Image Image Image ImageImage
Creative Services for
Roughly Drafted
Daniel Eran

Image Image

Five Architectural Flaws in Windows Solved In Mac OS X
Flaw 4 - No signal of privilege escalation

An administrator in Mac OS X can act as root by authenticating. When a user installs an application that requires special privileges, they are prompted to enter an administrative password. This also reminds the user that they are delegating important security privileges to that application.

That level of trust is not required unless an application needs to install background services that run as privileged daemons, or installing to system level folders such as /Applications or /Library.

Not only is it excessively difficult to run Windows as anything but an administrator (as noted in the previous point), but once logged in as an administrator, Windows users are not prompted to authenticate when performing a root level administrative task.

Since everyone is running Windows as an administrator, malicious code has no problem getting installed, without Windows ever flagging the user that important security permissions have been handed out, particularly during an installation.

The result of multiplying flaws two, three, and four explains the current plague of viruses, adware, malware, spyware and other flavors of malicious code that are so easy for spam-based marketers to foist upon vulnerable Windows users. Unfortunately, these flaws are all deeply rooted both in Window's architecture and culture.

That's right, Windows has flaws that are not just technical problems (which are usually straightforward to solve), but are tied to Microsoft core nature. Microsoft is, and has always been, a marketing company that sells software products, or more precisely, sells ideas that may become products.

Bill Gates sold IBM the idea of MS DOS, then rushed to deliver it, and his company has been selling vaporware ideas for the last twenty five years. Microsoft only attempts to deliver a product when the licensing market cycle requires it. The company sells placeholder-ware; products described to fit a solution. Once the sale is made, then work on delivering the product is begun.

Windows itself was placeholder-ware; Microsoft wanted Apple to license the Mac system software for PCs; when they didn't, Microsoft announced they would themselves. Microsoft fudged a graphical analog on top of DOS, and ported their existing Mac Office apps to run on it, but they delivered Windows 95 over a decade after the Mac, despite starting Windows prior to the initial release of the Macintosh.

Windows NT was also placeholder-ware to solve a gap: the lack of a real operating system for Windows 3. After abandoning OS/2 development with IBM, Microsoft hired a technically savvy operating system guru and delivered Windows NT 3.5.

Microsoft avoids competition by pitting its placeholder-ware product definition against real products for sale in new and emerging markets. By instilling fear, uncertainty and doubt surrounding the threat of Microsoft's entry into the market, kowtowed market analysts advise customers to wait for Microsoft to fill in placeholder products. Meanwhile, the competition dies of starvation, and Microsoft begins work on developing, or buying, an acceptable product that rarely meets the originally promised feature set.

The security problem related to Microsoft's marketing driven focus is that the company is only interested in a market position until they own it. After establishing a monopoly, they lose interest in (and motivation for) ongoing development, particularly in the area of security flaws which do not result in features that drive the next version of their product.

For example, after leveraging their monopoly position to destroy Netscape as a competitor, Microsoft left internet Explorer to rot. The Mac version was entirely canned, and the Windows version grew stagnant.

Conversely, technology-driven companies seek to provide customers with solutions that fit their needs, and security is an important consideration. Microsoft's leading market position may make its products a more obvious security target, but the real problem is that Microsoft doesn't need to care about security because the are insulated from market realities.

Hopefully, serious competition from Linux on the server side, and Mac OS X on the desktop, will prompt Microsoft to take serious steps toward delivering not only technology fixes for its security problems, but also make the company reevaluate the value of its reputation as well, and make a business case for caring about the quality of the software they market.


| | Digg

Flaw 5 - Windows' expensive processes


More Journal Entries | More Tech Articles | Get Tech Support | My Resume | Links | Contact RoughlyDrafted

Articles Copyright © 2006 Daniel Eran. All rights reserved.
Suggestions and comments welcome. Contact RoughlyDrafted.

Read more about:
Click one of the links above to display related articles on this page.