
Popularity does not equal insecurity

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  Erica D Smith <ersmith-AT-thebeaconjournal.com>
Subject:  Popularity does not equal insecurity
Date:  Mon, 20 Dec 2004 08:16:08 +0800
Cc:  Bradenton Herald Editor <dklement-AT-bradentonherald.com>, LWN Letters <letters-AT-lwn.net>

Erica, you wrote
at http://www.bradenton.com/mld/bradenton/business/10445192.htm -
> Chances are, if your employees are using Microsoft Corp.'s Internet
> Explorer to surf the Web or Outlook to check e-mail, your company is
> more exposed to viruses and spyware, some security experts say.
 
And they're right.
 
> Is it because Internet Explorer and Outlook are inferior?
 
> Not really.
 
> It's because Microsoft's operating systems and programs are used by
> more than 90 percent of computer users - especially in the largest
> of businesses.
 
Unfortunately, that statement's not quite right. I'm pleased that you included
a few other opinions in the article, but you did not introduce anything to
seriously contradict David Perry's opening statement, or your words
introducing it.
 
Increased popularity makes the market more attractive to writers of
"malware" (the short term for the collection of nasties out there including
browser hijacks, phishing frauds, viruses and worms) and it means that any
individual piece of malware will be tripped over by more people, but it does
NOT increase the number of security holes present in any piece of software.
 
If simple popularity were a strong indicator of vulnerability, then the Apache
webserver would also be attacked disproportionately, since it "owns" more
than two thirds of all web servers, nearly three times as many as Microsoft's
IIS. However, Apache has never had a Code Red, a sadmind, an MDAC
vulnerability or a Nimda.
 
Similarly, the Open Source databases MySQL and PostgreSQL are wildly popular,
widely exposed to the Internet, and have had no MS-Blast attacks. Modern
email servers like PostFix and QMail have never been successfully attacked
despite very wide deployment, and even cranky old SendMail, the grandfather
of all email servers, has a far better track record than MS-Exchange.
 
The context of this statement implies that it's based on David Perry's input,
too:
 
> You can't expect to rid your company of all viruses and spyware simply
> by switching browsers. It will cut the risk, though. That's because
> there are still plenty of viruses that are written strictly for
> Internet Explorer.
 
Speaking from personal, recent, in-the-field experience I have to say that the
reason supplied is fatally inadequate. There are plenty of browser hijackers,
phishing scams and other pieces of malware out there which are designed to
work with any web browser or email client at all, and another large range
designed to work with any MS-Windows-based browser. Based on this, you would
expect this range of malware to continue to bite you even after you switched.
 
Yet switching from Internet Explorer and Outlook (or Outlook Express) to
Mozilla's FireFox web browser and ThunderBird email program deep-sixes a lot
of this malware as well, for the very simple reason that they are built to do
exactly that.
 
Mozilla is not a company with income goals or shareholders, Mozilla is a
foundation established by and for and of Internet users, and this is
reflected in the goals and quality of their products.
 
As a general statement, switching away from Microsoft's products, however
popular or otherwise, decreases your exposure to malware.
 
As another general statement, switching to Open Source software also decreases
your exposure. Because you don't need any special tools to find problems (any
programmer can read them right there in the source code), they are found and
eliminated quickly.
 
Open Source alternatives are available for a broad spectrum of applications;
for example, MS-Office can be easily replaced by the comprehensive
OpenOffice.org suite; Adobe's PhotoShop can usually be replaced with the GNU
Image Manipulation Program (fondly referred to as "The GIMP"); Solitaire
pales to insignificance alongside PySol.
 
With this in mind, a further effective step not mentioned, presumably because
you are neither really familiar with nor comfortable with the alternatives,
is to switch completely away from MS-Windows.
 
The two common alternatives are Linux and Apple's OS X.
 
OS X is initially the more costly to switch to because you have to replace
your computer as well, but the interface is a lot more polished than anything
else out there.
 
The two usual show-stoppers in any attempt to switch away are games and
particular "vertical market" applications. Many of these can be run using a
translation layer called WINE, but not all.
 
The benefits in switching, aside from security, include greater reliability,
accountability and control. Individual pieces of software offer specific
additional benefits; for example, the KDE desktop suite I'm using offers a
degree of consistent integration only dreamed of in the MS-Windows world.
 
There's also up-front cost (which is often zero) to consider, and the reduced
cost of maintenance (both direct and indirect) to factor in.
 
It's a very real and compelling response to any security issues, and yet it
sees no mention at all in this article.
 
> Mozilla is a free software suite [...] the Web browser that comes with
> it is not Firefox or Netscape.
 
This is also not strictly true. Netscape's Navigator is indeed a slightly
stretched version of Mozilla proper, and FireFox is both derived from it and
shares a lot of code.
 
You've done a much more thorough and impartial job than many other journalists
have, including some prominent self-styled technical experts; nevertheless, I
would appreciate seeing an article correcting these points, or an opportunity
to publish an article of my own here which presents them more realistically.
 
Cheers; Leon
Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds