Practical Technology

for practical people.

Why Windows security is awful


A friend of mine suggested that I should include as boilerplate in my security stories, a line like: “Of course, if you were running desktop Linux or using a Mac, you wouldn’t have this problem.” She’s got a point. Windows is now, always has been, and always will be insecure. Here’s why.

First, desktop Windows stands firmly on a foundation as a stand-alone PC operating system. It was never, ever meant to work in a networked world. So, security holes that existed back in the day of Windows for Workgroups, 1991, are still with us today in 2009 and Windows 7.

Most of these problems come down to Windows has IPCs (interprocess communications), procedures that move information from one program to another, that were never designed with security in mind. Windows and Windows applications rely on these procedures to get work done. Over the years they’ve included DLLs (dynamic link libraries), OCXs (Object Linking and Embedding (OLE) Control Extension), and ActiveX. No matter what they’re called, they do the same kind of work and they do it without any regard to security.

Making matters worse is that they can be activated by user-level scripts, such as Word macros, or by programs simply viewing data, such Outlook’s view window. These IPCs can then run programs or make fundamental changes to Windows.

It also doesn’t help any that Microsoft’s data formats can be used to hold active programming code. Microsoft Office formats are commonly used to transmit malware. Microsoft’s latest Office 2010 tries to deal with this by blocking all but read access to documents or ‘sandboxing’ them.. Since you can’t edit a sandboxed document, I’m sure that’s going to go over really well. Of course, what will actually happen is that users won’t use the sandbox utility, and they’ll just spread malware instead.

This data format ‘functionality’ and easy ‘application-to-file-to-application’ IPC is in Windows because it makes it simple for Windows programs to share data. That’s great in a stand-alone PC when you may want to have your PowerPoint chart automatically change to reflect the new information in an Excel spreadsheet. But, that same power is a permanent security hole in a PC that’s hooked up to the Internet.

Besides that, Windows, again harking back to its single-user, stand-alone ancestry all too often defaults to requiring the user to run as the all-powerful PC administrator. Microsoft has tried to rid Windows of this, with such attempts as UAC (user account control) in Vista. They’ve failed. Even in Windows 7, it’s still easy to bypass all of UAC’s security. Microsoft has claimed they fixed some of those bugs.

In addition, there are other problems like Windows 7’x XP mode, which bypasses all the improvements made in Vista and Windows 7. Again, it all comes down to all of Windows security improvements amounting to being just layer over another of security over its fatal single-user, non-networked genetics.

That’s why Linux and Mac OS X, which is based on BSD Unix at its heart, are fundamentally safer. Their design forefathers were multi-user, networked systems. From their very beginning, they were built to deal with a potentially hostile world. Windows wasn’t. It’s really that simple.

On top of all that is the reason that Windows apologists always give: Windows is more popular so it gets attacked more often. That’s true. But, so what? You’re still going to get hacked.

For you, as a user, running Windows means that your PC will be attacked on an almost daily basis. Hacked Web sites, spam carrying malware, it’s almost all meant for little old you and your Windows PC. Even with constant patching and added security programs, you’re always going to be in danger of having your PC hijacked.

In short, to return to the beginning, Windows security is now, always has been, and always will be, bad. If you want a secure computer, you’ll be better off trying with either a Linux desktop or a Mac. Like it or lump it, that’s just the way it is.

A version of this story first appeared in IT World.