Microsoft Agrees to Changes in Vista Security

An anonymous reader writes "Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"

testing the waters?

[yagu]

From the article (and /. summary):

It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet," Northcutt said. "That's a good thing, because it's just too easy for mistakes to happen when you are only left with a single security provider."

It's only an author's surmise, but as I understand and interpret Microsoft's position, there is no line they will be able to cross ever while they are still a monopoly. Microsoft enjoys (immensely) their monopoly position in PC OSes, and as long as they do (immensely), they will continue to be proscribed from using their monopoly to leverage, influence, and otherwise compete unfairly with any other of their products.

There is no line to test.

I don't get it.

[Shivetya]

Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it.

On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive.

Make up your mind. Or is just permanent open season on MS?

I find it kind of interesting...

[dghcasp]

Companies like Symantec (aka Norton) have profited immensely from an industry created because Windows wasn't secure.

Now they're upset because Microsoft wants that piece of that market; in other words, Microsoft wants to profit from the fact that Windows isn't secure.

Yet in pretty much every other operating system, the solution is simply to make the darned thing secure.

Now, I realize that the issues are a bit larger than this, but I do wonder: IF Microsoft ever released a truly secure operating system, thus making Symantec and other such companies as relevant as the buggy whip, would they then sue to prevent the release of the O/S?

Re:Microsoft cant win

[pdbaby]

when microsoft makes it secure people go nuts that its tooo secure and they complain

The problem is that Microsoft's record with security isn't great; lots of people (myself included) prefer to trust another company to provide anti-virus and firewall security under Windows. Microsoft will have to work very hard - in an equal arena -- to show that their AV and firewall solutions are as good or better as those of their competition

While I dislike the M$ monopoloy...

[Ichigo Kurosaki]

I personally don't want a crippled OS to accommodate third party security vendors. If Microsoft can make there OS so secure that third party software is not needed I say go for it.

Of course if it turns out that Microsoft was just locking other vendors out to make users use their security software, which performed poorly I applaud the EU for helping the consumers. Because really all I care about is how well the end result is.

Re:I don't get it.

[UnknowingFool]

Here's the crux of the complaint: In Windows, to combat viruses and add security like firewalls, these programs need kernel level access (as many APIs unfortunately do). Now with Vista, MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer). To some that is abusing their monopoly. It would one thing if they closed it totally because of security and that nothing but the OS could access it. But they had set it up to where only their MS programs could access it. It would be no different if Vista had made changes that would allow MS Money to work but not Quicken.

3rd parties should protect the OS

[dioscaido]

Why should the OS be secure when I can pay $30 for a 3rd party can do it (and destabilize the system as they do it, since they root the OS in undocumented ways)? This is a bad precedent and a huge loss for consumers.

Re:testing the waters?

[Guppy06]

"Microsoft isn't a monopoly though. There is absolutely nothing stopping anyone from using any number of other x86 operating systems on their PC. Don't like Windows? Fine, install Linux, FreeBSD, NetBSD, OpenBSD, etc. Hell, buy a Mac and use MacOS X."

We've all been over this before...

1. Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.
2. Since everybody is already getting a copy of Windows, what incentinve is there for the end user to try an alternative OS? Better yet, even if they do, they've already paid for Windows and Microsoft still has their money and their "installed base" numbers
3. People write software for the dominant OS rather than invest even more money into R&D for multiple OSes. Meaning that most applications (read "games") out there are designed for Windows

The 95% of end users out there who don't build their own PCs from scratch are left with choosing to continue running the Windows their machine came with, or to take on the Sisyphusean challenge of working to install their own OS and tailoring their software shopping (if not their life in general) around that OS instead of simply using what they already paid for.

"You know why people use Microsoft Windows? Because they like it."

Microsoft will never allow anybody to test that hypothesis in any meaningful way. You can't say that with any certainty until Dell and HP start saying "Would you like Vista or Fedora with your new computer?"

And how does Microsoft do this? By abusing their monopoly power.

Government Interference in the Marketplace

[mosel-saar-ruwer]

Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it. On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive. Make up your mind. Or is just permanent open season on MS?

Exactly.

That is why we got such awful security in Internet Explorer [although for the opposite reason]: Back in the mid-to-late 1990s, the Clinton administration was suing Microsoft over their "monopolistic" marketshare, and because of that [vis-a-vis Netscape and their browser], Microsoft was forced to integrate Internet Explorer into the operating system so that they could say to the Justice Department that they couldn't ship a version of Windows without it.

Fast forward eight or ten years, and now we've got the reverse: Microsoft is forced to open up the operating system to appease EU regulators who want all of their security vendors to be able to get a cut of the action.

In either direction [governments forcing Microsoft browsers into the operating system, governments forcing third party vendors into the operating system], what you get is government-induced mayhem.

But of course that's not the politically correct point of view here at Slashdot, so expect me to get modded down to "-1 Troll".

Re:I don't get it.

[s4ltyd0g]

The anti virus companies have made tons of money off of Microsoft insecurties.

