Apple and Linux stand to gain as Microsoft faces mighty challenges this week, with critics warning that its dominance of the operating-system market has created a software 'monoculture' that threatens global data security.

Microsoft released a software update last week – almost eight months after critical flaws in its OS were identified; it then saw secret source code for Windows NT and 2000 posted on the Internet in a leak the FBI has been called in to investigate.

Microsoft gave the flaw fixed by that patch a "critical" severity rating, yet it was first notified of the problem last July. A Microsoft official said the patch took so long to produce because of the need to "look at the broadest possible implications" of the flaw.

UK-based security analyst mi2g points to the company's record of security flaws: "In what has become a weekly occurrence and a departure from well-scheduled monthly announcements, Microsoft has issued yet another critical update to repair a flaw that could give hackers complete control over multiple versions of Windows-based computers."

Apple, by contrast, currently issues monthly security updates that rectify recently identified problems. Meanwhile, the release of until-now secret Windows source code may also enable hackers to build new attacks against Microsoft-powered PCs.

mi2g observes: "These issues are lowering the trust of the public in computing vendors, Internet-based financial transactions and safekeeping of digital assets."

The analysts observe that even though Microsoft has issued a patch and recommended that its customers install it, homes and small to medium-sized businesses may take "days, weeks or months" to do so, leaving a window in which new malware exploiting the vulnerability patched last week could spread.

High costs

The analysts observe that in the City of London, the cost of applying critical updates is assessed at $150 per machine. Globally, mi2g warns: "The cost of maintaining Microsoft platforms may turn out to be higher than originally budgeted by most organizations to the tune of 10-20 per cent annually."

"The time window of eight months seen in the recent case between when the flaw was discovered and when the patch came out was clearly too long. The implications of such an attack become increasingly difficult to envision, especially if there is a leak from within the organization that discovered the vulnerability or if another entity independently identifies the same flaw in the meantime," the analysts add in a note that was released Friday – before news of Microsoft's system software leak broke.

A report in the Rapid City Journal adds to the criticism Microsoft must answer if it is to maintain its OS hegemony.

It relates the story of security analyst Dan Geer, who co-authored a report released last year that put the debate over software monoculture into the public eye. Geer lost his job following the release of the report; he had worked for @Stake, a firm Microsoft used extensively. Though his former employer denies it, many believe Geer was fired for his part in the criticism of Microsoft contained in the report.

Other OSes considered

Government agencies are also reconsidering their dependence on Microsoft systems. US Homeland Security Department chief information officer Steven Cooper was questioned about the US federal government's vulnerability to monoculture. He said this was a concern and "said the department would likely expand its use of Linux and Unix as a precaution," the report states.

Apple is understood to be courting the US federal market, to the extent of appearing at trade shows for the sector and having recently had its products certified for use by federal agencies. A recent report reveals that many at the FBI use Macs.

In related news, Mike Reiter of Carnegie Mellon University and Stephanie Forrest of the University of New Mexico recently received a $750,000 National Science Foundation grant to study methods of automatically diversifying software code, so that every installation of a program does not share the same exploitable weakness.

On the release of portions of the Microsoft Windows 2000 and Windows NT 4.0 source code to the Internet, Microsoft said: "At this time there is no known impact on customers. We continue to be committed to protecting our customers and their networks, and we will take any appropriate steps to ensure that we meet this commitment."

Such commitments may not be enough. This morning's Financial Times says: "Microsoft's past behaviour, and the steady disclosures of flaws in its software, mean that it is short of allies in what is becoming a difficult, and delicate, battle."

It's possible Microsoft may be driven to emulate Apple once again. Apple works with open-source developers on many of its projects: Mac OS X is built on an open-source BSD-derived Unix core (Darwin), and Safari's rendering engine is likewise based on open-source code (KHTML).

Apple's head of QuickTime product marketing, Frank Casanova, has gone on record in the past to point out that the open-source community offers far more development resources, in sheer numbers, than any one IT company can afford to hire.

A report on Linuxworld suggests that Microsoft should once again follow Apple's lead: "Microsoft needs to consider a partial open-source model for code development if it hopes to survive the coming open-source onslaught," it says.

IBM, which supplies Apple's processors, is working on bringing Microsoft Office to Linux; Microsoft is not involved in the effort.