Aplus Omega Editorial

"Will we ever have a Secure Operating System?"

Microsoft operating systems are installed on 95% of the PCs in the world, and their PnP (Plug and Play) system is back in the news after giving consumers so many problems in the past with IRQ and I/O address settings in earlier versions of Win 95. It is even more troublesome now in its newest version (UPnP), found in Win XP. UPnP is basically an extension of regular PnP that allows not only local devices but also networked devices to be automatically detected and installed.

As with many Microsoft products, it seems it is going to take a while to work out the bugs. This raises questions about what seemingly is a policy of releasing a product to millions of consumers and having them, outside security analysts, and hackers troubleshoot it, adding security with patches only after someone else reports a hole in one of their products. From a business perspective this beats hiring hundreds of additional security analysts and putting them on the company payroll to troubleshoot it. Besides, XP needed to be out before Christmas.

The US government, specifically the cyber unit of the FBI, has taken a dim view of this and has issued its own warnings telling consumers running Win XP to take new steps beyond those recommended by Microsoft to protect their computers. It recommends disabling the Universal PnP code, although it does not tell consumers how to do it. The Microsoft patch does NOT disable UPnP. Aplus Omega's philosophy is "if you are not using the service, disable it" and eliminate just one more route an attacker has to infiltrate your computer. Here's how to Disable UPnP.

Security analysts examining the XP hole say that it allows hackers at remote locations to control a computer. "They could monitor your keystrokes to determine your passwords and send them out to a remote website, open every document on your machine, add or delete data, send out email messages of their choice to your friends, or just reformat your hard drive." The XP firewall will not provide complete protection against this attack, since it does nothing to stop outbound traffic and an intruder can still use a broadcast address to reach the UPnP service.

This is very similar to hacks in the past, when Microsoft's own servers fell under siege and source code for its Windows and MS Office systems was stolen, as this article in PC World details. Or, as reported in a ZDNet article last year, when the LoveLetter virus infected the Pentagon and four of its computers on a classified network were compromised. "Somehow the program was able to jump from the Internet to the military's classified network - a feat that is not supposed to be possible." It is possible and is still possible. Even agencies with the best security practices will be vulnerable to attacks by knowledgeable intruders if connected to the internet.

For now it is doubtful that Microsoft has solved all of these security problems, and the best consumers can hope for is to PLUG their computer into the internet AND PRAY the hackers don't find them and take it over. Many are calling this "The Mother of All Exploits".

Microsoft Failing Security Test

Doing a little research, it was surprising to find that some of these problems were highlighted back in June 2001, or four (4) months before the official release of XP. On June 22, 2001 the Computer Dealer News reported that a former head of NASA IT security said "Microsoft's security problems are the result of a rush-to-market philosophy and the software giant's upcoming XP operating system could open the door to a barrage of attacks."
Marc Maiffret, a chief officer at eEye Digital Security who initially found the XP UPnP vulnerability, comments "Until they actually redo it, it is not something people should be using." Bill Wall, the chief computer security engineer for Florida IT outfit Harris Corp, also back in June 2001, said "Microsoft is on a deadline to produce XP because they've already advertised it and XP is going to be out in October no matter what. If there's a serious flaw, they're still going to release it and patch it later." And in July 2001 Steve Gibson (security analyst and operator of GRC.com) is quoted as saying "With a bit of horror, I learned that Microsoft's developers have no understanding of security."

Although this may be a factor, Microsoft has been in the business a long time and does have some of the most highly respected and knowledgeable security analysts in the world, but they don't run the company and can't keep track of what the other 50,000 employees at Microsoft are doing to the system. To really get to the bottom of the holes would just be too costly. They would have to stop writing code for about a year and work on security.

Each of Microsoft's OS's is built on top of a previous version - a pyramid effect. The current Win XP UPnP vulnerability is actually a Win ME bug that got passed on to XP! This means people running Win ME for the last year or so could have easily had their data stolen. To fix the problem now they would have to tear the base of the pyramid down and reengineer the whole 650 MB of code from the bottom up: strip much of the functionality out of the present Windows OS's (operating systems) and go back to basics, creating a bare-bones system. But then the majority of the people would be saying "How come my computer can't do anything?"

Very simply, it's "Innovation vs. Security", and Microsoft has chosen the innovation route. Feeling: HEY, it's not our problem.
Blame the firewall and antivirus manufacturers like we did when our system was broken into. Firewalls and antivirus software products help, but they are no substitute for a secure operating system.

