by Dana Gardner

James Gosling says Windows can’t touch Unix for safety

Jul 1, 1999

At the JavaOne conference in San Francisco, Java creator James Gosling attributes viruses to Microsoft's operating systems and lauds the immunity of Unix, Linux, and Java

June 21, 1999 — Java coauthor and Sun Microsystems evangelist James Gosling said at last week’s JavaOne conference that the recent spate of viruses and worms affecting corporations worldwide is a result of the structure of Windows in general and Windows NT in particular. He said that Unix, Linux, and Java environments are almost entirely immune to them.

Microsoft’s operating systems were not initially designed with networks in mind, Gosling said. That makes it easier for malicious hackers, like the author of June 10’s worm attack, to enter those systems with nefarious intentions.

“If it’s mission critical, you ought to write it in Java … Those are Windows viruses, not computer viruses,” said Scott McNealy, chairman and CEO of Sun.

The original Microsoft OLE technology, used to swap information in and out of Windows 3.x applications on a single desktop, was adapted for use on networks in later operating systems, and that has made it easier for viruses, such as Melissa earlier this spring, to infect Windows desktops and file servers, Gosling said.

A user, however, said Sun should be cautious.

“Gosling and his buddies over at Sun should be careful about their boasts. Spouting terms like ‘immunity’ and ‘iron-clad’ is like dropping raw meat in shark-infested waters,” said an engineer at Palo Alto, CA-based Xerox, who wished to remain anonymous.

Microsoft employees themselves were hit by the June 10 worm, even though the Redmond, WA-based network that supports the company’s 17,000 campus users is up and running on the Beta 3 release of the new, vaunted Windows 2000 operating system, Microsoft officials said.

“You can always do more for security. So far there’s not any great solution to it,” said Jim Allchin, senior vice president of the business enterprise division at Microsoft, and overlord of the Windows 2000 development effort.

Allchin suggested that corporations adopt policies to prevent unwanted user access to systems, but that flies in the face of what Gosling said. Such architectural technologies as Java’s “sandbox” and the network-oriented design of Unix and Linux can largely prevent such invasions, Gosling said.

Gosling’s comments came as another Windows security flaw surfaced. A buffer overflow in Microsoft’s Internet Information Server 4.0 could allow junk or malicious code to overwrite executable code, thereby causing the Web server to either crash or execute unauthorized commands, said Scott Culp, a security product manager for Windows NT at Microsoft.

Buffer overflows, which are caused by programmer error, are very common and “one of the biggest of all network security problems,” said Firas Bushnaq, CEO of eEye, a security consulting firm in Corona del Mar, CA.

Bushnaq’s company reported the problem to Microsoft on June 8 and on June 14 posted the breach on its Web site, along with a way to exploit it.

“It’s a very, very serious problem that people need to fix as soon as possible,” Bushnaq said.