Windows 7 users got a nice surprise on Tuesday when Microsoft released its first set of security patches since unveiling the new operating system last month. Of the 15 bugs patched, none affected Windows 7.
When Microsoft launched Windows 7, it was billed as the company's most secure release ever -- the culmination of a nine-year "Trustworthy Computing" effort to shore up a product line that had been riddled with major security holes.
[ Get InfoWorld's 21-page hands-on look at the new version of Windows, from InfoWorld’s editors and contributors. | Find out what's new, what's wrong, and what's good about Windows 7 in InfoWorld's "Windows 7: The essential guide." | And learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]
But does stress-tested software really matter to Microsoft's customers, seemingly besieged by more online attacks than ever before? Microsoft had years to improve Windows XP, but the Conficker worm, which began spreading last year, is now thought to have infected more than 7 million Windows machines. And for every Windows bug that gets squashed, hackers seem to find new problems in the software that runs on top of Microsoft's operating system -- Flash Player, QuickTime, and Java.
"Windows 7 is definitely by far the most secure system they've shipped," said Dave Aitel, chief technology officer with Immunity, a security company that spends a lot of time finding the latest software bugs. "I guess the question that everybody is asking right now is, 'Is this enough?'"
The man behind Microsoft's Trustworthy Computing initiative, Chief Research and Strategy Officer Craig Mundie, says the industry still has work to do. “We’ve made huge progress with respect to security around the core OS technology in the Windows PC," he said in a recent interview. "But as we did that and the 'Net became more prevalent, the bad guys continued to evolve their attacks."
This is Microsoft's conundrum. Windows may be safer, but cybercriminals still have plenty of other places to attack. And when you can hit hundreds of millions of users with a single attack, why change the game plan? So most of the worst attacks today still target PCs running Windows, whether the OS itself is secure or not.
Take spear-phishing. Attackers are getting so good at sending these highly customized e-mail messages, complete with malicious attachments, that the underlying security of Windows is almost irrelevant.
"The problem with the targeted attacks is that there's so much money that they can actually trump the security," said Alan Paller, director of research for the SANS Institute, a security training company. "The amount of money that governments and large industrial crime groups have to spend is enough to trump any of the defenses we have."