The Huge Hidden Cost of Microsoft Software

June 30, 2009

Posted by: Glyn Moody


Yesterday I wrote about a report from ACT that brought up the issue of TCO for free software.

As I pointed out there, it's old news that free software has costs; but what is more interesting is the fact that fans of the proprietary world always fail to point out the huge hidden costs of using poorly-written closed-source software. Here's a great demonstration of my point:

The ‘Conficker worm’ caused chaos when it hit Manchester town hall in February. Now we can reveal the bug cost the council more than £43,000 in ‘lost’ bus lane fines.

The computer problems meant 1,609 tickets could not be issued within the 28-day legal limit - rendering them useless.

In total, the Conficker worm cost taxpayers in Manchester nearly £1.5m, the M.E.N has learned.

A £1.2m bill in the IT department, including £600,000 getting ‘consultancy support’ to fix the problems, which included drafting in experts from Microsoft;

£178,000 in extra staffing costs across the town hall – including £169,000 going to clear up a backlog of benefits claims and council tax bills;

Compensation payments due to delays in processing benefit claims.

A few things to note here.

The first is that once more the word “Windows” isn't mentioned anywhere in this story: it's as if Conficker were some medieval plague that affected everyone when, of course, it is only visited upon those foolish enough to put their trust in Microsoft. This is a reflection of poor reporting throughout the industry, and the effectiveness of Microsoft's brainwashing that such infections are just an inevitable part of life like death and taxes.

Talking of Microsoft, note too how Microsoft was actually paid for helping to fix the problem it caused. This is truly extraordinary: there can't be another industry where you get rewarded for making mistakes and causing pain and chaos to your customers.

Finally, the sum involved, £1.5 million, would easily have paid for Windows to be ripped out and replaced with something safer, like open source software. As Mark Taylor, who knows a thing or two about the subject from practical experience, points out in a tweet:

We could *migrate* Manchester for less than £600k! What a heinous waste of taxpayers money proprietary software is...

So all the supposedly devastating arguments about the “secret” TCO of GNU/Linux are totally nullified by failing to recognise this far more massive but rarely-mentioned cost of using Windows and other Microsoft software, which remains one of the greatest scandals in computing today.

Follow me @glynmoody on Twitter or identi.ca.

Comments received

Justan Admin said on Tuesday, 30 June 2009

So if they had applied the security patch available back in October they wouldn't be paying anyone to 'clean up'.

Glyn Moody said on Tuesday, 30 June 2009

@Justan: well, part of the problem is keeping up with the flood of patches...

Ian Jones said on Tuesday, 30 June 2009

Justan Admin ought to know that every time you patch you risk busting something elsewhere in your operation. People aren't stupid. Patches don't get applied because IT administrators or are lazy. They aren't applied because they risk screwing up your day-to-day business systems. There must be a better way. I don't think open source is a guaranteed way to improved security because as cybercrime becomes more focussed on high value targets, open source systems and products will get the same unwelcome attention as Microsoft products. The fix might be quicker coming through community collaboration, but damage will be done.

Glyn Moody said on Tuesday, 30 June 2009

@Ian: I'm not suggesting that open source is a panacea, but at least it possesses the virtue of being a rich ecosystem: part of the problem with Microsoft's products is that they are a monoculture, which makes them more vulnerable to catastrophic infections.

Ian Jones said on Tuesday, 30 June 2009

Fair point

Mauricio Sougarret said on Tuesday, 30 June 2009

So in Open Software you don't have patches? And if you have them they don't screw up my production systems?

Glyn Moody said on Tuesday, 30 June 2009

@Mauricio: certainly, there are patches. But they are applied transparently. If anything goes wrong, you can undo the mess (modulo enough hacking skills). You can't do that with closed code. You just have to wait, and hope the next patch solves the problem (or re-install...)

what the? said on Tuesday, 30 June 2009

So, you are claiming that the only platform affected by malware is Windows?? Sounds like a one-eyed view.
Think about what the malware would be targeting if another OS had 90% market share. Now go look at the patches released for Windows compared to Ubuntu, RHEL and even MacOSX for the last 2 years. Windows had the least number and severity of flaws. To claim that Microsoft is responsible for a customer not applying good practice to managing, patching and securing their environment is ridiculous and irresponsible journalism. If they rolled out another OS, didn't patch it or secure it and got owned, would you be advocating they toss that out too?
What you may be missing is that the council is very unlikely to suffer such a compromise again, and Microsoft or their partners probably spent most of their time on process and capability to reduce the risk of recurrence, or are you suggesting they went in and re-coded Windows to make it somehow more secure? Sheesh...

