Windows: Still insecure after all these years

OPINION: With every Windows release, Microsoft promises better security. And, sometimes, it makes improvements. But then, well then, we see truly ancient security holes show up yet again.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

For longer than some of you have been alive, I've been preaching the gospel of using more secure desktop operating systems. You see, Windows has been insecure since 1985's Windows 1.0, really an MS-DOS extension, rolled out the door. Then, as now, there were more secure options. Then it was Unix desktop operating systems. Today it's Linux desktops.

Why hasn't Microsoft ever gotten its security act together? The fundamental problem is that Windows was never, ever meant to work on a network. It worked as a standalone PC operating system. And, even today, 37 years later, the same pre-internet problems keep showing up. Unix and Linux started with the premise that there's more than one user on the system, and you need to secure accounts and programs from other users, local or remote. This has served these operating systems well.  

In addition, the developers from Redmond may say they rewrite Windows code from the bottom up to make it more secure. But, they don't. 

Take, for example, Microsoft recently patched zero-day remote code execution Windows Scripting Languages Remote Code Execution Vulnerability, CVE-2022-41128, With a  Common Vulnerability Scoring System (CVSS) rating of 8.8, it's a baddie. This is a Windows JavaScript scripting language security hole. Specifically, it's a hole in Internet Explorer (IE) 11's JScript9 JavaScript engine. 

Also: Hackers are still finding -- and using -- flaws in Internet Explorer

It's a nasty one. It affects every version of currently supported Windows. That includes everything from Windows 8.1 to all the various Windows Servers and Windows 11. Since it showed up, North Korean hackers exploited it to infect South Korean users with malware.

It works by presenting the victims with a malicious document. When an innocent opens the document, it then downloads a rich text file (RTF) remote template. The HTML inside would then be rendered by the IE engine. Then -- ta-da! -- you've got a case of some malware or the other. 

The Google Threat Analysis Group (TAG) that found it said, "This technique has been widely used to distribute IE exploits via Office files since 2017. Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser."

Oh, guys, it is so, so much older than that. I described this kind of problem in the long-defunct magazine PC Sources in 1992 when I found it in Windows for WorkGroup 3.1. Then, as now, Windows and its native programs treated document data as programming instructions. 

That's why according to Atlas VPN, "Microsoft Office remains the most widely exploited software for malware delivery." How bad is it? Try 78.5% of all attacks. Office on your PC, Office 365, it doesn't matter. They're all open to attacks. 

Now, then, what's the elephant in the room I haven't mentioned yet? It's that IE retired back in June 2022. It's been replaced by Microsoft Edge. 

Also: The best Linux laptops 

So, why the heck are all versions of Windows vulnerable to an IE attack in late 2022? Isn't it history? I mean, IE was never in Windows 11, anyway. You'd like to think that, but no matter what version of Windows you're using, the IE engine is still in Windows and still ready to run JavaScript attacks.

Windows's fundamental security flaws have never been fixed. They never will be. Backward compatibility is far more important to Microsoft than security. So, the company continues to play patch a hole. 

If, like me, you favor security over backward compatibility, you'll run Linux. Despite what you've heard, Linux is not that hard to use. But, if you'd rather not go to the effort, just buy a Chromebook. Anyone can use a Chromebook, and, since it's based on Linux, it's a lot more secure. 

Related Stories:

Editorial standards