OS makers: Security is job No. 1

New generation of software focuses as much on security as on glitzy features, as consumers get frustrated by viruses and fraud threats.

Matt Hines Staff Writer, CNET News.com
Matt Hines covers business software, with a particular focus on enterprise applications.

Look beyond the bells and whistles, and make sure the security's tough.

That's the attitude of operating system makers, who aren't just focusing on features such as snazzy graphics and better networking tools when revamping products. Now they're also providing sturdier defenses.

The new generation of OSes includes improvements aimed at keeping data more safe. Microsoft, long the target of hackers' efforts and resulting customer ire, has promised anti-spyware and other tools in the upcoming version of Windows, code-named Longhorn. And while they aren't as aggressive about marketing their security efforts, Apple Computer and Linux-seller Novell recently released updates with an eye to stronger defenses.


What's new:
The next generation of operating systems focuses as much on tough security as it does on whistles and bells.

Bottom line:
Development of better defenses is a response to growing frustration among consumers, who are fending off a rising tide of viruses and fraud threats.


That doesn't mean companies aren't still serving up other advances, such as smoother collaboration or more-comprehensive search. But given home PC owners' growing worries about security, OS makers are aiming to prove they are trying harder to prevent software vulnerabilities and protect against outside attacks.

"The OS makers know that their futures depend on the trust that buyers have with their products, and buyers aren't trusting computers today," Forrester Research analyst Ted Schadler said. "We know that people are downloading less music, shopping online less and steering away from online banking because of security fears."

Several high-profile incidents of data theft, such as the ChoicePoint breach, have highlighted the need to protect confidential personal information. Alerts about phishing and other online fraud schemes have further publicized the risks. On top of this, malicious code writers have not let up on sending out traditional PC viruses.

Even though these consumer security threats sometimes take advantage of weak points in technologies other than operating systems, or exploit people's habits, OS makers often bear the brunt of the blame for them, Schadler said.

"(Security) is a problem that consumers are increasingly aware of and angry about, and they want to blame someone," he said. "The OS players are taking notice because they have to."

For Web designer Eugene Abovsky, 23, helping his friends and family members keep their PCs running smoothly and securely in his spare time has become an uphill battle as security concerns multiply. Abovsky works only with Microsoft's Windows, and he said that juggling patches and warding off "malware"--malicious software--have become time-consuming ventures that leave him frustrated with the software giant.

"Microsoft should be ashamed at the level of protection they provide to the average consumer who uses Windows," he said. "Almost all of the Windows computers I deal with in the homes of people I know have been so infested with spyware, malware and adware that they are almost unusable."

For Microsoft, the dominance of Windows and a string of high-profile vulnerabilities have translated into serious headaches around attacks and security. In addition, the company's software has historically come under more attack from hackers than that of its rivals.

To respond to these, Microsoft developed its Trustworthy Computing initiative, launched in 2002, which aims to improve the security and public perceptions of its products. It also issues a monthly bulletin of security patches, and its last significant update to the full version of Windows, Service Pack 2, was centered on security.

Those efforts have produced, in Longhorn, an operating system that will more aggressively defend computers, said Greg Sullivan, lead product manager at Microsoft. Among other defensive moves, it actively fights the installation of malicious programs such as spyware and automatically quarantines devices that could have acquired viruses outside home or business networks, he said.

"Clearly we have a very significant role to play in making sure that our platform is one that customers can use safely and securely, and that's why we're investing so heavily in Longhorn to improve the underlying architecture," he said.

Some of the planned security tools in Longhorn, whose delayed launch is now scheduled for 2006, are likely to put Microsoft in competition with third-party security software vendors such as Symantec. However, Symantec and others have said they remain unthreatened by Microsoft's development of onboard antivirus measures and anti-spyware.

At Apple, security may not be the primary thrust of its introduction of Mac OS 10.4 Tiger, but the company said it is more focused on helping consumers protect their computers than it has ever been before.

