Operation Vista: An Exercise in Greed
I know, it's all too popular to slam Microsoft and these days it's especially common to slam Windows Vista, but hear me out because I'm going to do my very best to approach this even-handedly.
If you've been reading tech news in the past few weeks you assuredly know all about how Symantec and McAfee have made public claims that Vista is insecure. You may not have heard that F-Secure is also on board with them.
The playing field is confusingly split, however. Some big security firms like Sophos are defending Microsoft and casually dismiss concerns by other security software vendors. Russian security outfit Kaspersky has categorically stated that Microsoft has done absolutely nothing to make it difficult for third parties to develop security software on the Vista platform.
So what the heck is going on? Well, the uproar is primarily over two things. One is a feature called "Patch Guard" which locks the kernel (the core of the operating system) to prevent it from being modified. From a security standpoint, this could be a very good thing providing no malware is developed that can break through and modify the kernel anyway. If that happens the good guys will have some difficulty removing the virus from the kernel because Patch Guard will still be keeping every other piece of software, including them, out.
In any other situation, no piece of software should ever need to modify the kernel. Due to that, and the fact that Microsoft unrealistically believes their Patch Guard to be virtually impenetrable, not even "good guys" will get the code they need to get past it. Some security firms are fine with this because in their judgement the danger of a kernel breach is low and if (or when) it happens Microsoft can release a patch that corrects the issue.
In fact, Microsoft has regularly scheduled patches for all its currently-supported operating systems. The fact that they need to release new patches every few weeks is frightening in itself. With the Internet Explorer VML bug two weeks ago, though, the regularly scheduled patch day played an even more dangerous role: Microsoft played down security concerns over the exploit and initially insisted there was no need to release a patch for the problem any sooner than the next scheduled patch date, more than two weeks away.
The flaw in the VML allowed a remote website to download and run spyware on the users' local machines, but only if the website being visited was serving the trojan up to visitors. The exploit appeared on sites of ill-repute from day zero, but the black-hat cowboys behind the plot had a trick up their sleeve in the form of a cPanel exploit, allowing them access to sites on web servers running that particular software. Very shortly there were over a thousand innocent sites whose operators had no idea they were infecting every IE visitor that browsed through.
Yet, Microsoft continued to play down the scope and severity of the problem. They did eventually relent to outside pressure and release a patch for the IE bug prior to their regular update, but only after a week had passed. ZERT, an independent group of engineers, released an unofficial patch for the problem much earlier in the crisis, but Microsoft counseled their customers not to use it.
Microsoft's track record on security is not good. Before this VML exploit there were many, many other examples of poor security response by Microsoft including their regularly scheduled habit of releasing new operating systems that are not, by most professional standards, ready to be released.
So there is certainly cause for concern, and McAfee, Symantec and others are not completely daffy. On the other hand, there really is no immediate problem. Patch Guard works. In fact, it's not even new. It has already been incorporated into the 64-bit version of Windows XP and Windows 2003. That begs the question: why is this suddenly an issue now?
To explore that let's take a look at the second of our two reasons these security firms are upset: The Vista Security Panel. This feature has essentially the same purpose as the security center found in the control panel of Windows XP, but with some differences in functionality. The biggest difference, as far as Symantec, McAfee and the entire European Union are concerned, is the fact that third-party security software won't be able to turn it off.
According to Microsoft it can be turned off manually by the user (no information on how easy or difficult this is to do), but cannot be disabled by software. There are legitimate security reasons to support the decision to do this, but at the same time this poses a bit of a problem for any security software vendor who wants to use their own customized and branded security panel. The computer will have two security panels running at all times and the average computer user could become confused and frustrated.
This is a major reason why the playing field is split. Security vendors who specialize in direct-to-consumer products have an additional hurdle to overcome, while companies focusing primarily on corporate and enterprise solutions, or security products that are just plain not-as-flashy, are unaffected.
At its heart, this issue is about Microsoft using its muscle (as opposed to superior product offering) to squeeze itself deeper into the security software industry. What's at stake is, all other concerns being unrealized as of yet, branding.
Personally, I find Symantec and McAfee's consumer products abhorrent. They drain system resources and their pop-up messages are beyond annoying. But the point remains that these companies represent recognizable brands; brands whose sales are in part driven by brand reinforcement such as that found throughout the products in question.
What does it all come down to?
Microsoft makes very flexible operating systems which also happen to be riddled with flaws. C'est la vie. They also use their operating systems to push other software vendors out of the market under the guise of offering users more features. Internet Explorer, Unzip, Software Firewall and now these new features in Vista: It's obvious to anyone paying attention that third-party software products suffer serious blows when Microsoft adds new features to Windows. The question to ask, though, is whether or not this is "wrong", and by wrong I mean bad for the consumer, Anti-Trust lawsuit kind of wrong.
My answer is, "yes". The simple reason for this is that in many cases Microsoft's offerings are often inferior and they represent hurdles (which translate to time and money) for third-party vendors to overcome.
With regard to Symantec, McAfee and the rest of those criticizing Vista for the above reasons, I would have to say their concerns are valid, but not cause for alarm. Additionally, the "big stink" being made is likely fueled more by concern for their share of the security software market than by concern for the average-joe computer user. Having said that, keep in mind that they have as much of a right to defend their brand and market share as Microsoft has to diminish it. More, in fact.
- one











