For the last several years, Microsoft’s market-dominating Windows operating system has been continually (and successfully) browbeaten by one persistent problem: security. From flaws in email clients and Web browsers (which have cost untold billions of dollars in lost data, business productivity, and support costs) to weaknesses which seem to routinely put Windows users’ computers and personal information at the mercy of attackers around the world, Microsoft has faced unrelenting criticism for security flaws in its products, and has invested untold millions of dollars in efforts to improve its security response and protect its customers. With Windows Vista, Microsoft claims to be taking that effort one step further, integrating security enhancements and new technology designed to make Windows less vulnerable to attacks and to protect user and corporate information.
But for all this, Microsoft is now facing harsh criticism from leading security and antivirus software developers Symantec and McAfee, who claim that Microsoft is locking out third-party security vendors to gain an unfair advantage in the marketplace; furthermore, the companies argue that in doing so Microsoft is creating a less diverse security landscape for Windows, and thereby making Windows users more vulnerable to attack.
The latest brouhaha began last week, with Symantec communications director Chris Paden saying the release of Windows Vista will “reduce consumer choice” in the area of computer security. And now antivirus maker McAfee has taken out a full-page advertisement in the print version of the Financial Times to voice its concerns over Vista’s security model. McAfee’s chairman and CEO George Samenuk wrote in the ad: “With its upcoming Vista operating system, Microsoft is embracing the flawed logic that computers will be more secure if it stops co-operating with the independent security firms.”
The controversy is twofold. First, Windows Vista includes a “patchguard” which actively prevents third parties (like security software vendors) from modifying or replacing portions of Windows kernel code. Second, Windows Vista includes a new Security Center feature which is supposed to be a one-stop access point for security technology.
Security vendors claim that Vista’s patchguard functionality prevents them from developing security software for Vista, giving Microsoft an unfair competitive advantage in the security marketplace and creating a monoculture in the Windows security world whereby all Vista users will be vulnerable to emerging security flaws and will have no alternative security technologies available to them. Although preventing applications from installing modifications to the Windows kernel might at first glance seem like a prudent security measure on Microsoft’s part, Samenuk argues it will be ineffective. In his company’s Financial Times ad, he notes “Microsoft is being completely unrealistic if, by locking security companies out of the kernel, it thinks hackers won’t crack Vista’s kernel. In fact, they already have.”
Other complaints focus on Security Center. Windows Vista will not ship with antivirus software; instead, Microsoft will promote Windows Live OneCare, its own add-on antivirus and security subscription service. Furthermore, Security Center will not enable management of third-party security software.
Where is all this headed? Most likely, to the European Commission: the EU issued heavy fines to Microsoft in 2004 for anticompetitive behavior, is currently in the process of instigating daily fines against Microsoft for failure to document key server technologies, and has already warned Microsoft that it’s examining Vista’s features to see how they fit with the EU regulatory landscape. As a result, Microsoft has already hinted the release of Windows Vista could be delayed in Europe.