The main security concept in designing Tiger, released at the end of April, was to let people see more clearly every program running on their computer, according to Apple executives. That visibility should make it harder for malicious programs to install themselves or hide in documents or Web pages that may appear to be harmless, they said.

Tuning up OS security

The next generation of operating systems promises to bolster security.

Mac OS 10.4 (Tiger)

Application launch verification system: Designed to warn people whenever they fire up a program that has not been installed or run on their computer before.

Kerberos VPN support: Network authentication technology developed at the Massachusetts Institute of Technology.

Firewall log: Records and tracks potential attacks.

Firewall stealth mode: Blocks a computer from identifying itself to potential attackers.

Government Smart Card Interface Standard: Adopted for use with security devices.


Windows Longhorn

Antivirus tools: Built-in defense against malicious programs, including spyware and adware.

Security update automation: Helps manage security updates and patches as they are released.

Firewall upgrades: Monitor for outside attacks and incoming executable code.

Behavior reporting tools: Scan for unusual activity in PC file systems and registries.

Internet Explorer: Multiple upgrades, yet to be detailed.


Novell Suse Linux Professional 9.3

Linux subsystem: Revamped to address security issues.

Firewall upgrades: Added filtering tools.

Simpler default configuration: Emphasizes noninstallation of unused applications.


Red Hat Enterprise Linux v.4

Linux subsystem: Adds enhanced security considerations.

Compiler and library upgrades: Scan for suspicious activity.

Memory corruption checker: Looks for virus activity.


Brian Croll, senior director of software product marketing at Apple, said the company's most productive strategy in securing its OS was to make the core architecture available to the open-source community. "We get an incredible amount of peer review through that process, which really helped to secure the foundation of Tiger," he said.

A debate has been raging over whether open-source or proprietary operating systems are more secure. Because access to proprietary source code is closed, it's less likely to be exploited, say supporters. Open-source backers argue that the support of a programming community means more eyes are examining and working on the code, so that bugs are likely to be spotted and fixed sooner.

Novell's recently released consumer OS, SuSE Linux Professional 9.3, is built on open-source underpinnings. Executives from the company said that even though the design of its products might be more transparent than that of those from Microsoft or Apple, Novell's approach to security is likely similar to that of its proprietary rivals.

"Whether it's Linux, Tiger or Longhorn, you have to treat security as a process rather than a state," said Roman Drahtmueller, Novell's Linux security architect. "It's not going to be only a feature or solution or a product that can make your environment or network secure, it's about the procedures and processes regarding how software security is treated in general. We may think that Linux does a better job of that, but I believe all the vendors are looking at security in this manner."

Security upgrades in the new generation of OSes range from improvements in the underlying architecture to the inclusion of anti-spyware and other tools, the manufacturers said.

For Apple, the most important new security features in Tiger are technologies that help consumers control the programs they add on top of the OS, said Wiley Hodges, a senior product line manager at the Mac maker.

"Obviously, user behavior largely dictates the security of an OS," Hodges said. "We understand that, and it has helped dictate a lot of what we've done... We've focused a great deal on the ease of making a system secure out of the box and helping to maintain that security in the long run."

Novell's focus was on letting people dictate which security features and strategies they use, Drahtmueller said. And rival Red Hat said the new Linux subsystem in Enterprise Linux version 4, introduced in February 2005, greatly strengthens the security of the product's underlying coding.

The bolstering of security in Longhorn began with the building of the OS on Microsoft's Windows Server 2003 SP1 code base, Sullivan said. Much of the improvement available through that code is related to strengthening, or "hardening," of the programming kernel at the core of the software, he said.

Overall, the OS makers agree that consumers will play the greatest role in keeping their computers safe from outside threats, by using good judgment when going online or in sharing information with others. But the vendors concede that OSes will remain a focal point for people figuring out the best way to defend themselves.

Apple's Hodges said that's fine with him, since in the end, the OS software will be the most significant line of technological defense that consumers can rely on.

"Users, at some level, ultimately have some responsibility for what they do," he said. "It is the responsibility of the OS vendors to make it easier for customers to understand and implement the security capabilities of their systems."