IT Wrestles with Microsoft Monoculture Myopia
By Ryan Naraine
September 10, 2006
When Microsoft announced in March 2006 that it would add code-scrambling
diversity to make Windows Vista more resilient to virus and worm
attacks, you could almost visualize a wry smile from Dan Geer.
Geer, a computer security guru with a doctorate in biostatistics from
Harvard University, lost his job as chief technology officer of
consulting company @Stake in 2003 after co-authoring a report that
blamed Microsoft's operating system monopoly and complex code base for
the frailty of the Internet.
Exactly three years later this month, Geer insists that the risks
associated with Microsoft's virtual monoculture remain the same, but a
quick glance at the future direction of the world's largest software
maker gives Geer a sense of "total vindication."
Indeed, three years ago on Sept. 24, Geer penned "CyberInsecurity: The
Cost of Monopoly," a 25-page report he co-authored with a who's who of
computer security experts, including celebrated cryptographer Bruce
Schneier and intrusion detection systems specialist Rebecca Bace.
The crux of the report was that software diversity was core to securing
The group cautioned that the only way to prevent "massive, cascading
failures" was to avoid the Windows monoculture.
"Because Microsoft's near-monopoly status itself magnifies security
risk, it is essential that society become less dependent on a single
operating system from a single vendor," the report said.
In many ways, Geer's report was prescient, as Microsoft has become a
huge target for hackers. Meanwhile, Microsoft has adopted some of the
tactics recommended to diversify code.
"In just under three years, the idea went from something you can get
fired for to a research priority for [the U.S. government] and a product
plan at Microsoft," Geer, of Cambridge, Mass., said in an interview with
"You look at what they're doing with randomizing Vista and all the signs
around virtualization, [and] it's real vindication for us."
He was referring to the addition of ASLR (Address Space Layout
Randomization) to Windows Vista, a security feature that randomly
arranges the positions of key data areas to prevent malicious hackers
from predicting target addresses.
The technique, known as memory-space randomization, will block the
majority of buffer overflow tricks used in about two-thirds of all worm
attacks and, even more importantly, will effectively create software
diversity within a single operating system.
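The per-process diversity described above can be checked directly rather than taken on faith. The following is an added example, not code from the eWeek article or from Microsoft: it parses two snapshots of a process's memory map in the Linux /proc/<pid>/maps format (used here as a stand-in, since the article concerns Vista and does not expose its layout), then reports which regions moved between runs and which stayed at a fixed address. The two snapshots, the path /opt/demo/app and the helper names are constructed for the example.

```python
# Added example (not from the eWeek article or from Microsoft): verify that the
# address-space layout of a program actually differs from run to run, which is
# the per-process diversity ASLR is meant to provide. Linux /proc/<pid>/maps
# format is assumed; both snapshots below are constructed, not captured.
import re
import subprocess
import sys
from typing import Dict, List

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed snapshot: first run of a hypothetical non-PIE binary /opt/demo/app
RUN1 = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/demo/app
00600000-00601000 rw-p 00000000 08:01 1234 /opt/demo/app
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7f3d9c000000-7f3d9c1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd2a9e1000-7ffd2aa02000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed snapshot: second run of the same binary
RUN2 = """\
00400000-00401000 r-xp 00000000 08:01 1234 /opt/demo/app
00600000-00601000 rw-p 00000000 08:01 1234 /opt/demo/app
00f11000-00f32000 rw-p 00000000 00:00 0 [heap]
7f81e3600000-7f81e37c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffc6b2d4000-7ffc6b2f5000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text: str) -> Dict[str, int]:
    """Map each named region (binary, libraries, [heap], [stack]) to its lowest base address."""
    bases: Dict[str, int] = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start = int(m.group(1), 16)
        name = m.group(4) or "[anon]"
        bases[name] = min(bases.get(name, start), start)
    return bases


def compare_layouts(first: str, second: str) -> Dict[str, bool]:
    """For each region present in both snapshots: True if its base moved, False if it stayed put."""
    a, b = parse_maps(first), parse_maps(second)
    return {name: a[name] != b[name] for name in a if name in b}


def fixed_regions(first: str, second: str) -> List[str]:
    """Regions whose base did not change: these remain predictable addresses for an exploit."""
    return sorted(name for name, moved in compare_layouts(first, second).items() if not moved)


def snapshot_live_process() -> str:
    """Spawn a fresh interpreter and return its own maps; run twice to compare real layouts (Linux only)."""
    out = subprocess.run(
        [sys.executable, "-c", "print(open('/proc/self/maps').read())"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Constructed data first, then a live comparison where /proc is available
    for region, moved in compare_layouts(RUN1, RUN2).items():
        print(f"{region:40s} {'randomized' if moved else 'FIXED'}")
    try:
        live = compare_layouts(snapshot_live_process(), snapshot_live_process())
        print("live fixed regions:", [r for r, m in live.items() if not m])
    except (OSError, subprocess.CalledProcessError):
        print("live check skipped: /proc maps not available on this platform")
```

In the constructed data the heap, the C library and the stack move between runs while the main image stays at 0x400000, which is the situation a defender should look for: any region listed as FIXED is one an exploit can still target with a hardcoded address. On Vista the same caveat applies to images that were not linked with the /DYNAMICBASE option, which do not get relocated, so the diversity the article describes only covers code built to opt in.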
Despite wide recognition that software diversity is important, progress
is slower than expected.
Ten days after the Geer report garnered publicity, the U.S. House of
Representatives held a hearing that included an interrogation of the
Department of Homeland Security on the subject of monoculture, and the
National Science Foundation, an independent federal agency, pumped
$750,000 into a study on cyber-diversity for computer systems as a way
to fend off malicious viruses, worms and other cyber-attacks.
The result? Despite all that talk, the DHS remains a Windows shop and
Microsoft's flagship operating system still commands a whopping 97
percent share of the desktop security market. Businesses dabble with
alternatives such as Linux but remain tethered to Windows. Why?
Despite the initial hubbub over the report, businesses are betting that
the costs associated with diversification are greater than the returns
from implementing technology that could be more secure yet potentially
harder to manage.
"We haven't changed much. I'd argue that we're at even more risk today
than we were in 2003," said Schneier, chief technology officer and
founder of Counterpane Internet Security, in Mountain View, Calif. "We
have a culture of ignoring serious warnings until it's way too late."
Schneier, who did stints at the Department of Defense and Bell Labs,
said the monoculture risk exists beyond the desktop. "Windows has pushed
into mobile devices, into embedded systems, into noncomputer CPUs. The
threat of that cascading failure is even truer today," he said.
Even though the argument made in the report remains as valid as ever,
diversity has been elusive because, as Schneier put it, "monoculture is
attractive because it is cheaper."
"It's hard and it's expensive [to diversify]. Yes, it's less secure, but
you only have to support one thing when you embrace monoculture. It
always boils down to economics," he said.
Geer said there are two options available to government and enterprise
security systems: Embrace monoculture and get consistent risk management
because everything is the same, or run from monoculture in the name of
"Today, we're relying on picking up the pieces," Geer said, adding that
it's much cheaper for a CEO to invest in anti-virus, anti-spyware,
anti-spam and patch management solutions.
"We've committed all our eggs to a basket named 'patch management,' or
we're looking to virtualization to help wipe and reinstall after
[malware] infection," he said.
For Andre Gold, director of information security at Continental
Airlines, monoculture and security became a hot topic in 2003 after the
SQL Slammer worm disrupted operations at the Houston air carrier.
"From a pure-play security perspective, we had to answer that question.
Do we want to diversify to keep things running when another attack came
along or stay with the monoculture and invest in securing it," Gold said
in an interview with eWeek.
"It came down to economics. It's not easy to click your fingers and say,
'Windows is a liability; let's just switch.' You soon realize you have
to spend even more to get specialized staff for each computing
environment," Gold said.
Several CISOs (chief information security officers) interviewed by eWeek
echoed Gold's sentiments, stressing that budgeting considerations always
play into security decision making.
"I can't spend my entire budget trying to diversify and not have
resources to secure them all. That's not practical," said one security
executive affiliated with a high-profile financial institution.
Gold's situation rings true for John Pescatore, an analyst at Gartner,
in Stamford, Conn. "The cost of ownership skyrockets because of
diversity," Pescatore said. "The economics says to standardize,
Pescatore said that the debilitating network worm attacks of 2003 and
2004 (Slammer, Blaster and Sasser) forced businesses to think seriously
about the monoculture risk but that the combination of Microsoft
security improvements, a predictable update release cycle and patch
management tools makes it "much cheaper to deal with a single platform."
Richard Stiennon, founder and chief research analyst at IT-Harvest, of
Birmingham, Mich., said the monoculture issue remains a front-burner
topic in his discussions with clients. "I always recommend different
platforms for different purposes, even with all the economic
considerations associated with that," Stiennon said.
"We have not done much to heed [Geer's] warning other than spend a lot
of money to protect the monoculture," he said.
However, there are signs of progress. Even today, beyond the desktop
operating system, Gartner's Pescatore said that there is more
heterogeneity in Internet-facing applications.
"Firefox continues to gain market share, and the Apache Web server has
higher market [share] than [Microsoft's] IIS," Pescatore said, arguing
that the threat landscape has changed significantly from the days when
malicious attackers were launching disruptive network worms.
As network administrators ponder the end of the worm era, for-profit
malware attacks have grown dramatically. According to information culled
from Microsoft's MSRT (Malicious Software Removal Tool), the biggest
threat on the desktop comes from bots and Trojans that hijack computers
for use in botnets.
David Cole, a senior director in Symantec's security response unit, in
Santa Monica, Calif., said his unit's virus hunters are seeing about 800
botnet command-and-controls daily, each commandeering as many as 25,000
infected machines. "The order of magnitude of the botnet problem is
immeasurable," Cole said in an interview.
Using Symantec's numbers, Geer estimated that more than 15 percent of
all desktop computers are controlled by malicious hackers.
"You can look at it two ways. We're not seeing worms because the
protections are getting better. Or, the people who were writing worms
have figured out they can own the machine forever and make money from
it," Geer said. "I think the botnet operators already have all they can
Given that businesses have been slow to diversify, security fully rests
with Microsoft's ability to secure Vista, and the early signs are
As part of an ambitious mission to make Vista the "most secure operating
system ever," Microsoft made a series of significant tweaks to help
thwart the spread of malware.
The most important change, called UAC (User Account Control), is a
default setting that separates standard user privileges and activities
from those that require administrator access, making it nearly
impossible for virus writers to execute harmful code in sensitive parts
of the operating system.
Microsoft also summoned the crème de la crème of the hacking community
to its Redmond, Wash., campus to launch simulated attacks against Vista
and implemented a new strategy called Windows Service Hardening that
aims to reduce the risk of wormable flaws through improved testing and
Independent security researchers, including some of Microsoft's harshest
critics, have given Vista's security makeover a big thumbs up. "There's
no doubt that Microsoft is trying to step up to the plate," said Rick
Fleming, chief technology officer at San Antonio-based security company
"They made huge strides with [Windows XP] SP2, and I think Vista will
push the envelope even more."
Dave Aitel, a staunch open-source advocate and vulnerability researcher
at penetration-testing company Immunity, of Miami, said he believes the
most vital security upgrades will come from advancements in computer
Aitel cited the NX (No eXecute) technology being built into chips from
Intel and Advanced Micro Devices that will effectively prevent code
execution within data pages such as default heaps, stacks and memory
John Quarterman, a risk management expert at InternetPerils who co-wrote
the report with Geer in 2003, was dismissive of any suggestion that the
Internet has become safer because of Microsoft's software security
"We have criminal entrepreneurs doing big, big business on the Internet,
using computers that are not secure. This is not rocket science; this is
an effect of the monoculture," said Quarterman in Austin, Texas.
Rebecca Bace, another co-author of the monoculture warning, said she
sees Microsoft's aggressive push into virtualization technology and gets
the feeling that the company "is coming around."
Citing a recent Gartner report that predicted Vista will be the final
version of Windows in the current, monolithic form, Bace said it's clear
that Microsoft understands that virtualization can help to break the
"They're now saying, 'Perhaps this is a way we can defend ourselves,'"
said Bace in Scotts Valley, Calif.
Cyber-insecurity: Then and now
Three years ago, a report, "CyberInsecurity: The Cost of Monopoly,"
was released. Here's a look at what the report concluded and what has
* Then: "Most of the world's computers run Microsoft's operating systems,
thus most of the world's computers are vulnerable to the same viruses
and worms at the same time."
* Status: No progress. The world still runs Microsoft, and the malware
* Then: "Because Microsoft's near-monopoly status itself magnifies
security risk, it is essential that society become less dependent on a
single operating system from a single vendor if our critical
infrastructure is not to be disrupted in a single blow. The goal must
be to break the monoculture."
* Status: Slow going. Technology executives are dabbling with Linux, but
the monoculture is here to stay.
* Then: "A monoculture of networked computers is a convenient and
susceptible reservoir of platforms from which to launch attacks."
* Status: Status quo. That convenience of one platform means less
management expense. So far, companies are going with lower costs over
* Then: "Governments must set an example with their own internal policies
and with the regulations they impose on industries critical to their
societies. They must confront the security effects of monopoly."
* Status: Little progress. Capitol Hill hearings and studies into
"cyber-diversity" haven't prodded the government to change its
reliance on Windows.
Source: "CyberInsecurity: The Cost of Monopoly"; eWEEK reporting