It has been more than three solid decades since the IT revolution began
in right earnest.The initial hiccups and the development tangles would
have been got over by now, one would have thought. But the ghost has
indeed returned to haunt the softwares in the shape of software
vulnerabilities, a great thorn in the flesh of the Operating Systems and
other softwares.e? Unfortunately it is clear that many operating systems,
middleware and applications are still plagued by all kinds of
In the first 9 months, many IT statistical organizations have reported
2982 vulnerabilities, or an average of more than ten vulnerabilities per
day. This total number is more than ten times the number of
vulnerabilities reported for the entire year in 1998 and close to three
times the number of vulnerabilities in the year 2000. The reports in the
vulnerabilities databases sometimes describe errors within the operating
systems themselves but more often they describe application errors
through which the integrity of the operating system can be compromised.
The really obstinate and intransigent could argue that application
problems such as buffer-overflow are no concern of the operating
system.The counterargument is that while the blame for application errors
might lie with the software engineers and developers who created the
software, the ability of an application error to compromise an operating
system is a fault in the operatin in the first place,the system itself.
The number of vulnerabilities of an operating system are a clear reminder
of the inherent weaknesses in that system.
The operating systems with fewest vulnerabilities in 2003 are HP's
OpenVMS, IBM's OS/400 and IBM's zOS. These three are all proprietary and
they all have security that is fully integrated, not applied as some kind
of after-thought. Certainly they come with a decent price-tag but they
can be well worth the money when the result is fewer security problems,
less unscheduled downtime and less downtime for patching.The other
significant feature of these operating systems is the language in which
they are written. The two from IBM are both written in assembler and
OpenVMS uses a range of about ten languages, one of which is C.
C and similar languages that use pass-by-value techniques are
exceptionally prone to buffer overflow and the consequent potential for
unauthorized users to execute either their own malicious code or other
programs which run with enhanced access privileges. Avoiding the use of
these languages at the most vulnerable points, namely user I/O and
network I/O, would appear to be wise. Linux, Unix and Windows are almost
entirely written in C, and most of their middleware and application
software is also in these vulnerable languages, so it should come as no
surprise that they are comparatively less secure than OpenVMS, OS/400 and
The other operating system that had very few vulnerabilities is Apple's
OS 9. Again this is a proprietary operating system and the decisions and
integration of security rest with one organisation which does not have to
concern itself with compatibility with other vendors.
Apple recently moved to a Unix-based operating system, OS X, and the 24
vulnerabilities reported for it.Linux users are usually very fast to
assert that Linux has fewer vulnerabilities than Microsoft's products.
The Linux kernel itself has few vulnerabilities but versions such as
those from Mandrake, Redhat, Sun and SuSE have far more than Windows even
when the number of vulnerabilities for Windows are added to the
vulnerabilities of Outlook, Internet Explorer and Access.
Linux fans often point to press reports as evidence that Linux has fewer
problems. Certainly a vulnerability in a product such as Outlook or
Explorer might cause far more problems than Linux vulnerabilities but
this is only due to the extent of use of Microsoft's products. It is
responsible for the majority of the application software that runs on its
various versions of Windows and so regardless of where the erroneous
software might be located it only has itself to blame.
In Windows XP SP2, Microsoft is finally making the security enhancements
that should have been in place more than five years ago. These include
having better network security by default and simplifying the automatic
update of their software, something that should very rarely be needed if
the software was properly written in the first place.
Microsoft is also tweaking the protection on dynamically created code.The
recent release of Linux 2.6 has also introduced some security
enhancements, again rather overdue if Linux ever hopes to be a serious
alternative. In particular the new release includes the ability to define
privileges in finer detail rather than the simple grouping of "user" and
"root", but this is something that most proprietary forms of Unix have
had for many years.
Windows and proprietary Unix are both more secure than Linux but the most
secure operating systems continue to be certain proprietary systems from
HP and IBM. Some may refer to these more secure systems as legacy systems
but if legacy means secure and reliable it seems that legacy should be
the preferred option. Software Vulnerabilities today are causing serious
thought among the users and developers alike. A solutions has to be found
for this recurring issue.
It must certainly be the primary task of developers and software
engineers the world over to work for success and bring forth effective
solutions for these nagging problems.
Pkp Iyer, Senior Editor, Excellone Technologies. Excellone Technologies
Are Quality Webdesign And Website Development Company From India