August 10th, 2016

Hard Stare

Windows and malware, and the vulnerability of Internet Explorer.

My last job over here in Czechia was a year basically acting as the entire international customer complaints department for a prominent antivirus vendor.

Damned straight, Windows still has severe malware and virus problems! Yes, even Windows 8.x and 10.

The original dynamic content model for Interner Explorer was: download and run native binaries from the Internet. (AKA "ActiveX", basically OLE on web pages.) This is insane if you know anything about safe, secure software design.

It's better now, but the problem is that since IE is integrated into Windows, IE uses Windows core code to render text, images, etc. So any exploit that targets these Windows DLLs can allow a web page to execute code on your machine.

Unix' default model is that only binaries on your own system that have been marked as executable can run. By default it won't even run local stuff that isn't marked as such, let alone anything from a remote host.

(This is a dramatic oversimplification.)

Microsoft has slowly and painfully learned that the way Unix does things is safer than its own ways, and it's changing, but the damage is done. If MS rewrote Windows and fixed all this stuff, a lot of existing Windows programs wouldn't work any more. And the only reason to choose Windows is the huge base of software that there is for Windows.

Such things can be done. Mac OS X didn't run all classic MacOS apps when it was launched in 2001 or so. Then in 10.5 Apple dropped the ability to run old classic apps at all. Then in 10.6 it dropped the ability to run the OS on machines with the old processors. Then in 10.7 it dropped the ability to run apps compiled for the old processor.

It has carefully stage managed a transition, despite resistance. Microsoft _could_ have done this, but it didn't have the nerve.

It's worth mentioning that, to give it credit, the core code of both Windows 3 and Windows 95 contains some _inspired_ hacks to make stuff work, that Windows NT is a technical tour de force, and that the crap that has gradually worked its way in since Windows XP is due to the marketing people's insistence, not due to the programmers and their managers, who do superb work.

Other teams _do_ have the guts for drastic changes: look at Office 2007 (whole new UI, which I personally hate, but others like), and Windows 8 (whole new UI, which I liked but everyone else hated).

However Windows is the big cash cow and they didn't have the the courage when it was needed. Now, it's too late.