Consider that Microsoft gets 50% of its revenue from products released in the last 12 months. Good, bad, or indifferent, Microsoft must promote, release, and sell at least one major product each year. And this business plan is working just fine. Microsoft has sold 17 million copies of the new XP software in the first two months since its introduction, which is a 300 percent increase over sales of Windows 98. If you were the CEO, would you change anything you're doing?

Without a major overhaul, what can consumers expect from Microsoft in terms of security? Not much. Some immediate short-term improvements would occur, though, if they changed their present philosophy of shipping OS's with almost every function enabled as the default setting. Microsoft ships Windows with many extraneous functions, scripts, services, and open ports enabled, which makes it much easier for crackers to break into your system. The fewer functions, scripts, and ports you have open, the fewer avenues an attacker can use to compromise your computer.

In summary, with an average of 650 MB of code, and XP Home or Professional requiring a Microsoft-recommended minimum of 128 MB RAM to run, these OS's have grown into monsters with tentacles so vast and diverse that no one person, including Gates, knows exactly how the whole thing works. There are hundreds of groups of programmers with 50 or so people in each group working on their own part of the system. Of course Windows has holes and will probably continue to have holes. It's too massive now to contain. As of Feb 2002 we found sixty nine (69) holes in Win 2000, which are listed along with the Microsoft knowledge base "Q" number here.
The only difference with XP will be that the company will stop listing many of these vulnerabilities, which others have already noted is happening now. We feel they don't want the bad press. The OS company feels it distracts administrators from maintaining their systems and gives hackers insight into developing new attacks. It is a little more than a distraction when the boss comes in yelling "What happened to our system" every couple of weeks after each hack. So there will be fewer listings, but that will not mean fewer vulnerabilities, only fewer that the public is aware of.

What can consumers hope for? Without a complete renovation of the operating system, it will be continuous patches to reinforce the base so the whole thing doesn't come tumbling down.

To answer our original question, "Will we ever have a Secure Operating System?" Not without competition! Microsoft controls 95% of the OS market and most consumers have no choice but to buy whatever they produce. There is no incentive for Microsoft to produce a very secure system. In fact it would be counterproductive. 1st - it would be too costly in terms of troubleshooting their present systems and the concurrent delays it would cause in new OS releases, and 2nd - they would not be able to announce "Buy our new OS, it's the most secure ever!", which we will probably be hearing with each new annual operating system release for the next ten years. And yes, there is a new OS planned for release in mid 2006 code named "Longhorn" and one planned for early 2008 code named "Blackcomb" ...

What is the most secure OS? A stripped down, bare bones one. Security is always compromised by the complexity of the system. The more lines of code, the greater the chance an attacker can find a hole. Win 2000 has a million lines of code, Win XP about 100 million lines of code. The memory to run Win 2000 effectively is about 64 MB, while Win XP should have 256 MB.
THE MOST SECURE: #1 - a bare bones Mac, coming in second Linux, next an appropriately locked down NT4 or 2000 system, and finally at the bottom of the heap is XP (with or without SP2).

The reason for the Mac: partly because 90% plus of people use Windows. In a survey conducted by Symantec in 2003 of all the viruses they could find in the wild, they found 4,000 Windows viruses, 11 for Linux, and 0 for the Mac. There are an extremely small number of viruses, worms, and trojans in the wild for the Mac. Malware writers who want to make an impact almost always choose Windows. Another reason is that it's much harder to write a virus for a Mac or Linux machine. Security is at the foreground in the design of the Mac.

#2 - Linux was chosen second because it had only 11 viruses vs 4,000 for Windows. Besides, the United States Department of Homeland Security changed over to Linux after running on Windows 2000 for several months, and that's good enough for us. The switch was prompted in order to have an operating system they knew could be more easily locked down. In addition, they are the only ones that want to do the spying and don't want Microsoft spying on them. If you don't examine every bit of source code, you don't know what the OS is doing. Linux is open source and can be examined by programmers. Microsoft's OS's will never be.

#3 - The reason for NT4 or 2000: because XP has a million more lines of code and many new insecure functions like UPnP. The more code and functions, the greater the chance of holes. According to CERIAS, Win 2000 has 30 million lines of code. A conservative rate for serious code errors is 1 error in 100 pages of code. For Win 2000 that comes out to 6,000 errors! This number is decreased with every patch. XP has many millions more lines of code, so more errors.

#4 - The next reason XP is at the bottom is that it's NEW and the bugs haven't been worked out like the old systems that have been patched and repatched, examined and reexamined.
Most vulnerabilities in a new OS are found after its release and patched month after month until the OS is fairly secure. Never buy anything new. It costs more and hasn't been thoroughly tested yet. Microsoft is notorious for shipping out new OS's before they are thoroughly tested.