Is Microsoft Windows Insecure by Design?
Microsoft's Ongoing Battle
Windows users have grappled with security challenges for the past two decades. These include the Chernobyl virus and Back Orifice Trojan attacks in the 1990s and the Nimda and Blaster worms and the Sobig virus in the early 2000s. The resurgence of Back Orifice 2000 and the 2024 nation-state attack by Midnight Blizzard are stark reminders of the persistent nature of these issues.
Windows: A Perpetual Security Battle
Since Windows began in 1985 as Windows 1.0, an extension running on top of MS-DOS, the platform has been known for its vulnerability to viruses and other security threats. Even though malware didn't even exist when Microsoft started with MS-DOS, the company has been constantly battling security issues in Windows ever since. MS-DOS initially supported a maximum of 1MB of RAM and 16-bit processors, but the transition to 32 bits allowed Windows to address up to 4GB of RAM. Windows 9x added support for long filenames, but with limitations. The transition to the NT platform brought native NTFS filesystem support, providing advanced permissions and a built-in security model.
Although seemingly more secure alternatives such as Unix and Linux desktop operating systems are available, Microsoft has consistently worked to improve Windows's security. The main challenge is that Windows was not initially designed for network environments but as a standalone PC operating system.
The Development
MS developers at Redmond may claim to have rewritten the Windows code from the ground up to improve its security, but years of evidence suggest otherwise. Even after 37 years, the same security issues from the pre-internet era persist, highlighting the ongoing battle to strengthen Windows's security.
The infamous Internet Explorer (IE) was retired in June 2022 and replaced by Microsoft Edge. So why were all Windows versions still vulnerable to an IE attack in late 2022? Wasn't IE removed from Windows 11? Regardless of your Windows version, the IE engine is still present and still capable of running JavaScript attacks.
Introducing Patch Tuesday
The Nimda worm's rapid spread in 2001, which exploited vulnerabilities in Windows and other software, catalysed a more efficient system for distributing security patches. Microsoft had been releasing updates on an ad-hoc basis, making it challenging for IT departments to plan and deploy them; it responded to the Nimda attack by instituting a predictable release schedule for security patches and updates. Since its inception on October 15, 2003, Patch Tuesday has become a regular event, effectively managing security updates and patches for Microsoft products.
Never-Ending Security Patches
According to Dark Reading, Microsoft patched 147 CVEs in April this year, the largest number of CVEs patched in a month since it began tracking this data in 2017. The last time more than 100 CVEs were patched was October 2023, when Microsoft addressed 103 CVEs. The previous high was July 2023, with 130 CVEs patched. Microsoft then released security updates for 61 vulnerabilities in its May 2024 Patch Tuesday rollout, including two zero-day vulnerabilities and one Critical vulnerability. This constant stream of security patches underscores the ongoing and urgent nature of Microsoft's security challenges.
No Real Change
BeyondTrust reported that the Windows Desktop and Server categories are the primary sources of critical vulnerabilities. This is understandable, as they share a similar codebase, reflecting the ongoing development of the Windows NT kernel. When Microsoft blocked Office macros by default, we saw the shift from macros to MS Office exploits. According to HP Wolf Security, in Q4 2023 at least 84% of attempted intrusions involving spreadsheets and 73% involving Word documents aimed to exploit vulnerabilities in MS Office applications. Macro-enabled attacks still exist, leveraging cheap commodity malware like Agent Tesla and XWorm.
Continuing Pressure
Cybersecurity teams responsible for Microsoft systems are under constant pressure to adapt to rapidly changing cybercriminal tactics. They must stay ahead of new attack strategies while also considering factors such as AI, generative AI, geopolitical dynamics, changing regulatory compliance requirements, and the growing ransomware threat. Additionally, these teams are often understaffed and overworked, which affects their ability to make sound judgements when handling complex security issues.
So why Microsoft?
The prevailing theory is that Windows is the primary target for cyber-attacks because of its extensive usage. Nevertheless, millions of individuals also use Mac OS and Linux, creating a substantial market for legitimate software developers. Authors of viruses and worms rarely target these systems; although this is changing as attackers turn to Mac OS and Linux, Windows remains the more vulnerable target.
Is it the Final Nail?
Microsoft reported that in January, a Russia-backed group called Midnight Blizzard gained access to emails and sensitive information from top executives and federal agencies. In April, a report revealed that Microsoft had failed to prevent a 2023 hack of its Exchange Online environment, resulting in the theft of 60,000 State Department emails. The Cybersecurity and Infrastructure Security Agency recently issued an emergency directive for federal agencies to secure their networks and Microsoft Azure accounts. Critics argue that these events reflect Microsoft's disregard for product security and practices, and many have concluded that the company, which has dominated the market for decades, ignored years of warnings about security practices that fail to meet even the most basic standards. Microsoft's competitors are lining up to take advantage. The potential impact on Microsoft's market dominance is a significant concern, highlighting the gravity of the situation.
“The malware landscape has evolved tremendously, while the Windows Operating System is stuck with its basic design and ever-more complex bolt-ons.” Alex Shipp, Imaginer
Final Thoughts
Microsoft has to support a massive range of software across various hardware configurations, a commitment known as 'backwards compatibility'. Whilst each new version of Windows occasionally breaks older software, in general Microsoft puts a considerable amount of work into ensuring that older software in the wild can still run on modern versions of Windows. However, as users, we are left with systems that have accumulated what we call 'bloatware': software that has grown in size and complexity over time, often through the addition of unnecessary features and dependencies.
This bloated software creates maintenance and security challenges. As the codebase expands with unnecessary features and dependencies, its dense structure hides security flaws, making vulnerabilities harder to identify, maintenance more difficult, and the integration of essential security updates slower. In today's rapidly evolving threat landscape, these delays are particularly risky, and they must be addressed promptly to mitigate the risk. At the same time, extensive testing is crucial to ensure that patches do not disrupt existing functions or introduce new issues, yet that testing must not itself delay the security updates. Delayed security patches expose the software to known threats, leading to data breaches, system failures, or unauthorised access to sensitive information, with severe consequences for the software and its users. The urgency of optimised continuous integration and deployment (CI/CD) practices to bridge this security gap cannot be overstated.
Addressing these issues is both a necessity and a responsibility that falls on the developers. They should prioritise code quality, minimise unnecessary features, and meticulously manage dependencies in software design; by leveraging automated testing and deployment tools within a CI/CD framework, they can streamline the update process and significantly strengthen the software's defences against cyber threats.
Having said all that, Microsoft is not the only culprit in this "bloatware" scenario; many large tech companies are guilty of the same.