Ubiquitousness of Microsoft Opens Window to Trouble

Mysteriously, the twin obsessions of the software world--viruses and Microsoft’s monopoly--haven’t been linked in the courtroom. They are nearly inseparable in cyberspace.

It’s not Microsoft’s fault that overwhelming market dominance makes its products enticing springboards to widespread disruption. But hackers know an easy mark when they see one. Consider a few examples of what Microsoft has scrambled to clean up in just the last six months:

* Security holes in the Windows and the Outlook e-mail programs allowed the Love Bug virus to destroy PC files and to infect millions of PCs in hours.

* Several holes were found in Microsoft’s Internet Explorer Web browser. One let Web site operators view files on a user’s PC. Another allowed attackers to manipulate server computers (which manage computer networks) in ways that could be used to shut down Web sites. Another flaw let hackers within a corporate network alter supposedly secure files. Yet another allowed “cookies” (identifiers used by Web sites to track users for e-commerce) to be stolen by hackers.

* Microsoft’s Hotmail, a free e-mail program used by tens of millions, was hit by a programming trick that creates a phony log-in dialogue box to trick users into revealing passwords--with which attackers could secretly appropriate the e-mail account. Attackers also found a way to surreptitiously delete, read or send mail from Hotmail accounts.

* Attackers seized control of Microsoft WebTV e-mail accounts; users reportedly learned that phony, profane e-mails were sent in their names.

Yet, while Microsoft has been denounced by legal adversaries as an enemy to innovation and a ruthless manipulator, it’s gotten a free pass on what may be the company’s clearest threat to the computing world: Much of today’s digital experience operates within a Microsoft “monoculture,” as one anti-virus expert describes it. It’s an environment where digital viruses and worms can proliferate unimpeded, much as their biological namesakes might sweep over a vast field of wheat.

When asked why Microsoft products so often fall prey to hackers, experts first point to mounting complexity. The company’s basic business model is this: Users should upgrade regularly to take advantage of new features. The formula relegates security to a matter of damage control.

“Microsoft knows that reliable software is not cost-effective,” Bruce Schneier, chief technical officer for Counterpane Internet Security in San Jose, wrote in a newsletter he distributes to security geeks. “They get whacked with a new security vulnerability several times a week. They fix the ones they can, write misleading press releases about the ones they can’t, and wait for the press fervor to die down. . . . And six months later, they issue the next software version with new features and all sorts of new insecurities.”

Beyond the proliferation of features, Microsoft’s penchant for integrating Windows with its productivity applications has created a mother lode of options for attackers.

For example, the company’s “scripting” tools allow sophisticated users to customize a program’s functions and to automate interactions between Microsoft applications; an action in Word (the company’s word processing product) can trigger Outlook to send an e-mail message.

Microsoft often ships its software with such tools turned “on” by default--rather than as an option consciously selected by the user. In this way, Microsoft opens the door for Internet intruders to hijack a PC and set off a series of malicious actions like so many dominoes.

That openness to foreign scripts was exploited by the Love Bug’s author to cause each infected PC to e-mail a copy of the virus to every address in the host’s Outlook address book and to destroy files.

Microsoft has always sold such features with the claim that customers want a “rich computing experience,” said Jeff Schiller, network manager for MIT and a noted security expert. “People don’t want such a rich computing experience that it includes getting their machines trashed.”

To be sure, determined hackers can penetrate almost any security barrier to any kind of software.

Industry leaders America Online, Yahoo, Qualcomm and Red Hat Software have had to address serious vulnerabilities in recent months. Even Network Associates’ Gauntlet “firewall”--designed specifically to guard against network intruders and named “security product of the year” by a leading trade magazine--was recently discovered to harbor an embarrassing security flaw (since fixed).

However, Microsoft is the top threat to security. That’s not because the company’s programmers are arrogant and complacent, though some are. It’s not because the company favors new features over security, though it does. And it’s not because other companies’ products are more secure, though they often are.

It’s because monopoly is the sworn enemy of software security. Network saboteurs would face monumentally harder challenges if a single company’s tightly linked products didn’t run the vast majority of the world’s computers.

The survival of Apple’s Macintosh and the ascendancy of Linux and other software operating systems that run Internet appliances may be the best hedge against digital inbreeding and an endless string of disruptive attacks on our computing lives.

*

Times staff writer Charles Piller can be reached at charles.piller@latimes.com.