Security Affecting Microsoft's Bottom Line

kidlinux writes "The Globe and Mail has an article discussing the impact of viruses and security flaws in Windows. Apparently Microsoft has bounties out on virus writers. 'The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent.' The effects of various worms and security issues are becoming visible in financial terms - having to deal with the security issues keeps Microsoft from closing new deals, and governments and businesses are starting to look at the alternatives, such as Linux. 'For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model.'"

About. Bloody. Time!

[hbo]

Truth and Justice cannot be forever denied!

Seriously, now is when we find out which model of software development really is more secure. Results like these will energize Microsft's management to try and address security even more forcefully. My money is on FOSS, but we'll actually get to see how it plays out in the real world.

Re:Maybe that's why they coneived .NET

[JVert]

Using .net doesn't eliminate your exploit capabilities, it places your vulnerabilities in their hands. Things like this can be patched but as they add more features they will add more flaws. Suddenly MS's ability to prove secure code is more important. If .net has an issue, all applications written with it will have an issue.

Re:For Pete's sake

[BuckaBooBob]

Its more the Corprate Market they are worried about... You know the Corps that buy preinstalled machines and then change the OS to thier corp standard so they have paid for multiple licences...

If the Corp world switches from MS products people will start learning and wanting to use the same in thier home environment so a migration will start toi occur.. This will take a long time.. but its a threat that needs to be dealt with from MS's perspective...

For the most part... People hear Linux is more secure and is making up alot of ground on MS's products.. But they don't see it first hand... once they are exposed to it.. the likely hood of a user switch is greater once they are exposed.

I am glad MS is starting to feel threats poping out at them from many angles.. I hope it continues as well... They are attacking the the symptoms of the problem.. not the problem itself... I am sure after a while they will realise that its cheaper and easier to fix thier secuirty model than to use the legal system to fix thier problems for them.

Re:Maybe that's why they coneived .NET

[leerpm]

Well, managed code (both .Net and Java) protects against most of these errors. Array bounds and most types of naughty input crashing the application are protected against in .Net and Java. What it doesn't protect against, is stupid programmer errors like SQL Injection attacks.

Re:Yes, but

Stop with the silliness. Mandrake 9.2 was the only distro where it happened to my knowledge, because the code causing it isn't even in the main kernel tree. Also, it was a standard ATAPI command - yes, useless for the regular CDROMs that were affected, but that is irrelevant - which triggered a self-destruct BUG in the drives' firmware.
Please correct me if I'm wrong with anything.

Re:They really are far overreacting about this.

[IANAAC]

Think of a PDA/Laptop combo. Thinking about tabletPC? What OS is on that?

Not just MS products: http://www.lycoris.com/products/tablet/
Think of a games console. Thinking Xbox? What OS is on that?

Actually, I wasn't thinking of XBox at all. If PS2 and the Gamecube didn't exist, I may have, though.

VIRUSES is the correct spelling

[spineboy]

There is no such word as virii.
The computer usage of this word stems from the medical word virus and the correct pluralization is VIRUSES - Dorlands 28th ed Medical dictionary.
No doctor that I know uses the word virii..we all use viruses.

Re:It's the home users...

[ericman31]

Please show me this "properly designed network", that allows an unpatched Active Directory domain and blocks traffic on RPC ports.

I've been hearing this bit of FUD for a while now about how it's not Microsoft's fault. If only all of these incompetent network and system administrators would patch their systems and maintain their firewalls how there wouldn't be any problem.

Well, I'm here to tell you that I work for an organization with about 1500 employees. We process over a hundred million transactions annually in our systems. Our average system administrator or network engineer has about 7.5 years of experience in the IT industry, our security staff (I'm the security director) has an average of 9 years of IT industry experience. Except for the Windows administrators (our office automation network is Windows based), everyone comes from either a Unix or mainframe or both background. We know what we are doing, have a very good network and well maintained servers and appropriate security levels.

And every damn Windows virus/worm that comes along impacts us, even our mainframes and unix boxes. Why? Cause the stupid things propagate with attack vectors that are ridiculous. Root exploits in a web browser or via an email message and you don't even have to execute the damn thing? RPC worms with multiple attack vectors (browser, file shares, mail, RPC)? Local user exploits using html pages and scripts that can bypass web browser security settings and then execute arbitrary code!

It doesn't matter how well built your network is, if you are not running it like an NSA network, with no connectivity to the outside world, no email, no web browsing, no nothing, these damn Windows attacks are going to get in and cost money. I've lost more than a thousand work hours this year to dealing with SQL Slammer, MS Blaster and SoBig. Even if I got rid of all the Windows systems in my network, I'd still have a problem because the attacks would continue, and continue to affect me, although only at the boundaries, which would be better. Except for all the crap the mail servers have to deal with.

Re:Why is patching systems so hard?

[seb249]

Actually the MS patches do break 3rd party applications fairly often. Eg I have personally had an NT service pack break the exchange server that was the back end to the company PABX. Not good when the company's main business is Call Centre. One of the other issues i have is that quite often these patches require a reboot. On systems where you are contractually obliged to have 99.9% uptime, you have to schedule the reboot - with our clients we have to give 7 days notice. For this reason we have just about completed moving all our critical services to linux boxes. At least when you have to patch a service you dont need to reboot just restart the service. Seb

The real cost of Microsoft software...

[zerofoo]

For every microsoft platform we deploy, we need to purchase centralized anti-virus software, proxy server filtering software, auditing software, intrusion detection software....and the list goes on and on.

Granted, we have never had a hack related outage, because we keep up with patches and anti-virus updates, but the added cost of the security packages certainly does eat into our budgets.

In a k-12 school, we run many 3rd party apps that don't run on Linux, so we really can't switch to that yet (think desktop...not server). We are, however, really considering migrating slowly to OS X to avoid the added "security software tax" that comes with the Microsoft products.

-ted

M$ Security killed a competitor

[ducomputergeek]

I am a tech consultant and we had a client that ran a number of kiosk based advertising and application specific content. He had one competitor in the area with a slightly different product that did basically the same thing. Both ran Kiosk software ontop of Windows 2000 pro. Last spring we switched our client from windows 2000 to the linux based firecastOS since 90% of his special content was written in Flash and Java.

Well this past spring and summer, he said he saw a drop in service calls by an amazing 85%. Those remaining calls were either hardware or the three windows boxes he had to maintain because of that customer demanded it, they owned the kiosks, he just provided service so he was making money on the service call.

When the "Work of the Week" started, the other guy lost at least 30 customers that switch to using our client because they were getting complaints from their ISP that their boxes were being used in DDOS attacks from the competitor's product. In last week business journal, our client's competitor has filed for chapter 11.

Now, chances are they were having cash flow problems, the manufacture of their product is also having problems, however I know that our client has been able to undercut his competor by 20% in price because and he is still reporting increased profits of 10% after slashing prices. That's how much his TCO has lowered on service calls in the last nine months.

I know in our consultancy that using Apples with OS X have lowered our costs and increased productivy over Windows dispite their higher initial cost. Why? most of our units are about 4 - 5 years old and are now in use by administrative staff and going stong. That, and we make about $400 a week from the company on the second and fifth floors for fixing their computers.

Re:Perhaps

[Detritus]

UNIX, by contrast, was designed from the start to exist in communication with other computers.

UNIX was designed to be a timesharing system, a bunch of teletypes and dumb terminals plugged into a minicomputer. UUCP, which isn't real-time networking, was added later. Support for TCP/IP was grafted on to UNIX years later, in the VAX era.