Microsoft Monoculture

The crux of the CCIA paper pretty much lies in this statement:

"Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow."

Essentially, if everyone has Microsoft Windows and a severe or critical flaw is found in that operating system, every one of those computers will be vulnerable to having that flaw exploited. If a malicious programmer develops a virus or worm to automate the propagation of the exploit, tens of thousands or possibly even millions of computers can be impacted or wiped out in a very short timeframe.

In January of 2003 the SQL Slammer worm spread around the world in 15 minutes and effectively shut the Internet down. SQL Server is a separate application- not part of the Windows operating system- but its a good illustration of just how fast a threat can spread.

In August of 2003 the MSBlast / Nachi worms hit the Internet. They did not propagate as quickly as SQL Slammer, but the vulnerability being exploited was in the operating system itself and many more computers were susceptible.

Microsoft basically has a stranglehold on marketshare for operating systems. Their server marketshare may rise and dip, but in the desktop and home user market Windows is almost exclusively the operating system of choice.

This effectively means that every time Microsoft adds a new "feature" which can be twisted and used with malicious intent, and every time Microsoft releases flawed software, that virtually every desktop computer in the world is potentially vulnerable to exploit.

The team of highly respected security experts who co-authored the CCIA paper find these facts alarming and believe that something should be done- fast- to upset that balance and get more diversity into the operating system market.

I think that the following paragraph from Marcus Ranum really captures the essence of his argument against the Microsoft Monoculture hype:

"There is no "monoculture" here. My system isn't just Windows. My security is effected (and affected) by a bewildering combination of default settings, software patch levels, default firewall rules (I just plugged it in, honest!), browser settings, and antivirus signature sets. We're not in anything like danger of becoming a "monoculture" unless every system was running the same software load-out, security policy, antivirus product, and patch level. In spite of the dearest wishes of countless system administrators, that simply isn't going to happen! So, as much as I hate to say it, Sun's marketing people may have been right, "The network is the computer" - and the network sure as hell isn't going to become a "monoculture" unless Microsoft builds all the firewalls, all the routers, all the switches, all the web accellerators, all the SQL databases and establishes everyone's security, routing, DNS, and update policies."

The fact is that even if everyone had Windows XP Home on their home desktop computer, they would be connecting through different ISP's who run different routers, switches and hopefully some filtering or protective measures. If they have a home network they will have a different router than their neighbor and both of them will most likely contain some sort of basic firewall to block unauthorized traffic. They will have different antivirus software programs and personal firewalls installed. One person may be running IIS (Internet Information Service) to host a web site while his neighbor may have IIS disabled, but be running an FTP (File Tranfer Protocol) server to share files instead.

The bottom line from Ranum's point of view is that the CCIA argument works great in their fantasy world where a monoculture does exist, but that in reality there are too many factors and, in fact, no such monoculture to worry about.