OS monopoly poses security risk, report claims

A report by security researchers argues that the mere existence of an operating system monopoly constitutes a critical security...

A report by security researchers argues that the mere existence of an operating system monopoly constitutes a critical security risk to governments and businesses.

The report,  "CyberInsecurity - The Cost of Monopoly" was released yesterday at a Computer & Communications Industry Association (CCIA) gathering in Washington DC.

It calls on governments and businesses to consider the dangers of homogenous systems, and to diversify the software mix deployed in their organisations.

The report also urges the US. government to counterbalance Microsoft's user lock-in tactics by forcing the company to offer multiplatform support for its dominant applications, including Internet Explorer and Microsoft Office.

While Microsoft is a focus of the report, the authors of the report said it the software company is not solely responsible for the risky situation that now exists.

"I think the blame falls mostly on the buyers. The seller is going to sell what the buyers want," said co-author Bruce Schneier, who is also the founder and chief technical officer of Counterpane Internet Security.

"Because everyone is buying it, because it's compatible, because it's easy, everyone is doing it. The point of the report is to say, 'Hey, there are security implications to your decision'."

Microsoft's pledge to improve its products' reliability  will not fix the underlying problem of the vulnerability inherent in a system that depends on just one architecture, said co-author Perry Metzger, a computer security consultant.

"It doesn't matter how hard Microsoft works on security. So long as they continue to be human beings, there will continue to be flaws - and you don't want every machine on earth to have the same flaw revealed at the same time," he said. "It's as though every person in the US had the exact same genes."

None of the report's authors were paid for their contributions, and the CCIA is merely acting as the paper's publisher and had no influence its content, according to the report's instigator, @stake chief technical officer Dan Geer.

The report's conclusions do, however, dovetail with CCIA's push for tighter regulatory controls on Microsoft and for greater diversity in the US federal government's IT systems.

The report's authors said they hoped the report would aid corporate IT workers in their efforts to convince executives at their companies that Microsoft's software should not be deployed by default.

"There isn't a lot of talk about monoculture and security problems. Our hope is that we can bring this into the debate," Metzger said.

Beyond recommending diversification, the paper suggested steps could be taken to reduce the effects of Microsoft's monopoly.

Two suggestions include the forced publication of application program interfaces for Microsoft's Windows and Office software, and requiring the company to work with other software companies on development of future specifications through a process similar to the Internet Society's request for comments system.

Stacy Cowley writes for IDG News Service

Read more on IT risk management