Glyn Moody said on Tuesday, 30 June 2009

The analyses that purport to show that open source has more and more serious flaws than Windows are based on apples and oranges comparisons: distros typically come with hundreds of programs, and *all* flaws are included in these analyses. It's a skewed comparison, just like the TCO ones.

And as for the old canard that it's just because nobody uses open source, consider Apache: it still runs over 60% of the public Internet, which makes it the prime target for crackers. Do we have the kind of catastrophic problems that Windows suffers from? I don't think so.

The problem is Windows: it's a program that has been patched together from early DOS days, Win 3.1, Win95 and beyond so many times that it is simply insecure. I've been writing about Microsoft for nearly 30 years now, so I've seen the evolution of Windows close up. It's not pretty.

Phil Martin said on Tuesday, 30 June 2009

@Anonymous: You cannot compare just the number of updates between Windows and Linux in order to figure out which one is more problematic.

Linux distributions deal with each issue separately which increases considerably the total amount. With Windows, Microsoft issues accumulative updates, concealing the true number of vulnerabilities.

The base Linux system covers significantly more software than Windows does, increasing the attack surface. To get the true number for Windows, you need to factor in the vulnerabilities of third-party tools that a typical user would have.

Albert said on Tuesday, 30 June 2009

Hi Sheesh..

Why should I think about what the malware would be targeting if another OS had 90% market share?

In fact the nature of Windows is different from Linux. The fact that there is a huge market share for Linux in servers reveals that there is no such risk as you mentioned. Think of Google using Linux by millions of people around the world, it works, nothing happens.
Why?

Bernard Swiss said on Tuesday, 30 June 2009

There is a considerable difference between
(a) pro-active searching out -- and promptly fixing -- even small, potentially or theoretically exploitable flaws, and
(b) tardily addressing known, significant security flaws, often only after they are publicized, and sometimes only after that flaw has been actively exploited on large enough a scale that dismissing it as a minor issue is no longer tenable.

Greg Eames said on Tuesday, 30 June 2009

Anybody looking for a good laugh go here http://www.microsoft.com/windows/internet-explorer/get-the-facts/browser-comparison.aspx

For the follow up on the good laugh go here http://lifehacker.com/5296936/microsofts-browser-comparison-chart-offends-anyone-whos-ever-used-another-browser and a quote from linuxtoday.com at http://www.linuxtoday.com/n "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted...Gene Spafford."

Windows is the only operating system and company that will install software onto your machine that will make it more vulnerable to malware. Look up oneclick on the net and see what you find for the fans of Microsoft. This particular piece of software was installed on all Windows machines that have automatic updates enabled. Useful for developers and such at large companies AND ANY MALWARE AUTHOR that wants to infect your machine.

Dennis Muczak said on Tuesday, 30 June 2009

"Think about what the malware would be targeting if another OS had 90% market share."

@what the?: The malware would target... Windows. Even in segments where Windows has a minority share, it is the only system regularly hacked and busted in trivial ways. Linux easily makes up for the vast majority of internet facing devices - so tell me, where are the virii?

Tom Mathews said on Tuesday, 30 June 2009

About the medieval plague. I read or heard somewhere that during the Black Death, the Jews didn't get it. Everybody else suspected a conspiracy. Hundreds of years later they figured out that the Jews, who were required to live in the ghettos, were diligent about separating themselves from their garbage. The plague was carried on fleas which were carried by rats, who went to where the garbage was. We can also separate ourselves from the cyber-garbage.

rich said on Tuesday, 30 June 2009

People assume that, because when you're a single user on a single machine you deal with a single license, a single license is simple enough to manage. When you deal with many licenses, as in proprietary software, that implies a way to keep track of them, a license tracking system. That means more software to install, more complexity. And the software management system needs a management system of its own when you're at the enterprise level. More people should be made aware of this.

Some Guy said on Tuesday, 30 June 2009

As Linux runs most of the internet, and is installed on millions of desktops around the world, it is obvious that someone would have a lot to gain by trawling these machines for useful data (credit card numbers mainly). But it hasn't happened yet. Why not?

Or, how about this? An active piece of malware targeting Linux operating systems. Name one.

