Risk
6/2/2010
02:06 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Windows Ban Prompts Microsoft Defense

Microsoft stands by its operating system insisting Windows' security leads the industry.

Google's decision to phase out Windows for its employees has prompted Microsoft to come to the defense of its operating system.

Following a Financial Times report on Monday that Google, as a security measure, now requires CIO approval for new Windows installations, Microsoft Windows communications manager Brandon Le Blanc published a blog post rebutting the Financial Times' claim that "Windows is known for being more vulnerable to attacks by hackers and more susceptible to computer viruses than other operating systems."

That's simply not the case, insists Le Blanc. "When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else," he said. "And it's not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others."




Image Gallery: 10 Drivers For Microsoft Surge In 2010
(click for larger image and for full photo gallery)
Indeed, Microsoft's investment in and commitment to security is widely acknowledged in the industry. The fact is that just about every substantial software application or operating system contains programming errors that may present vulnerabilities. Linux and Mac OS X have flaws, as do Google Chrome and Apple's Safari.

However, it's also fair to say that presently more malware targets Windows and Windows applications than the competition. That's because 90% or so of the world's personal computers run Windows.

"Mac and Linux are not more secure than Windows," said Mickey Boodaei, CEO of security company Trusteer, in an e-mailed statement. "They're less targeted. There is a big difference. If you choose a less targeted platform then there is less of a chance of getting infected with standard viruses and Trojans that are not targeting you specifically. This could be an effective way of reducing infection rates for companies that suffer frequent infections."

Abandoning Windows may provide security through obscurity in the short term, but security through obscurity ultimately is not enough. If cyber criminals choose to target Google specifically, as they did last year, there will be other vulnerabilities unrelated to Windows to exploit.

"In a targeted attack where criminals decide to target a specific enterprise because they're interested in its data assets, they can very easily learn the type of platform used (for example Mac or Linux) and then build malware that attacks this platform and release it against the targeted enterprise," explained Boodaei.

Even when technical flaws may prove hard to find, there are always people to dupe or subvert. People have always been vulnerable to clever social engineering tricks and will probably always be so. Fraud, bribery, and espionage motivated by nationalism predate the computer. Limiting the use of Windows at Google won't address those risks.

Google's decision to leave Windows behind had to happen, for marketing reasons if nothing else. A ban on Windows has the convenient effect of reducing the chance that incoming Google employees will choose to use an operating system other than Chrome OS, once it's released.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8921
Published: 2015-03-01
The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by c...

CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.