By Pui-Wing Tam
18 September 2003 This article originally appeared in: Wall Street Journal
AFTER A SERIES of recent computer virus and worm attacks, Mark Dickelman, chief information officer of electronic payments company Anexsys LLC, gathered his technology team and asked them what would happen if a "day zero" attack were to take place.
A day-zero incident is an emerging fear in the tech world. While most tech viruses and worms take advantage of vulnerabilities that a software maker has already uncovered and written a patch for, a day-zero attack occurs when a sophisticated hacker exploits a flaw that the software maker doesn't yet know about.
Mr. Dickelman isn't encouraged by what he is hearing from his team. His company, he believes, could be hobbled by a day-zero attack that targets Microsoft Corp.'s Windows software, which is used on most of Anexsys's personal computers. (Day zero refers to the fact that there are zero days of warning about the flawed software.) It might take days for a patch to be cooked up and installed, he says, hurting employee productivity in the meantime.
The upshot: The computer-systems chief is now considering moving a portion of the Chicago-based company's computers to a non-Windows operating system, since the vast majority of viruses and worms are written to attack Windows-based PCs.
"There's clearly a growing demand for companies to have a genetic diversity of operating systems, so that we're not exposed to the increasing rate of viruses and worms," says Mr. Dickelman. "We have to have some percentage of machines that aren't subject to the same risks."
Others are coming to the same conclusion. In the wake of the havoc caused by the Blaster worm and SoBig virus last month, chief information officers and others in the tech industry are waking up to other potentially more damaging security risks, such as a day-zero attack.
That's good news for Microsoft rivals such as Apple Computer Inc., Sun Microsystems Inc. and Lindows.com Inc. According to Symantec Corp., which makes antivirus software, more than 4,000 viruses and other forms of malicious code have been launched against Windows so far this year. Yet there have been no viruses or worms unleashed against Apple's Macintosh operating system since 2001. And just 11 incidents of malicious code have been recorded this year against the Unix operating system and the increasingly popular Linux, a free operating system that is descended from Unix.
At GMAC Commercial Mortgage Corp., Chief Information Officer Niraj Patel introduced 200 non-Windows desktop computers earlier this year. The PCs use software from VMware Inc. of Palo Alto, Calif., that isolates operating systems from the hardware, and can allow them to run both Linux and Windows. Mr. Patel says it was easy to shut down those machines when the worm hit last month, preventing them from being infected.
"I'm happy with Windows for general use," he says. "But for business-critical situations, it makes sense to have diverse operating systems."
Competitors aren't shy about exploiting Microsoft's virus woes. This week, Sun unveiled a desktop-PC program dubbed Java Desktop Systems. Able to run on PCs that use the Linux or Unix operating systems, the software comes with a Web browser, instant-messaging capability and other applications, and is squarely positioned as a Windows alternative.
"If you think about the billions of dollars lost in the virus attacks, that simply won't happen with this system," says Ingrid Van Den Hoogen, who heads software strategy for Sun, of Santa Clara, Calif. "The world is in need of alternatives because of the cost of viruses to companies."
Indeed, it cost companies an average $81,000 each to recover from a virus attack in 2002, up from $69,000 a year earlier, according to a survey by ICSA Labs, a division of TruSecure Corp. A day-zero attack could be more expensive.
Still, there's no groundswell so far of companies moving to non-Windows operating systems as a protection. Al Gillen, who covers operating systems for research firm International Data Corp., forecasts Windows will retain its more than 90% market share of desktop operating systems through at least 2007. Any movement away from Windows would cut only one or two percentage points from Microsoft's lead, he projects.
And moving to a different operating system may not be a safe harbor for long, says Marty Lindner, a team leader at the Computer Emergency Response Team Coordination Center in Pittsburgh, a nonprofit organization that monitors computer attacks. Any alternate operating system that starts becoming popular is likely to soon become a target for virus-writers, he says.
That sentiment is seconded by Marc West, chief information officer at videogame maker Electronic Arts Inc. Using non-Windows machines has to make sense as a business decision, he says. "You can be 95% secure, but never 100% secure" even with alternate operating systems, he says. "For the other 5%, you just have to be crisp about your security practices."
Still, Mr. West says, the prospect of a day-zero attack is "pretty serious" and that he is "evaluating non-Windows machines as an opportunity." His company already has some computers that run desktop software from Sun. Over time, he says, these non-Windows machines "may get to parity" with Windows-based computers at his company. As for Anexsys' Mr. Dickelman, he still is looking at alternate operating systems, from Apple's Macintosh software to Linux and Unix. "We haven't come to any conclusions yet" about switching, he says. "But clearly, there's an extreme risk in uniformity and standardization."
Greg Sullivan, a Microsoft lead product manager for Windows, says the Redmond, Wash., giant knows "we need to earn our customers' business every day" and says it is changing the way it designs software to make it more secure. Microsoft, of course, is betting the huge investment companies have made in installing and learning its programs will deter them from abandoning Windows on a large scale. Mr. Sullivan says when customers look at what Windows offers in terms of tools and applications, "we compare favorably to other choices out there."