Microsoft technical fellow Mark Russinovich recently raised a few eyebrows at ChefCon when he talked about the possibility of Windows opening up and becoming an open source OS. This is indicative of the software giant’s gradual change of attitude to the open source movement. However, the prospect of the firm becoming more like Linux is too much to expect in the near future.
Even then, experts are of the view that if Windows becomes open source, it would mean better security for the computing world. Morey Haber, technology VP at BeyondTrust, said that such a move would help enhance security significantly, as hundreds of experts would be able to look at the OS and identify vulnerabilities.
He also warned that there would be a spike in security vulnerabilities but patches would be quickly developed by volunteers.
Finding the golden mean
The extent to which Windows is open-sourced would determine how beneficial the move could be in terms of the software’s security, said Mike Taylor, the lead developer at Rook Security. He is of the view that the entire Windows code should be opened up because it will bring only real benefits in terms of securing the OS.
He said there is a need for more eyes on vulnerabilities and there would be hundreds of researchers willing to contribute code or patches that will fix any threats. Of course, Windows would become more vulnerable, but at the same time security risks could be addressed much more quickly.
More fixers than breakers
Google is giving software vendors 90 days to fix any flaw after it is reported to them. It also recently notified Microsoft about a vulnerability in Windows 8.1, and thus began the countdown. Microsoft did come up with a fix within the 90-day period, but it decided to release it only on the next Patch Tuesday, which clearly fell after Google’s 90-day deadline. So, Google refused to delay the action and released information on the flaw two days before the fix was released.
It is crucial for any open source system to be fully open so that the community can have an unobstructed view. Matt Johansen, a senior manager at the Threat Research Center of WhiteHat Security, said that “a full view of the source code will give a higher chance of finding vulnerabilities” which is “a good thing.” He added that if there is no clear view into a program’s code, experts and researchers are forced to use the “fuzz testing” method, which involves injecting junk inputs into the software or system to find out what happens next.
It’s no security blanket
There are also experts who feel that an open source Windows version could create more security problems. For instance, various distributions of Windows could emerge. BeyondTrust’s Haber is of the view that Windows could end up with problems similar to those faced by Linux and Android, where there is plenty of fragmentation, with variants carrying their own unique vulnerabilities.
It may also be true that “many eyes” can identify vulnerabilities before hackers strike, but the recent cases of OpenSSL and various other open source software show us that this does not always work, said RedSeal’s Steve Hultquist. He also expressed fears that Windows may not be under active development by members of the open source community. This could result in targeted attacks.