Why Microsoft’s decision to seek security advice from Linux is a good first step

In July, Microsoft announced it is now seeking advice from the Linux development community. The company has now officially been admitted to the closed Linux-distro list. The news was met with some dismay at first, but it’s a move that makes a great deal of sense, and not just because Linux has a reputation for being a bit more secure than any of Microsoft’s products. [1] 

Microsoft is no stranger to security vulnerabilities in products both old and new. That’s really no surprise, of course. It’s the most widely-used operating system in the world, holding approximately 78 percent of the global desktop market share, and about 36 percent across all platforms.

That means it’s simply more cost-effective for criminals to target and exploit Microsoft vulnerabilities in lieu of a platform like OS X or Linux.

That isn’t to say Microsoft is entirely blameless here, of course. On more than one occasion, the company has failed to patch a zero-day exploit.  On more than one occasion, security features in Windows 10 - purportedly the company’s most secure OS to date - have been broken by official updates.

If it is to maintain its market dominance, particularly in enterprise, the company needs to do better. And it recognizes that. It’s why the company recently joined the Linux Distribution Security Contacts List.

The list is intended to foster discussion and provide information about security issues that have yet to be made public. This gives its members the opportunity to address the issues before they become common knowledge.  The conversation includes developers from Linux distros such as FreeBSD and NetBSD as well as professionals from Red Hat, Amazon Web Services, and Oracle. 

From a security perspective alone, it makes sense for Microsoft to be a part of these discussions. But that’s not the only reason this is a good first step. For one, the company confirmed that it plans to ship a Linux kernel through Windows 10. Moreover, it is for all intents and purposes a Linux distributor already, as emphasized by the Microsoft Linux kernel developer Sasha Levin, who noted in a now-public email thread that the company’s client-base already uses a number of distro-like builds.

“Microsoft wanted in because, while Windows sure isn’t Linux, the company is, in fact, a Linux distributor,” reads a piece on tech publication ZDNet. “[Levin] pointed out Microsoft has several distro-like builds, which are not derivative of an existing distribution, that are based on open-source components.”

“Per our current policy and precedents, I see no valid reasons not to subscribe Microsoft...to Linux-distros,” wrote Alexander Peslyak, founder of open-source security site Openwall, in the same thread. “Microsoft doesn't look all that different from many other large corporations, including some which already have their Linux distro teams represented on the list.” 

Even if Microsoft did not have such a long history with Linux, joining the mailing list is a good move on the company’s part. It means that the tech titan has finally acknowledged the truth that many of us have known for quite some time. That where cybersecurity is concerned, competition cannot take a front-seat ahead of collaboration.

That is to say unless we all work together, there’s no feasible way we can stop the inevitable march of cyber-crime. In short, Microsoft’s membership in this distribution list is a good first step no matter your perspective. I’m interested in seeing where it goes from here.

Tim Mullahy, Executive Vice President and Managing Director at Liberty Center One.