In a report released at a meeting of the group in Washington DC, attended by industry figures and top government officials, the CCIA warned that the dominance of vulnerable Microsoft software on the internet opens the doors for cascading failures.

“The near universal deployment of Microsoft operating systems is highly conducive to cascade failure,” the report says. “These cascades have already been shown to disable critical infrastructure.”

The organization points to the Nimda and Slammer worms as examples of this type of failure. These worms spread fast because they did not have to guess much about the target computers: nearly all computers have the same vulnerabilities.

The CCIA’s report follows a letter it sent to the Department of Homeland Security in July, after the agency – set up after the September 11 terrorist attacks – committed to pay $90 million over five years for Microsoft software.

That letter was prescient. Yesterday, it emerged that an unclassified network at the US Department of State suffered an outage caused by the Welchia worm, which targets a known vulnerability in Windows XP and 2000 machines.

According to reports, the worm created enough network traffic to force administrators to disconnect links used by the so-called CLASS computer system, used to match the names of visa applicants against those of suspected criminals and terrorists.

Microsoft spokesperson Sean Sundwall said yesterday that Microsoft has made security its absolute top priority. He said: “No software will ever be perfect, but our job is to make our software as close to perfect as possible in terms of security.”

He pointed out that almost all software on the market has security vulnerabilities, including products from its rivals, and that Microsoft makes the effort to alert users to these problems and issue fixes.

The CCIA, which counts Microsoft rivals Sun, Oracle [ORCL], AOL [AOL], Liberate and Yahoo [YHOO] (among others who do not directly compete with the company) among its members, was vocal during Microsoft’s antitrust trial and the subsequent remedies debate.

The report makes the case that it is not only buggy, bloated and complex software – all of which make it easier to find security holes – but also Microsoft’s business practices that make the internet vulnerable to catastrophic failures.

The document claims that Microsoft’s practices of tightly integrating applications with the OS, of creating technical obstacles to customers wanting to operate heterogeneous networks, and of prematurely shipping software, all add to the security problem.

“Some of the issues brought up in the paper have already been addressed in the nation’s courts of law,” Microsoft’s Sundwall said.

The report goes so far as to make recommendations for how Microsoft should be punished for its antitrust law violations, suggesting the forced, open development publication of interface specifications used in its software.

This article was based on material originally published by ComputerWire.