
Response to Guardian's "License to Drive a Computer"

September 1, 2003

The Guardian wrote an article on Microsoft's operating systems which stated, in a rather blunt and heavy-handed manner, that users should be more responsible with their machines.

This story is not true, of course. We don't let people drive cars unless they learn how, and pass a test. We have regulations to keep defective cars off the roads. But millions of people buy PCs they don't know how to run, mess them up, and then blame everybody but themselves.

While there may be a few nuggets of truth in the article, to pretend that the majority of security problems in Windows are caused by open network ports and stupid user error is, at best, misleading.

You could, for example, install a firewall. You could also stop using IIS, Exchange, Outlook and/or Outlook Express, DirectX, and disable OLE. It's not like we haven't known for many years exactly which parts of Microsoft's operating system are the parts that make us vulnerable.

The fact is, Microsoft ships with a bunch of open ports that have no reason to be shipped that way in a world where everything gets connected to the internet. This isn't users being too dumb to configure their systems correctly; this is Windows assuming that there's no reason to add security to something which can easily be made public. This is a design decision made by Microsoft, and the blame belongs exactly where it lands: on Microsoft's shoulders.

Blame users for not patching. Blame Microsoft for needing to. That's not unfair.

But that's not the majority of concerns; you're a hundred times more likely to get hit by an e-mail virus that abuses Outlook and goes through your address book than by any of the major patch abusers.

I worked for Netscape during the time of the browser wars; I remember the move into Groupware, and the reason we opened all of these cans of worms in Microsoft's (and our own) mail client in the first place.

The 'corporate market' demanded a bunch of functionality that you could only get through scripted mail. In order to get that corporate market to move away from custom groupware and into standards-based e-mail, scripting and HTML support came in early. At the same time, Microsoft started pushing native office integration through OLE view-in-place of more than just a few JPEGs, and ensured that their scripting languages could access a broad range of internal stuff for scripting workflow-like behavior.

It was the corporate market, and its request for things that would make it feel more at ease about switching away from its proprietary groupware platforms, that eventually spelled the downfall for e-mail security and opened up the can of worms. Very early on in version 4, Netscape closed off access to the address book from JavaScript; Microsoft did not. Netscape killed off auto-open and most OLE; Microsoft pushed ActiveX into it.

Everyone pushed for features, features, features, and people were way too busy trying to woo a bunch of big blue corporates into switching to [Netscape Messaging Server, Exchange Server] and away from [Novell, IBM] groupware to sit around scratching their heads wondering what would happen if everyone got saddled with them.

To pretend that this is about a firewall is grossly negligent of the truth: this is about trust. Ten years ago, we trusted what we ran. Today, you can't - but most people are still running an operating system with a mindset developed ten years ago.

The reason Unix is more secure has more to do with that fundamental axis than anything else; these multiuser systems were quite literally designed to prevent people from stealing CPU time and resources from other users of the system, and the secure mindset evolved from that. These systems were the first to prevent applications from writing into each other's memory (or reading it) and to secure processes from each other, and the first to implement heavy multi-user security to prevent file access by unauthorized users and programs.

The advent of Windows 2000 into mainstream Windows usage eliminated a whole class of viruses - the implementation of a 25+ year old design pattern of protected memory prevented an application from stomping all over its neighbors. Every time Microsoft takes a step towards pushing those 25+ year old features into Windows, another class of viruses will vanish; then, at that point, the stream of attacks on end users may slow down to a more sane rate.

Until then, we can expect that Microsoft's continued design choices will result in millions of people panicking to push the Windows Update button.

Users can protect themselves from Microsoft's design choices, yes - but you're under an illusion if you think they're anything other than that: design choices. Your OS didn't get this way by accident.


About This Article

This page contains an article posted on September 1, 2003 8:24 AM.


This weblog is licensed under a Creative Commons License.
