[This was originally published on attrition.org.]
Infoworld broke a story on Microsoft’s plans for waging a public relations war against “linux” over taking too long to fix security vulnerabilities. The article by Kieren McCarthy outlines Microsoft’s planned smear campaign against its biggest rival, Linux, currently dubbed “Days of Risk”.
With the decision to smear Linux in the media, Microsoft has once again validated the open source operating system as competition, despite repeated attempts in the past to boldly claim “Linux is not competition”. In the last few years, Microsoft has begun to lose high dollar customers such as the Norwegian government and the city of Munich, who are turning to alternate solutions such as Linux.
McCarthy’s article along with Microsoft’s recent behavior once again prove that while they claim security is important, they are oblivious to the steps required to achieve security. Misguided policy, diversionary tactics and wasted money are leading the company down a perilous road that the software giant is all too familiar with, a road leading to insecure software and lack of customer trust. While touting “trustworthy computing initiative”, Microsoft’s actions tell us of their real agenda, and it has nothing to do with their customers enjoying a secure operating system. Reading the Infoworld article, many points and comments stand out and deserve more attention.
In a sign that the inroads made by the Open Source community are starting to rattle the software giant, Microsoft has hired several analysts to review how fast holes are patched in the open source software and is expected to announce that Windows compares favorably.
The fact that Microsoft has to pay analysts to study an issue and make a point almost speaks for itself. With large companies such as Gartner and the Meta Group routinely doing studies on various aspects of computing, there should be no need to hire analysts to make or support a point. Given the blurry nature of defining an operating system, rating the severity of vulnerabilities and comparing two disparate operating systems in any capacity, such studies are easy to manipulate in order to produce results that support your argument. When the reports are finally shrunk down into news fragments, the entire study has lost all meaning and relevance and becomes a glorified product advertisement.
More distressing is the amount of money Microsoft is choosing to waste on the pursuit of futile goals when the money would be more suited to auditing and securing their products. Consider that Microsoft recently offered up to a $5,000,000 dollar bounty for information leading to the arrest and prosecution of malicious code writers behind the Blaster and SoBig worms. This new bounty program was immediately questioned by anti-virus companies. The money being spent on pocket analysts and worm writer bounties could be better used to hire security companies that specialize in source code auditing, which would eliminate vulnerabilities in Microsoft products.
The strategy, called “Days of Risk,” measures the number of days it takes programmers to release a public patch after a vulnerability is revealed. While high-profile holes in Linux and associated software tend to be swiftly dealt with, less prominent problems — which could be just as potentially damaging — can take weeks or even months to appear.
The most glaring contradiction in this mindset comes in the form of Microsoft’s recent announcement that they will release their own security bulletins on the second calendar Tuesday of every month. This new policy instantly produces a potential 30 day window of risk for any vulnerability they announce. Despite this large window of risk, Microsoft sees this as acceptable so as not to inconvenience administrators already beleaguered by countless security patches. Even more disgusting is the fact that a 30 day window would be an improvement over current “windows of risk”, since Microsoft takes months to address security vulnerabilities.
Perhaps the most ironic part of this campaign decrying Linux “for being slow to address patching vulnerabilities” is that this news article circulated to over 40,000 information security professionals on various mail lists within 24 hours of Microsoft Security Bulletin 03-051 which lists “Public disclosure on November 11, 2003” and “Discovered and advised to Microsoft January 30, 2003”. This vulnerability allows malicious users to remotely execute commands on Windows 2000 and Windows XP machines, and has been present for over 10 months while Microsoft struggled to remediate the problem.
For those who think this may be an isolated case, think again. Thor Larholm of PivX Solutions maintained a page summarizing every publicly reported vulnerability in Microsoft Internet Explorer that had not been patched. The page (recently removed, but mirrored locally) showed 31 unpatched security vulnerabilities in Internet Explorer as of September 11, 2003. More disturbing is that some of these unpatched vulnerabilities affecting millions of users date back to June 6, 2000: over three years ago. The “window of risk” Microsoft creates for their customers is extremely negligent. With the demise of Thor’s well documented page, Liu Die Yu has begun to carry the torch and set up a new page to monitor unpatched vulnerabilities. Fortunately for Microsoft customers, there are only 22 unpatched vulnerabilities as of November 11, 2003.
Microsoft Chief Executive Officer Steve Ballmer is known to have made security a top priority. Last week, the company announced a $5 million reward program aimed at bringing virus writers to justice. Although it is unlikely to reap any tangible results, the message was clear: Microsoft is taking security seriously.
Unfortunately for Ballmer, his message was not as clear as he imagined. Offering money to catch virus writers diverts the public’s attention from the real matter, that of Microsoft’s insecure software that shows no sign of improvement over the last decade. Paying to catch the bad guys while ignoring the problem of insecure software is no different than a pharmaceutical company selling drugs that treat symptoms of a disease while ignoring or not divulging their cure to the disease. The bounty does make several other messages clear to us: Microsoft is taking their reputation seriously, bounty programs are cheaper than end user education, and they value free press.
And at the end of October, Ballmer gave the audience at Gartner’s autumn symposium a taster of what was to come when he attacked Linux’s assumed security superiority. “In the first 150 days after the release of Windows 2000,” he said, “there were 17 critical vulnerabilities. For Windows Server 2003, there were four. For Red Hat Linux 6, they were five to ten times higher.”
Given time, some security professionals could write an entire book outlining the fallacies in this paragraph. Ballmer is once again engaging in a clever set of lies, self serving definitions and statistic mangling to suit his purpose. Looking past this blatant spin doctoring, you will find Ballmer’s comments deceitful and unfounded.
