[TriLUG] [ISN] Microsoft prepares security assault on Linux (fwd)

Dan Monjar daniel.monjar at na.biomerieux.com
Wed Nov 12 14:00:43 EST 2003 


---------- Forwarded Message ----------
Date: Wednesday, November 12, 2003 06:16:06 AM -0600
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Cc:
Subject: [ISN] Microsoft prepares security assault on Linux

http://www.infoworld.com/article/03/11/11/HNmsassault_1.html

By Kieren McCarthy
Techworld.com
November 11, 2003

Microsoft Corp. is preparing a major PR assault over Windows'
perceived security failings in which it will criticize Linux for
taking too long to fix bugs, we have learned.

In a sign that the inroads made by the Open Source community are
starting to rattle the software giant, Microsoft has hired several
analysts to review how fast holes are patched in the open source
software and is expected to announce that Windows compares favorably.

The strategy, called "Days of Risk," measures the number of days it
takes programmers to release a public patch after a vulnerability is
revealed. While high-profile holes in Linux and associated software
tend to be swiftly dealt with, less prominent problems -- which could
be just as potentially damaging -- can take weeks or even months to
appear.

Microsoft's aim is to undermine critics and place a question mark over
Linux's security by revealing that, on average, Windows poses less of
a security risk. By turning attention away from its own software bugs
while at the same time launching several security initiatives, it
hopes to be able to tackle one of main worries business has with its
proprietary operating system.

Windows security is a club constantly used by Linux advocates to beat
Microsoft over the head -- made all the more relevant following the
extremely damaging Blast worm and SoBig virus that spread rapidly
thanks to vulnerabilities in Microsoft's software.

Microsoft Chief Executive Officer Steve Ballmer is known to have made
security a top priority. Last week, the company announced a $5 million
reward program aimed at bringing virus writers to justice. Although it
is unlikely to reap any tangible results, the message was clear:
Microsoft is taking security seriously.

And at the end of October, Ballmer gave the audience at Gartner's
autumn symposium a taster of what was to come when he attacked Linux's
assumed security superiority. "In the first 150 days after the release
of Windows 2000," he said, "there were 17 critical vulnerabilities.
For Windows Server 2003, there were four. For Red Hat Linux 6, they
were five to ten times higher."

He also questioned the notion that the open source's community
approach to fixing problems was superior to Microsoft's. "Why should
code submitted randomly by some hacker in China and distributed by
some open source project, why is that, by definition, better?"

A spokeswoman for Red Hat was undaunted by the prospect of a full
frontal security assault by Microsoft however. "We just don't have
viruses," she told us. "Our problems are located and fixed more
proactively. Because the source code is open, we find there is a patch
before there is even a problem."

She also denied there was an issue of professionalism: "We have dozens
of Fortune 500 customers we have to report to. We would never let a
bug go unfixed."

However, Microsoft is thought to have pulled out all the stops to
prove its security case. That means it should have something more
tangible than the questionable reports it has sponsored in the past in
an attempt to show Windows has a comparable or lower total cost of
ownership than Linux.

"There is always some assertion by Microsoft," the spokeswoman told
us. "And its example is always on a very small part of Linux. But when
you look at Linux as a whole, it is very reliable and our customers
considerable it superior."

Microsoft failed to respond to our questions, although its law and
corporate affairs spokeswoman told us that she didn't think the
company intended to launch a security attack on Linux and that it
would be "odd" if the company used strong comparative information to
state its case. It would be more odd if it didn't.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo at attrition.org with 'unsubscribe isn'
in the BODY of the mail.

---------- End Forwarded Message ----------



-- 
Daniel Monjar
IS Manager, Technical Services
bioMérieux, Inc.
Durham, NC US
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://www.trilug.org/pipermail/trilug/attachments/20031112/b7d6f5ba/attachment.pgp>

More information about the TriLUG mailing list