Anybody?

Microsoft trolls, please refer to Feynman before posting this pathetic meme again.

"Reality must take precedence over public relations, for nature cannot be fooled."

kthxbi

Alan said on Tuesday, 30 June 2009

Your particular example can be debated as to whether it's Microsoft's fault or not, but the point stands that when people talk about the "cost" of FOSS they often talk as if the same hidden costs don't exist on proprietary software. It's assumed that people drop out of the womb knowing how to install, use, repair, and maintain Microsoft or other proprietary software, whereas they'll require inordinate amounts of training and consulting monies to use FOSS as effectively. Silly.

Dilbert Cartoon said on Tuesday, 30 June 2009

http://joeindie.com/blog/?p=50

Ted said on Tuesday, 30 June 2009

This article is biased. The assumption that open source software doesn't have bugs, or fewer bugs than proprietary software. The assumption that open source software is more secure and trustworthy than proprietary software, and Microsoft's products in particular.

I am not opposed to people/cities/governments using open or closed software. People are free to choose. Reporting like this is counter-productive. The cost differences between open/closed software are different. The argument that people would not have to pay for bug/system fixes from open source software is also misleading. You get the level of service written into the contract. If you do not have a contract then you are left to fix the issue yourself. If you can find someone to fix it for you for free then great - Free Labor. Odds are you will want something more consistent and confident and will have to sign a contract with some entity/experts to fix any issues uncovered.

Lee Ball (http://www.leenukes.co.uk) said on Tuesday, 30 June 2009

Manchester is my home town, it's a shame that despite having the first Linux Distro ever (well done Owen, I'll remind you again next time I see you) and having the first LUG ever, we get into the free software news due to Conficker and Microsoft. Oh dear.

Yonah said on Tuesday, 30 June 2009

"consider Apache: it still runs over 60% of the public Internet, which makes it the prime target for crackers. Do we have the kind of catastrophic problems that Windows suffers from?"

Consider not using comparisons that are invalid. Apache is an application that runs on multiple Operating Systems. Windows is an entire Operating System, not an application. Not to mention the security threats a web server at the hands of a technician faces are vastly different from that of a desktop system operated by your mother-in-law.

Glyn Moody said on Tuesday, 30 June 2009

@Yonah: OK, I'll rephrase things. Consider the Apache/GNU/Linux stack, which runs most of the public Web servers, which makes it a prime target for crackers: do we have the kind of catastrophic problems that the IIS/Windows stack suffers from?

Glyn Moody said on Tuesday, 30 June 2009

@Ted: I'm not making assumptions about bugs, I'm making (justified) assumptions about the malware that feeds off them. The fact is that there are relatively few worms and viruses in the GNU/Linux world; that may be due to fewer bugs, it may be due to faster patching, or other factors. It doesn't matter: my argument is that using Windows has this extra cost of cleaning up that GNU/Linux doesn't.

Bernard Swiss said on Wednesday, 01 July 2009

In their monthly tabulation of malware to be found in the real world (aka "in the wild") Wildlist.org used to tabulate Linux malware in a separate section titled "Other", but that section appears to have been long discontinued for lack of use.

Yea Apache is really secure LOL said on Wednesday, 01 July 2009

http://www.bing.com/search?q=apache+servers+defaced&form=IE8SRC&src=IE-SearchBox

http://news.cnet.com/Apache-site-defaced-in-embarrassing-hacker-attack/2100-1001_3-240174.html

http://www.wired.com/politics/law/news/2000/05/36170

http://matt.bottrell.com.au/archives/192-Tightening-up-public-Apache-web-servers.html

http://drupal.org/node/213320

http://www.securiteam.com/securitynews/5MP031P1FG.html

And make sure you dont upset Boycott Novell LOL said on Wednesday, 01 July 2009

Don't ask them any hard questions, because the cult leader and perpetual student (leech) Roy will ban you. We all know he can't answer real questions about his precious cult of Novell, anything that gets in the way of his hatred (and in getting a job). He runs away from like a scared little boy.

Ok Roy, if you know all the answers why don't you have the balls to stand up to a fair debate on the subject?

(I know why, you're scared and you have to "protect" your cult of devout followers.)

Roy when you get out of school and find out what the real world is like I hope then you find out why most think you are a waste of oxygen.

