Whatever Microsoft's strengths or failings as a developer of reliable software, the mere existence of an operating-system monopoly is a critical security risk, argues a new report released this week at a Computer & Communications Industry Association (CCIA) gathering in Washington, D.C.
Written by seven IT security researchers, CyberInsecurity - The Cost of Monopoly calls on governments and businesses to consider in their buying decisions the dangers of homogenous systems, and to diversify the software mix deployed in their organisations.
It also urges the US government to counterbalance Microsoft's user lock-in tactics by forcing the company to offer multi-platform support for its dominant applications, including Internet Explorer and Microsoft Office products.
While Microsoft was a focus of the report, the company wasn't solely responsible for the risky situation that now existed, the authors said.
"I think the blame falls mostly on the buyers," co-author, Bruce Schneier, said. "The seller is going to sell what the buyers want."
Schneier is the founder and chief technical officer of Counterpane Internet Security.
"Because everyone is buying it, because it's compatible, because it's easy, everyone is doing it," he said. "The point of the report is to say, 'Hey, there are security implications to your decision.'"
Microsoft's pledge to improve its products' reliability won't fix the underlying problem of the vulnerability inherent in a system that depends on just one architecture, co-author and computer security consultant, Perry Metzger, said.
"It doesn't matter how hard Microsoft works on security," he said. "So long as they continue to be human beings, there will continue to be flaws - and you don't want every machine on Earth to have the same flaw revealed at the same time. It's as though every person in the US had the exact same genes."
None of the report's authors were paid for their contributions, and the CCIA is merely acting as the paper's publisher and did not influence its content, according to the report's instigator, @stake chief technical officer, Dan Geer.
The report's conclusions do, however, dovetail with CCIA's push for tighter regulatory controls on Microsoft and for greater diversity in the US federal government's IT systems.
The group plans to feature the report at this week's conference, and in its conversations with representatives of Congress and federal agencies.
The report's authors said they hoped it would aid corporate IT workers in efforts to convince executives at their companies that Microsoft's software shouldn't be deployed by default.
"There isn't a lot of talk about monoculture and security problems," Metzger said. "Our hope is that we can bring this into the debate."
Beyond recommending diversification, the paper suggests steps the US government could take to mitigate the effects of Microsoft's monopoly position.
Forced publication of application program interfaces (APIs) for Microsoft's Windows and Office software would help, as would requiring the company to work with other industry vendors on development of future specifications through a process similar to the Internet Society's request for comments (RFC) system, the report said.