The first and most obvious question is where Ballmer gets his figure that Red Hat 6 had 85 to 170 “critical” vulnerabilities. The only way to make such a claim would be through huge assumptions and redefining “critical”. While there may have been up to 170 bugs reported in Red Hat 6, a majority of them certainly were not deemed “critical”, a designation usually attributed to vulnerabilities that allow easy remote access to a machine. When we read of “critical” windows vulnerabilities, they almost always entail default Windows installations being vulnerable to glitches that allow remote attackers to gain full administrative control of the machine. In the world of Linux, these are known as “remote root” bugs. Red Hat 6 was most certainly not vulnerable to even a fourth as many “critical” vulnerabilities as Ballmer claims.
Another fact that Microsoft spokespeople tend to conveniently overlook is that most Linux distributions offer the user choices. When you purchase a copy of Red Hat, you are getting the core operating system (which is fairly minimal by definition) along with thousands of software packages that let you customize the machine to your liking. This often means that instead of getting a single web server (like IIS and Windows), you get a choice between a dozen different web servers. Instead of one email client (like Outlook and Windows), you get to choose from a dozen or more programs such as ‘pine’ or ‘elm’. Just because the user has these options does not mean they are all installed and running. If we read about a “critical” vulnerability in these various web server or e-mail client packages, they don’t necessarily apply to “Red Hat Linux” unless the end user has installed and configured them. To attribute these vulnerabilities to Red Hat is akin to attributing vulnerabilities in Oracle, Citrix, ICQ, PeopleSoft, MS Office, and Adobe Acrobat all to Windows.
The most amusing point of Ballmer’s comparison is between Red Hat 6 and Windows 2003. Red Hat 9 was offered to consumers in March of 2003, while Red Hat 6 was made available around October 1999. Compare this to the belated “Windows 2003,” which was made available some time after April, 2003. Comparing Red Hat 6 to Windows 2003 is comparing apples to automobiles.
Dates and vulnerability numbers aside, we must remember that Microsoft is a multi-billion dollar company while Red Hat wasn’t much more than a large hobby at the time of the Red Hat 6 release. If one were to compare the R&D money spent fixing holes and providing patches for security vulnerabilities between Red Hat and Microsoft, I would hazard a guess Microsoft would drop this as an argument of product superiority.
He also questioned the notion that the open source’s community approach to fixing problems was superior to Microsoft’s. “Why should code submitted randomly by some hacker in China and distributed by some open source project, why is that, by definition, better?”
This may seem like a justifiable concern at first glance, but one has to question Ballmer’s choice in ethnicity of this fictitious evil hacker. Certainly Microsoft of all companies shouldn’t fear the Chinese, since they made source code for the Windows operating system available to the Chinese government. Some question if the bigger threat comes from the Chinese government who may now have unpublished remote vulnerability information for Windows products, or the mythical hacker that may provide code for a linux distribution.
If one were to make an educated guess as to why Ballmer chose the Chinese for his example, one wouldn’t have to dig deep. One of the more embarrassing incidents involved a Chinese written worm dubbed the “Code Red worm” that infected a Microsoft web server dedicated to Windows Updates. As John Leyden of the Register said, “The fact that the Windows Update site, which provides a portal to product updates and security patches along with advice on critical updates, wasn’t itself up to date with the latest security patches is richly ironic.” This doesn’t address a more gruesome scenario of a clever attacker altering the software pushed out to millions of Microsoft customers.
The more devastating source of this Chinese hostility most assuredly stems from the compromise of the Microsoft internal network in late 2000. Subsequent reports suggested that the intruders responsible for this “deplorable act of industrial espionage” were from China. The attackers enjoyed over sixty days of access to the most sensitive parts of Microsoft’s internal network before being detected. Despite conflicting reports from Microsoft employees, it became clear that the attackers were able to access source code to the Windows operating system. Sources close to the investigation of this incident and other more recent internal compromises suggest the intruder was not only Chinese, but likely government sponsored.
However, Microsoft is thought to have pulled out all the stops to prove its security case. That means it should have something more tangible than the questionable reports it has sponsored in the past in an attempt to show Windows has a comparable or lower total cost of ownership than Linux.
As McCarthy points out, Microsoft is not new to paying analysts for favorable reports. In the early months of 2002, a little known think tank named Alexis de Tocqueville Institution (ADTI) released a report titled Opening the Open Source Debate. This lead to an ADTI press release making the grave claim Open Source Software May Offer Target for Terrorists and threw around terms such as “terrorists” and “national security”. In an article exposing this report, Richard Forno goes on to say “Contrary to the promise of the press release, the actual document spoke very little about the role of open source software in the fight against terrorism. However, it did do a magnificent job as a thirty-three page marketing brochure extolling the business value of closed-source, proprietary software.” Shortly after ADTI’s paper was released, security professionals world wide questioned why a think tank that had never published a paper on such a topic suddenly came forth with this “research”. Michelle Delio of Wired dug into the relationship between ADTI and Microsoft and found “.. that Microsoft provides funding to the Alexis de Tocqueville Institution.“
The ADTI report was not the first in which Microsoft paid for favorable results. A company named Mindcraft released a report claiming Windows NT Server 4.0 outperformed Linux in several tests. According to Mindcraft’s page, the company provides the following service: “With our custom performance testing service, we work with you to define test goals. Then we put together the necessary tools and do the testing. We report the results back to you in a form that satisfies the test goals.” So with Mindcraft working hand in hand to develop the tests and shape the results with the paying client (Microsoft), it is to be expected that the results came out as they did. Fortunately for us, Linux Weekly News did further research into this study and found a wide variety of discrepancies that can easily account for the posted results.
Traditional wisdom teaches us not to throw stones if we live in a glass house. Microsoft however, seems to cast this advice aside, no doubt thinking that with their money and power they can always buy a new house and find a think tank to publish a paper on why throwing stones is actually better than the alternatives.