Phil said on Wednesday, 01 July 2009

Jeremy Clarkson will love the loss of the bus lane revenue ;o)

Henry said on Wednesday, 01 July 2009

Why don't they say it was Microsoft's problem? Why do they hide it? Open source is better because trash code can not hide.

Alexander Patrakov said on Wednesday, 01 July 2009

IMHO, there are two problems here.

1. Admins didn't roll out patches because they (maybe validly) assumed that they can break production software

2. Admins could not verify or disprove their assumption because they had no test setup. And that's the main problem.

Jorge said on Wednesday, 01 July 2009

I guess FUD exists on both sides. This is some horrible spin you put on the facts. Even as a Linux user, I can see the obvious bias here.

First, the reason Windows wasn't mentioned was not because of some irresponsible reporting. It was not mentioned because it is just assumed it is Windows, because 1 it's by far the most used OS, and 2 most people don't even know alternatives exist.

Second, Microsoft did not "create" the problem, they merely created a platform that certain groups of people choose to exploit. Granted, Windows wasn't built as secure as it could have been, but when it was created, it was a different world.

It's articles like this that make all of us who choose to use a different/better OS look bad. Microsoft has MANY faults, you don't have to make up any. (True Story)

Glyn Moody said on Wednesday, 01 July 2009

@Jorge: it seems to me you are arguing against yourself. If most people don't know that alternatives exist, and assume that everything is Windows, then a good journalist should point out that this is not the case, especially when there are good reasons for using those alternatives. If they don't, people believe that computing is inherently flawed, and don't start demanding something better.

And I don't see how it could be anyone else but Microsoft that created security weaknesses in its platform. Yes, the people that exploit them bear the responsibility for doing so, but Microsoft could and should have done a better job - as it has been promising to do for years.

You say when Windows was created it was a different world, but Unix - the basis for GNU/Linux - was created even before, and still managed to build in security from the early days.

Rae said on Wednesday, 01 July 2009

What about the lost productivity of non user-friendly open source software? If the average worker can't use a polished and professional OS effectively, how will they use a kludgy one? Also, the only reason Windows is such a virus target is because of its ubiquity; if open source software had the foothold that Windows does, you can be sure there'd be lots of viruses for it too. Whatever the OS, defects ARE a part of life and technology. The whole ordeal just sounds like poor IT management.

Glyn Moody said on Wednesday, 01 July 2009

@Rae: which non-user friendly open source did you have in mind? Ubuntu? Firefox? OpenOffice.org? As for the point about market share, see my comment above referring to the Apache/GNU/Linux stack.

Ron Wilhoite said on Wednesday, 01 July 2009

Another hidden cost I rarely see mentioned is the difference between keeping a Windows computer updated versus a Linux or *BSD computer. One or two commands on a Linux/BSD computer updates everything (I think Macs may work the same way). With Windows, you have to update Windows itself, Office, Java, Adobe, and any other piece of software you have installed; or your company is paying in time and money to have the infrastructure in place to do this for you. End users get update fatigue and often either click "Yes" to anything (including fake antivirus notices) or "Later" because they don't know if "Java update available" is real.

Glyn Moody said on Wednesday, 01 July 2009

@Ron: the "fatigue" factor is an important point. In the end you just give up and acquiesce to everything...

sudo apt-get a clue said on Thursday, 02 July 2009

Reality: the only reason Manchester was cornholed by Conficker is pure negligence. Had the daft gits patched, they wouldn't have suffered. And don't give me that "flood of patches" BS. Month over month there are far more patches for glaring vulnerabilities in *nix systems than in MS products.
Yet the MS market share on the desktop in particular is so far dominant to anything Linux-like that it's really beyond compare. Why? Because your average maroon has a hard enough time opening his browser on a Windows box let alone having to unbugger some ill-coded, QA-lacking "project" managed app on a *nix host.
So please, go play hide the mouse with your stuffed penguin plushy and give this lame argument a rest.

Apexwm said on Wednesday, 05 August 2009

Many companies are still wasting tons of cash on proprietary software. Commercial and proprietary software has had these problems for years. It's time for companies and individuals to realize that Linux wins against Windows, hands down. I've been a systems admin for over 12 years, I've used Windows and Linux side by side during that entire time. Which do I choose? Linux. Why? Because it's safer, more secure, way more stable, and has countless fewer maintenance headaches than Windows. So the choice is clear for me. I use Linux for my personal business and at home, and I couldn't be happier.

http://members.apex-internet.com/sa/windowslinux
