Myth #1 that Microsoft might have fallen for: Microsoft’s security woes are just because of its popularity. If Linux or OS X were as popular, they’d be dogged just as badly.
No one has a shred of evidence to indicate that any Linux has more vulnerabilities than Windows, and that the only reason they’re not attacked is that they’re not popular. But lack of evidence has not always interfered with Microsoft’s apparent beliefs. Apathy towards security has the specious advantage of saving some resources. Often it takes no more than the silliest premise to dissuade an organization from necessary investment.
There was a time, years ago, when there were too many vulnerabilities in Linux, especially buffer overflows in the likes of IMAP and SMTP servers, and even the kernel. Guess what? These bugs were heavily exploited, even though Linux was less popular than it is now. Many machines got rooted in those days. But a curious thing happened. Those days vanished.
These days most Linuxen are impressively secure in their default distribution and almost all significant software developers associated with Linux have cleaned up their act (or faced ejection from distributions). It has become much harder to exploit a Linux, even for a determined attacker.
It doesn’t take much grade school logic to figure that, since Linuxes were hit hard back when they were even less widespread than now, the relative present-day lack of malware punch is not because they’re not as popular as Windows.
Myth #2 that Microsoft might have fallen for: people get malware when they do things Microsoft doesn’t approve of, anyway.
It’s so tempting. “These people getting malware are doing things they shouldn’t be doing, so they get what they deserve”. If Microsoft believed this, it would be an effective salve to the conscience. A cynic such as I am considers that Microsoft would rather send BSA paratroopers after people they vaguely suspect of naughtiness than deploy measures to protect the whole class. Of course, no one who has had any experience with Windows can believe for one moment the canard that people only get malware when installing pirate or peer-to-peer software, or legit software by shoddy vendors (interestingly enough, the vendors usually cited are Microsoft’s competitors).
I could tell a thousand stories, but one will do for anecdote. I set up Windows XP for my parents-in-law. Pretty run-of-the-mill custom PC. I patched it to the nines using Windows Update. A lot of work, but it’s what we kin techies do. When I was done my son wanted to play around with it, so I opened IE (I was taking a break before installing Firefox and hiding all traces of IE) and wandered on-line to his favorite spot: hotwheels.com. Trouble is, I misspelled the Web site name. I don’t remember the exact misspelling, but I do know that as soon as I saw the resulting page, I could tell there was trouble. The resulting cascade of trojan spyware was spectacular. Looking at “Add/remove software” listed some twenty of them. On a lark, I tried nuking them all using all the measures I could: uninstalling, removing directories, etc. Emptying a lake with a teaspoon. I had to start all over again with a reinstall.
This is what can happen with one erroneously entered URL. I’ve seen similar effects from an aunt who clicked one of those “download these cute smileys for your e-mail” ads, and countless other examples. It’s not hard to imagine how close each keystroke/mouseclick brings Aunt Hattie to MalHell. Oh no. Malware victims are ordinary people doing perfectly ordinary things, and being cruelly punished for it.
Microsoft must recognize this to some extent, considering they’ve now pledged seriousness to anti-malware. After all, why would they offer Penicillin to Corsairs? But is such a misperception possibly part of the reason they waited so long to take action?
As a Linux user married to an OS X user, malware is not something I worry much about. But I’m kin techie for many other households, and Windows security problems affect me all too painfully. If mythology helps to fuel Microsoft’s lagging response, I hope I can do what I can to help debunk the silly myths.