Many businesses and home users have decided to skip Windows Vista and wait for Windows 7. Vista's security improvements have been only minor and incremental. Some fundamental changes need to be made to avoid the same mistakes with Windows 7.
There is a lot Microsoft can do to help make its Windows 7 operating system a commercial success. Jason Hiner offered his opinion on how it can do so in Sanity Check: Five things Microsoft has to do for Windows 7 to succeed, and I have my own opinions on the matter as well.
To go beyond immediate commercial success, and deliver on its promises of a genuine, effective focus on security, Microsoft must do more than just appeal to the masses. It must give its operating system design, development, and management policies a complete overhaul. Only time will tell whether MS Windows 7 will meet those requirements, or be found wanting. Five such changes are described here:
- Use standardized, peer reviewed tools and protocols for all security related functionality. Microsoft has one of the best known "not invented here" cultures in the software industry. While Microsoft does use a lot of code that wasn't invented there, it never uses it unchanged and, when possible, buys out the creators before incorporating any of that outside software into what it sells. Even in the rare case that Microsoft uses something whose continued development it doesn't really control, the company takes on code that cannot be taken back, continues development internally, and changes its functionality in some often startling ways that usually break interoperation with other branches of the same code base — as in the case of adopted code like the BSD Unix network stack and MIT Kerberos. This contributes to much of Microsoft's security woes, as it then cannot really share advances with outside developers. It takes on a greater weight of code to maintain, and doesn't add in the additional, free development efforts that could come with it. Because of this, the security characteristics of its remote login tools, encryption functionality, and network protocol implementations has been suspect at best, essentially from day one. Leveraging the tremendous breadth and depth of peer reviewed, best of breed, well tested tools that can be had — freely, in most cases — is key to producing an operating system people can trust.
- Implement true, comprehensive, architectural privilege separation. Microsoft's operating systems have seen significant evolution over the years, from the early days of MS-DOS all the way to MS Windows Vista. Anyone can easily see that major changes have been wrought. One change that seems to happen over and over again is the addition of true privilege separation to the system architecture, protecting key parts of the system from unauthorized access by users who are supposed to be unprivileged. This "seems" to happen over and over again because it has not actually happened yet; some superficial changes are made that appear to address the problem of privilege separation, but by the time the next release of MS Windows hits the market the fact that privilege sepration was never really achieved in the interim has become common knowledge. For such a change to take place, Microsoft is going to have to let its attempts to maintain a stranglehold on how people use their computers slip a little bit, and stop looking for ways to allow Microsoft software to circumvent the security functionality of other Microsoft software.
- Start taking vulnerability patching seriously. Seven years is just too long for a severe vulnerability like the SMB flaw that was first discovered at least as long ago as March 2001. The fastest patch turnaround time for any Microsoft security fix was MS06-001, when Microsoft distributed a patch ahead of schedule only ten days after Microsoft officially learned of the vulnerability. The SQL Slammer worm, which brought much of the Internet to its knees in 2003, was patched by Microsoft long before it became a threat — but if the patches were applied out of the order in which Microsoft intended them to be applied, later patches would uninstall earlier patches, leaving your computer vulnerable (and Microsoft blamed the admins for not effectively patching their systems). Meanwhile, the standard for which Microsoft should be aiming is that of open source projects that routinely produce stable, effective security patches that don't break things in under a week — sometimes in a matter of hours. Before MS Windows 7 security can really be taken seriously by most security professionals, this is a serious problem area that must be addressed. Microsoft recently released a patch for MS Windows 7 pre-beta before the pre-beta was released, which looks like a good sign, but it may also be a one-time aberration. Only time, and attention to Microsoft's behavior in the near future, will tell.
- Don't let backward compatibility trump default security. It's understandable that Microsoft wants to support backward compatibility for its customer base, and I applaud the effort to ensure such compatibility in and of itself. That doesn't mean that misfeatures that compromise security should be allowed to trump default security, however. If something that can compromise security absolutely must be included, it should be a configurable option, and not the default setting. It should also not, under any circumstances, require fundamental compromise of the system's security on an architectural level. A related concern is that of the security of default settings in general — such as the unacceptably high number of unnecessary services running by default in a fresh install of MS Windows. I'd love to no longer have to write articles about things that should be turned off before you even think about connecting a network cable to your computer.
- Change the business model. Yes, really — this is, in fact, a security matter. Microsoft's security model is in essence a financial manifestation of the old security through obscurity fallacy. Not only is that a broken model, but chasing after the mirage of that kind of secured revenue creates a conflict of interest between revenue stream "security" and actual system security, to the detriment of the company's customer base. As the IT industry and software market continue to change in the next few years, the conflict of interest that represents will become even less defensible, because the "traditional" business model will become less and less viable. It's time to make a change. Windows 7 may not be the place to jump headlong into a new business model, but Microsoft definitely needs to make some bold strides in that direction at least. Jason Hiner is on the right track with his admonishment that Microsoft should make MS Windows 7 it's last shrink-wrapped OS. The alternative is to continue to damage Microsoft's reputation amongst home computing consumers and business customers.
Of course, if the last decade has proven anything about software marketing and security, it is that good, secure software design, vulnerability management policy, and other security concerns for software vendors are often of little importance in determining market share. An image of acceptable security seems to be easier to manufacture than actual security is to achieve, and Microsoft has met with great success in manufacturing such an image.
There are those who look past the shiny marketing facade, however, and will not simply take Microsoft's self-serving statements at face value. To satisfy their desire for security, Microsoft will have to do some things differently with Windows 7.