but they lead to security problems because they aren't as highly scrutinized as public ones, Rubin says.
Hacker Tweety Fish accused Microsoft of historically implementing "horribly insecure" APIs. "Both BackOrifice and BO2K (BackOrifice 2000) were built using standard Microsoft APIs," he says. "If these APIs were open to public scrutiny, I doubt such terrible ideas as WNetEnumCachedPasswords, which cheerfully reveals all cached passwords on the system, would exist."
Microsoft's Culp does not categorically deny that the company uses hidden APIs, but in general, he argues that integration is necessary to give advanced products to users.
"Microsoft doesn't believe that the way to provide security is to make our applications incompatible with each other," Culp says. "That's not what our customers want. They want seamless integration."
Tightly integrated applications can still be secured, Culp says. For example, Office 2000 macros can be disabled or allowed to run automatically only when digitally signed.
At least one user agrees. "I would much rather have the control here than have Microsoft saying, 'You can't do anything until you change something,'" says Ty Simone, IS manager at Onsite Sycom Energy, an energy service company in Carlsbad, California.
Yet another security criticism is Microsoft's implementation of the Point-to-Point Tunneling Protocol, which enables the extension of corporate networks via private "tunnels" over the Internet. It is still vulnerable to offline password-guessing attacks from hacker tools such as L0phtcrack, according to Counterpane Internet Security's Schneier.
Windows 2000, Better or Worse?
Although denying that the integration, default settings, macros and hidden APIs pose a significant security risk, Microsoft says that developers are rewriting much of Windows 2000's code, as they did for NT, which should help make Windows 2000 more secure.
For instance, in Windows 2000 Microsoft is using security standards such as the Kerberos protocol, putting the software to heavy testing, including specific attempts to break into it, Culp says.
But Schultze of SecurityFocus predicts that security problems with Windows NT and its predecessors will pale in comparison to security issues that will arise with Windows 2000, which will be much more complex. "There will be more opportunities for things to go wrong," he says.
For instance, Schultze says that Windows 2000 defaults to enable multiple encryption-authentication schemes -- including LanMan, which he says is easy to decrypt. Users must disable any schemes they don't want to use, and the chances that administrators won't tighten systems up are great, he says.
Greener Grass Elsewhere
So, how do the Windows alternatives fare? Dr. Mudge of Boston-based hacker group L0pht Heavy Industries says that Mac OS X add-on programs may be just as vulnerable as Windows. "However, a quick look would imply that the core OS might be much more secure than NT's core components," he says.
The new Mac OSes are really BSD 4.4 (Unix) and Mach memory systems. Both have been around for decades and most of their security flaws have been fixed, Dr. Mudge says.
The most secure platform "out of the box" is OpenBSD, because security is a focus on the project, says hacker Tweety Fish.
"It is not perfect; no OS is, but with OpenBSD, you can guarantee that security is their first priority," Tweety Fish says.
The favored underdog, Linux, is considered experimental at this point, but it may end up giving NT the first good run for its money, according to Winn Schwartau, founder of Security Experts, a consultancy in St. Petersburg, Florida, and author of Information Warfare. Most of his clients -- which include governments, NATO, and other multinational organizations -- use Unix now, he says.
Open-source operating systems are more easily secured than closed-source systems such as NT "because there are more people doing more work to find the holes, and it's easier for researchers to develop patches for exploits they find," Tweety Fish says.
Turning Big Red
Users who want to stick with Microsoft can take heart in the fact that the company often adopts its competitors' best practices.
Borrowing a technique from the open-source community, Microsoft put a Windows 2000 test server online for users to hack. The system has held up, although it got off to a rocky start and was down for several days after lightning hit a router.
But experts agree, the security situation will only improve if Microsoft consumers demand more security in products or place a stake in the ground by switching to Microsoft's smaller competitors.
"Certainly there's been a change in Microsoft in the last two years to do things with far more security in mind," says NTBugtraq's Cooper. "The reality is they're doing it to an extent that consumers will tolerate and to an extent that consumers will demand."
(Elinor Mills Abreu (firstname.lastname@example.org) is a staff writer at The Industry Standard, an InfoWorld affiliate, in San Francisco.)