As I was saying in my other post, I take issue with the claim that Windows is insecure by design.  Is this actually true?  It is a perception that certainly resonates within the software community, particularly among Mac and Linux users.  How true is it?

To begin with, the phrase “insecure by design” is simply wrong.  Having been involved in the design and release of many components to the world, security is a big priority.  Many years ago, Microsoft launched the Secure Windows Initiative (SWI).  To quote from the site:

The Secure Windows Initiative (SWI) is an effort within Microsoft dedicated to making Microsoft products more secure from malicious attacks. It is part of a broader security initiative that includes programs such as the Microsoft Security Response Center (MSRC) .

Every new component that is created has to go through a SWI review.  In it, we go through threat modeling where various potential attack vectors are analyzed and the dev has to go through and figure out how it can be mitigated.  A component cannot be signed off and released without completing this.  Things like injection attacks, cross-site scripting and so forth are all discussed.  Thus, the very notion that security isn’t a concern within Microsoft is flat-out wrong.

Secondly, Microsoft has adopted a model that has been copied by other companies.  Microsoft has launched Windows Update and Microsoft Update.  On regular schedules (second Tuesday of the month, I believe), Microsoft publishes patches and updates to its OS.  These are downloaded automatically by your server and it prompts you to install them.  Thus, when new exploits are discovered, Microsoft proactively takes care of them and releases fixes.  These fixes are free, even to pirated copies of Windows.  Your privacy and IP information is not collected.  Thus, there is no excuse not to update your system.

Finally, is it true that Windows is more vulnerable to exploit?  For that, we turn to SIRv6 which I shall get to in my next post.