August 21, 2003

Consequences of Operating System Monoculture

An interesting article on viruses by Charles Duhigg of the Washington Post:

Strong Attackers, Weak Software (TechNews.com): ..."This is the fastest-growing e-mail virus of all time," Sunner said. MessageLabs, which scans 17 million e-mails per day for 6,500 businesses, detected a Sobig.F infection in one of every 17 e-mails scanned when the virus peaked Tuesday. The previous peak infection rate was one in every 125 e-mails for the "Klez" virus last year.

This has been a big month for "fastest-growing" computer viruses and worms. Last week, the "Blaster" worm infected at least 500,000 computers worldwide, forcing the Maryland Motor Vehicle Administration to shut its offices for a day and jamming computer networks around the world. The "Welchia" or "Nachi" worm, which appeared earlier this week and is designed to protect computers against Blaster, brought down the check-in system at Air Canada and infiltrated unclassified computers on the Navy-Marine intranet, a first for computer viruses. CSX Corp., the third-largest U.S. railroad, yesterday reported a computer virus slowed or halted service on its 23,000-mile eastern U.S. network, forcing cancellation of some Washington-area trains and causing delays averaging six to 10 hours.

Computer security experts say the recent upsurge in virus activity is not a sign of anything new. Instead, it's the culmination of a trend that has been building for years as virus programmers have become more adept at creating malicious programs, and software companies have sold products increasingly vulnerable to attack....

But the end of this last paragraph is kinda strange. "Software companies" have sold products increasingly vulnerable to attack. What companies is he thinking of, exactly? AOL? Bare-Bones? Omni? Adobe? Netopia? No. Microsoft.

It's like the effing Irish Potato Blight. The fact that Microsoft has been so successful in spreading its operating-system monoculture around the computing world is what makes the network potentially vulnerable. And the fact that Microsoft has focused its energies elsewhere has turned that potential vulnerability into a huge weak spot.

Surely, surely at some point IT departments in organizations are going to think, "As long as everybody else is running Windows, we should definitely be running something else."

Yet Charles Duhigg writes that it is software "companies" that have sold products "increasingly vulnerable to attack". I wonder what he could have been thinking...

Posted by DeLong at August 21, 2003 07:05 AM

Comments

Actually, the 'OS monoculture' goes beyond the operating system to an 'OS and application monoculture' because Microsoft's fundamental strategy has been to roll non-OS functions (like email) into the OS. Any systems engineer will tell you that this is a recipe for a fragile, vulnerable, and unfixable system.

Posted by: Matt on August 21, 2003 07:14 AM

There are benefits as well as costs to being part of the monoculture. I run FreeBSD and so I'm not susceptible to any of this stuff but I'm also constantly having to work to communicate with people who run Windows.

Posted by: EKR on August 21, 2003 07:30 AM

There is a limit to benefits of scale then. How could we avoid human/societal monoculturalism? Isn't industrialism (americanism?) a likely candidate for being the cultural Microsoft™?

Posted by: Mats on August 21, 2003 08:05 AM

I'm sorry. The problem isn't ubiquity, the problem is buggy, poorly-designed crappy software.

BIND has an even bigger share of the Domain Name Service (DNS) "market" than Microsoft has of the OS market. The entire DNS infrastructure of the internet runs almost exclusively on *one* program (not even Microsoft dares use anything else).

But notice that the Internet isn't being brought to its knees every other week (for, indeed, if DNS doesn't work, nothing else will) by the latest virus or worm.

BIND has its share of (by comparison, minor) security problems, but it is not the rampant crapware that regularly gets released by Redmond.

Turn your attention to web servers. Apache "owns" 2/3 of that market, to Microsoft's little less than 1/3. But the dramatic incidents of web-server worms (NIMDA, Code-Red, ...) have been exclusively confined to the minority Microsoft platform.

At its height, NIMDA generated enough traffic to bring the web to its knees, even though 2/3 of the platforms were immune.

The problem ain't monoculture.

If 98% of the world's PCs *were* running FreeBSD, you can be assured that we wouldn't be plagued by the "virus-of-the-week" problem.

Posted by: Jacques Distler on August 21, 2003 08:06 AM

Mr. DeLong writes:

Yet Charles Duhigg writes that it is software "companies" that have sold products "increasingly vulnerable to attack". I wonder what he could have been thinking...

The original says:

Such vulnerabilities exist because software is distributed without appropriate amounts of testing and because software vendors increasingly create new functionalities that invite infection, they said.

"The idea of a mail message that contains a program with lots of bells and whistles is a really cool idea," said Marty Lindner, of the CERT coordination center at Carnegie Mellon University. "But when you realize that a bad guy can use those bells and whistles for other purposes, that idea isn't as cool as it used to be."

