Windows NT: a hacker's best friend

Microsoft's Web server application wins the title of most vulnerable to hackers, according to a survey posted on a Web site that celebrates the exploits of hackers.

What do NASA, the Communications Workers of America and Palminfocenter.com have in common?

Their Web sites were all defaced at different times last year by a hacker using a security weakness in Windows NT, the precursor to Microsoft's Windows 2000 server software.

Those episodes, along with the embarrassing hack of the software giant's own corporate networks, probably helped Microsoft's Web server software win the title of most vulnerable to hackers.

This was according to a survey posted this week at Attrition.org, a site that celebrates the exploits of hackers and points out the security holes of established companies.

Of the defacements in December, 57.98 percent came on servers running Windows NT, while those using Windows 2000 were tallied at 9.96 percent. Servers running versions of Linux accounted for just over 21.3 percent during December. Sun Microsystems' Solaris saw about 4.1 percent of the defacements.

Overall figures for defacements from August 1999 to the present peg Windows NT at 56.69 percent. Windows 2000 came in at 2.41 percent, but the software, an upgrade to Windows NT, launched on Feb. 17, 2000, about six months after the beginning of the period covered by the statistics. Combined Linux defacements over this period were steady around 21 percent.

Why is Microsoft a target?

"I think Microsoft software is actually a target because Microsoft is so powerful and popular that anyone who succeeds in breaking into that software usually gets a lot of interest in the press," said Dan Kusnetzky, a software analyst at IDC. "Many of these people are hacking because they want to be known."

The company's software is also the most commonly used, leading to inflated numbers of hacker attacks compared with other platforms.

IDC pegs Windows NT as holding about a 38 percent share of the shipments of server software in 1999. Linux captured a 24 percent share of shipments, Netware held 19 percent, and Unix had a combined market share of 15 percent. IDC research figures for 2000 have yet to be released.

Another reason Microsoft's software may be a favored target is the company's alleged propensity toward focusing on ease-of-use and on the time it takes to develop an application and get it shipped.

"There is a trade-off if you make it very easy to develop applications to deploy them; sometimes you may take some shortcuts in security," Kusnetzky said.

Still, security experts agreed that the methodology used by Attrition.org needs to be studied more closely before drawing any conclusions.

"What this shows us is that all systems continue to have security problems," said Matt Bishop, an associate professor of computer science at the University of California at Davis. "That's why we are all banging our heads against a wall."