Contributed by Robert “@pwcrack” Weiss
Microsoft Windows XP was released in 2001 and is scheduled for end of life less than a year from now in 2014. At that time Microsoft will discontinue critical and security patches for the aging operating system. When this happens it will have had an unprecedented run of over a decade as a dominant operating system – a record unlikely to be broken.
During this time XP has been examined and researched in detail by both security researchers attempting to repair it and malware authors and malicious developers attempting to exploit it. It would be intuitive to assume that over this period XP would have been examined and patched to the point where it would have become an extremely secure and stable operating system, if not the most secure operating system ever developed. But in fact, the opposite appears to be the case. XP today is fundamentally less secure than other fresh-to-the-market operating systems such as Windows 7, OSX Mountain Lion or Ubuntu 13 (Raring Ringtail). And this is important: an XP user today would be well served to switch to a more modern operating system.
The reasons for this are instructive. Many people claim that security flaws stem from a lack of testing or quality assurance prior to release. The story goes that the manufacturer rushes the software out early, doesn’t take the time or spend the money to do quality assurance or testing, and uses the public as guinea pigs, releasing patches as flaws or vulnerabilities are discovered. If this were the case it would be reasonable to anticipate that the software issues would eventually be discovered and that, over time, the patching process would yield a reasonably perfected product. If the premise that insecurity stems from a lack of quality assurance prior to release were correct, we would expect software to get more secure over time as the guinea pig users performed their function and software flaws were identified and corrected. However, this does not appear to be the case. The flood of Patch Tuesday critical and security patches continues unabated. It does not appear that the discoveries are slowing. Further, ten years of discovery and patching have not yielded a more secure system. Lastly, during the life of XP the software industry developed automated code review tools that could easily have been used to review the XP source code, and it is reasonable to expect that Microsoft would have been at the forefront of developing and using these tools and would have applied them to XP.
Another theory is that software insecurity stems from complexity. Operating systems are massively complex and getting more complex. Windows NT 3.1 contained approximately 5 million source lines of code (SLOC), Windows 2000 contained more than 29 million SLOC and XP contained over 45 million SLOC. Windows 7 almost certainly continues in this trend. This complexity is not limited to Windows. Red Hat Linux 7.1 contained 30 million SLOC, FreeBSD contained 8 million SLOC and Linux Kernel 3.6 contained 15 million SLOC. All updated operating systems appear to be in a steady trend toward more complexity.
If the massive complexity of code were the cause of software vulnerabilities, we would expect simpler systems to be more secure. If the lack of security stemmed from complexity, it would make no sense that, after 10 years of patching a less complex operating system, it would eventually be replaced by a newer, fundamentally more complex operating system that is also fundamentally more secure.
This is not to say that complexity is a positive attribute in terms of the security of a system or software. It seems logical that complexity overall is a negative attribute of the security of a system and introduces the possibility of unknown consequences. However, a modern operating system also needs to be complex enough to include implementations of all of the best security practices and controls. In short, complexity by itself is insufficient to explain the lack of security of a system.
So if neither a lack of quality assurance testing due to a rush to release software nor the massive complexity of source code seems to be the root cause of insecure software, what is the root cause? Why, after a decade of patching, isn’t XP the most secure operating system on the planet?
Bad architecture. XP was released into a marketplace that was less concerned with software security than we are today. Many of the lessons about software security over the last decade have been built into Windows 7. Therefore, while newer, less researched and more complex, Windows 7 is also more secure. This also explains why Unix and Linux O/S seem to be more secure. While not immune to vulnerabilities, these systems have been architected from the beginning with security in mind. They were designed for a community that was fundamentally more focused on security issues and have been designed to be more secure from the beginning. Windows 8 Secure Boot (or Trusted Boot) and UEFI seem to be an additional step in this direction. It is not the amount or duration of software quality assurance or testing prior to release or the simplicity of the design, but more secure architecture and better engineering that is driving the improvement in software security for the future.
If it is the case that security improvements are driven by architecting and engineering security into the system from the beginning, we can expect regular improvements in system security as new software incorporates more and better security controls. Future releases are likely to continue to deliver better security as long as the marketplace continues to demand more secure software. The lesson applies to applications, not just to operating systems. Security comes from good architecture, and secure applications are designed that way from the beginning.
What are your thoughts on Windows XP? Post your comments below. Today’s post pic is from ResetWindowsPassword.com.