
How do you objectively assess an operating system's security? I wanted to convince friends that Windows is insecure but I couldn't find unassailable evidence. Got some? There are confounding variables like the age of the operating system and size of the userbase (distorting the event volume), its attractiveness to attackers, and the tendency of organizations of different levels of technical ability to prefer different operating systems...



I'm a pretty die-hard Linux guy, and I think Windows is a bloated nightmare, but it's not insecure IMHO (unless you consider "privacy" to be security, but most people do not (even though I think they should)). There was a time when that wasn't as true, though. If Windows were rewritten from scratch today, I'm certain there would be some different architectural/design decisions made, but that's true for pretty much every piece of software ever written.


None of this matters. For example, you could build an operating system with security signatures that are generated by the intrusion detection system and only executables with valid signatures can be executed. This would get rid of a lot of pointless online security scans since a secure system mostly consists of already vetted executables. Interpreters must let the operating system verify signatures of the source files.

Note how the intrusion detection system here only needs to do offline scans that are unaffected by security updates.
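The vet-then-enforce model described in the comment above, as an added illustration that is not part of the thread or any real OS: an offline scanner approves a file and records a tag over its content hash, and a loader-side check refuses anything whose tag is missing or no longer matches. An HMAC with a shared vetting key stands in for the comment's "signatures" (an assumption made for a self-contained example); interpreter source files are vetted exactly like native binaries, and the sample files, key and tamper edit are constructed here.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed example key, assumed to be held only by the offline scanner and the loader.
# A real deployment would keep it in hardware-backed storage or use asymmetric signatures.
VETTING_KEY = b"example-vetting-key-do-not-use"


def file_digest(path: str) -> bytes:
    """SHA-256 over the file content, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def vet_and_sign(path: str, manifest: dict) -> None:
    """Offline step: the scanner approves a file and stores a tag over its content hash."""
    manifest[path] = hmac.new(VETTING_KEY, file_digest(path), hashlib.sha256).hexdigest()


def allowed_to_execute(path: str, manifest: dict) -> bool:
    """Loader-side check: execute only if the current content still carries a vetted tag."""
    expected = manifest.get(path)
    if expected is None:          # never seen by the scanner: deny by default
        return False
    actual = hmac.new(VETTING_KEY, file_digest(path), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Vets a native binary and an interpreter script, then tampers with the script."""
    manifest: dict = {}
    d = tempfile.mkdtemp()
    binary = os.path.join(d, "tool.bin")
    script = os.path.join(d, "job.py")  # interpreter source goes through the same vetting
    with open(binary, "wb") as f:
        f.write(b"\x7fELF constructed stand-in bytes")
    with open(script, "wb") as f:
        f.write(b"print('hello')\n")
    vet_and_sign(binary, manifest)
    vet_and_sign(script, manifest)
    results = {"binary": allowed_to_execute(binary, manifest),
               "script": allowed_to_execute(script, manifest)}
    with open(script, "ab") as f:        # modify the script after vetting
        f.write(b"# appended after vetting\n")
    results["tampered_script"] = allowed_to_execute(script, manifest)
    unknown = os.path.join(d, "dropped.bin")
    with open(unknown, "wb") as f:       # a file the scanner never approved
        f.write(b"unvetted")
    results["unvetted"] = allowed_to_execute(unknown, manifest)
    return results
```

In a real loader the verification must be done on the same file handle that is then executed, otherwise the content can change between the check and the run.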


Here is the official Windows security certification page [1]. They certify against this standard [2]. The maximum security they certify is provided is:

Page 53: “The evaluator will conduct penetration testing, based on the identified potential vulnerabilities, to determine that the OS is resistant to attacks performed by an attacker possessing Basic attack potential.”

That is the lowest level of security certification outlined in the standard. The elementary school diploma of security.

To see what that means, here is a sample of the certification report [3].

Page 14: “The evaluator has performed a search of public sources to discover known vulnerabilities of the TOE.

Using the obtained results, the evaluator has performed a sampling approach to verify if exists applicable public exploits for any of the identified public vulnerabilities and verify whether the security updates published by the vendor are effective. The evaluator has ensured that for all the public vulnerabilities identified in vulnerability assessment report belonging to the period from June 8, 2021 to July 12, 2022, the vendor has published the corresponding update fixing the vulnerabilities.”

The "hardcore" certification process they subject themselves to is effectively doing a Google search for: “Windows vulnerabilities” and checking all the public ones have fixes. That is all the security they promise you in their headline, mandatory security certification that is the only general security certification listed and advertised on their official security page.

When a company puts their elementary school diploma on their resume for “highest education received”, you should listen.

That is not to say any of the names in general purpose operating systems such as MacOS, Linux, Android, etc. are meaningfully better. They are all inadequate for the task of protecting against moderately skilled commercially minded attackers. None of them have been able to achieve levels of certification that provide confidence against such attackers.

This is actually a good sign, because those systems are objectively and experimentally incapable of reaching that standard of security. That they have been unable to force a false-positive certification that incorrectly states they have reached that standard demonstrates the certification at least has a low false-positive rate.

All of the standard stuff is inadequate in much the same way that all known materials are inadequate for making a space elevator. None of it works, so if you do want to use it, you must assume they are deficient and work around it. That or you could use the actual high quality stuff.

[1] https://learn.microsoft.com/en-us/windows/security/security-...

[2] https://www.commoncriteriaportal.org/files/ppfiles/PP_OS_V4....

[3] https://download.microsoft.com/download/6/9/1/69101f35-1373-...



