Risk
6/2/2010
02:06 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Windows Ban Prompts Microsoft Defense

Microsoft stands by its operating system insisting Windows' security leads the industry.

Google's decision to phase out Windows for its employees has prompted Microsoft to come to the defense of its operating system.

Following a Financial Times report on Monday that Google, as a security measure, now requires CIO approval for new Windows installations, Microsoft Windows communications manager Brandon Le Blanc published a blog post rebutting the Financial Times' claim that "Windows is known for being more vulnerable to attacks by hackers and more susceptible to computer viruses than other operating systems."

That's simply not the case, insists Le Blanc. "When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else," he said. "And it's not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others."




Image Gallery: 10 Drivers For Microsoft Surge In 2010
(click for larger image and for full photo gallery)
Indeed, Microsoft's investment in and commitment to security is widely acknowledged in the industry. The fact is that just about every substantial software application or operating system contains programming errors that may present vulnerabilities. Linux and Mac OS X have flaws, as do Google Chrome and Apple's Safari.

However, it's also fair to say that presently more malware targets Windows and Windows applications than the competition. That's because 90% or so of the world's personal computers run Windows.

"Mac and Linux are not more secure than Windows," said Mickey Boodaei, CEO of security company Trusteer, in an e-mailed statement. "They're less targeted. There is a big difference. If you choose a less targeted platform then there is less of a chance of getting infected with standard viruses and Trojans that are not targeting you specifically. This could be an effective way of reducing infection rates for companies that suffer frequent infections."

Abandoning Windows may provide security through obscurity in the short term, but security through obscurity ultimately is not enough. If cyber criminals choose to target Google specifically, as they did last year, there will be other vulnerabilities unrelated to Windows to exploit.

"In a targeted attack where criminals decide to target a specific enterprise because they're interested in its data assets, they can very easily learn the type of platform used (for example Mac or Linux) and then build malware that attacks this platform and release it against the targeted enterprise," explained Boodaei.

Even when technical flaws may prove hard to find, there are always people to dupe or subvert. People have always been vulnerable to clever social engineering tricks and will probably always be so. Fraud, bribery, and espionage motivated by nationalism predate the computer. Limiting the use of Windows at Google won't address those risks.

Google's decision to leave Windows behind had to happen, for marketing reasons if nothing else. A ban on Windows has the convenient effect of reducing the chance that incoming Google employees will choose to use an operating system other than Chrome OS, once it's released.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.