The introduction of new functionality tends to create vulnerabilities caused by unforeseen interactions with what was there already (as well as any independent holes it may have). The more complex (functional) the whole, the harder it is to control all the interactions.

There are design techniques that are supposed to limit or prevent this, but they are not (at least in the real world) completely effective.

I have a somewhat idiosyncratic view of the problem: I think that it's caused in no small part by the fact that Windows is a single identity system. That means that anything I run, especially mail, runs as me, with all my privileges.

Using a multiple identity system, such as UNIX, I'd create a mail user to run mail. This identity would be strictly limited in what it could do. That alone limits the damage a great deal.

As for:
Surely, surely at some point IT departments in organizations are going to think, "As long as everybody else is running Windows, we should definitely be running something else."

Not a chance. The benefits to using the popular system EKR pointed out above, added to the problems of finding people to run less widespread systems and the ever-present "No one ever got fired for recommending Microsoft" factor, are enough to rule that out for the foreseeable future. How long is that? In IBM's case it was about 30 years.

Posted by: Jonathan Goldberg on August 21, 2003 08:08 AM

Well I don't think it's the monoculture that's the problem. And I don't think it's the permissions scheme in WinBloze, at least not since NT. And I don't think it's the crappy buggy software, all software is buggy. The problem is complex, but can be distilled down to two architecture decisions. First, Windows was architected to maximize 'user experience'; all other considerations were for many years secondary. Thus we have an email client that by design can automagically run 'rich' applications upon receipt of remotely originated messages. 'rich' implies complexity, complexity implies bugs. The second and fatal architecture policy is to hide these bugs, many quite fundamental, by binary only distributions, and to entrust security to obscurity, fixing only those bugs that are found. Outside review of the overall application execution architecture would surely force MS to make fundamental changes, if only from pressure from the DoD alone.

It wouldn't matter if failures were local, people get what they deserve from the products they freely choose[1]. But failures in Windows these days abuse the networks we all live on, whether we're running MS or not. It screws up my online reception of KFJC and WFMU, and that's really pissing in my cheerios.

[1] In a free market. And it's a free market. I am essentially MS free, and I recommend OpenOffice to people who are trying to read older Word and PP docs. I have a laptop with all the bells and whistles running debian; this message is written on a FreeBSD box.

Posted by: Russell L. Carter on August 21, 2003 10:14 AM

Unfortunately, I don't think that Mr. Distler is correct. Even in situations where UNIX systems have had very severe vulnerabilities (this is quite common) the extent of penetration has been much less. For instance, Apache had a horrible buffer overflow about a year back but there was never a worm that exploited it the way that Code Red did.

It turns out to be hard to write portable UNIX worms because the exploits inevitably depend not only on the software being exploited but also on the OS platform. If you examine the source code of the Slapper worm that exploited the OpenSSL bugs of last July you can see this enormous table of how to exploit different variants of Apache and Linux. This isn't a problem when you write a Windows worm.

I strongly suspect that if everyone ran more or less the same version of Linux or FreeBSD that the malware problem would be fairly bad.

Posted by: EKR on August 21, 2003 11:05 AM

I agree with what other commenters have said: monoculture isn't the problem, Windows/Office is the problem.

Another consequence of the complexity that people have mentioned: Windows system administrators are often reluctant to install security patches until there is a pressing need, because they know from bitter experience that in the course of fixing the security hole, other things will break.

(For example, according to some postings on a Windows security list, the patch that protects Windows against the Blaster worm will, under some circumstances, prevent a Windows machine from connecting with a Microsoft Exchange email server.)

Posted by: Seth Gordon on August 21, 2003 01:18 PM

Worm? What worm?

Posted by: Bernard Macintosh Yomtov on August 21, 2003 09:15 PM

Symantec should also take their fair share of the blame, and while they're not quite at the monoculture level yet they do have 50% of the antivirus market share and considerably more than that on consumer desktops.

People trust their antivirus systems to protect them from hostile programs and NAV simply fails to do this. NAV has no integrated firewall (they prefer to sell this separately) and thus left systems completely vulnerable to any new network exploit - including Blaster. Norton also doesn't stop executable e-mail attachments at the door, letting new viruses get a foot in the door.

Norton's cynical policy of discontinuing virus signature updates for older versions also means that thousands of cut-off customers became perfect reinfection platforms for SoBig.F.

Of course, it's not really in the interests of security companies to stop security threats TOO effectively, is it? Just watch Symantec's stock price shooting up over the last few days.

Posted by: bobdobba on August 21, 2003 09:36 PM