Now that there's a chance all those holes might go away, they will fight tooth and nail to prevent that from happening. I'm no Microsoft fan but these companies whining about Microsoft using their monopoly position to shut them out of the market, are in conflict of interest.

Nothing new here, just buisness as usual.

Re:I find it kind of interesting...

[MalusCaelestis]

You're missing the point that this is exactly what's happening. By implementing PatchGuard, Microsoft was trying to make the OS more secure. But because these "security" companies bitched and moaned that Microsoft shut them out of the kernel (where no software but the OS ought to be), Microsoft must now make the system less secure in order to look like they're not abusing their monopoly powers. No reasonable person can place the blame on Microsoft here. If they don't open up the kernel to Symantec, McAfee, et al. then they'll be opening themselves up to another anti-trust lawsuit, risking billions of dollars in fines and damages in both the US and the EU. Not even Microsoft can afford that.

Re:I don't get it.

[jb.hl.com]

MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer)

Lies. Trend and Avast have apparently been able to run on Vista without any problems. They knuckled down and wrote code so they worked on Vista, and indeed Vista has an API called Windows Filtering Platform, which allows anti-virus makers to monitor file activity. Symantec and McAfee, on the other hand, threw a hissy fit.

Microsoft is, for once, clearly in the right.

Re:I don't get it.

[javaxjb]

But the crux of the matter is that the kernel is not off limits. Signed drivers from third parties are allowed to access the kernel. So how is this any different? Why make an arbitrary distinction between say video drivers and antivirus software? Shouldn't we welcome the choice. After all, if Microsoft can actually make a decent security add-on, won't we be better served by the competition between the third party vendors. Maybe then the other players products will be more efficient and less annoying.

Re:What other changes before launch?

[tomhudson]

And there's no reason to believe that Vista will do anything but sell like hotcakes (after all, there are more reasons to go from XP to Vista than there were to go from 2k to XP), so there won't be any of the user backlash that most Slashdotters pretend they see in the future.

For those who missed the "irony" tags - people didn't switch from 2k to XP - they went from Win9x to XP - the 2k users continually dug in their heels when it came to switching. And certainly nobody I know even has Vista on their radar ...

Really, is there ANYBODY who knows a real live "Joe Sixpack end user" who is even aware that Vista exists? Its pretty bad when both OSX and Linux have a bigger awareness in the general community than linux's new flagship.

People will continue running XP long after its end-of-lifed, mostlyt to play games. And the antivirus vendors will cash in on this, by selling patching services to fix bugs in XP long after Microsoft stops supporting it - because its "good enough" for most users.

Its not like you need the source code to patch. Virus writers "patch" XP all the time.

The Wikipedia treatment

[ArikTheRed]

That's because if you hack a Linux box all you get is control a system that belongs to some 28 year old guy who lives in his aunts basement. [citation needed]
The value in finding security holes in a Windows box is that there are millions that can be turned into zombies to be used to crank out spam or worse. There is no money in hacking Linux. [citation needed]
Most of the holes found in Windows come from Linux hackers who rarely take a look at their own OS. While there are many secure features in a standard Linux distro most sysadmins never address them. [citation needed]
The way most people implement Linux is like parking an armored car outside of the bank but leaving the doors open. [citation needed]

Just because you say it in a expert tone, does not make it credible or correct.

Re:NO NO NO.

[KarmaMB84]

They kowtowed to a government body that has control of an entire continent. If they hadn't made Symantec and McAfee happy, they'd be right back in the EU courts having even more restrictions they can never meet and fines that will never stop shoved down their throats.

blah, EU went too far

[jorghis]

I could understand why the EU was upset about the media player bundling. I can understand them being upset about the splash screen for MSs AV stuff. I dont agree with them forcing MS to get rid of those things, but I understand where they are coming from.

Forcing MS to weaken Vista's security and reliability to accomodate these AV companies sucks though.

This is a -bad- thing. Why are we applauding it on slashdot? Are we so caught up in MS hate that we want the government to force them to weaken their product from a technical standpoint?

Maybe this is an example of how having a reputation for lying will make people think you are being dishonest even when you are telling the truth. I know a lot of people on this website dont totally understand the technical issues involved. But doesnt the EU commission have any experts that can explain to them that they are weakening Vista by forcing this on MS?

Build from Scratch?

[Bilbo]

Build your own system? HA!!! I can do it in about 10 minutes. (Takes me longer to install the OS than it does to put the hardware together.)

However, expecting the average user to know how to do that is like expecting the average person to perform brain surgery. Most people I know have a hard time telling the difference between RAM memory and Disk memory. They think the tower is the "CPU", and that SCSI is what you call gum stuck to the bottom of your chair. It's not that the people aren't smart. It's just that they have no context to work from, and for that matter, no motivation to learn. You could probably learn how to bake bread from scratch, but why bother if you can just go to the store and buy it ready made? Sure, bread made from scratch is better tasting, and probably a LOT better for you, but you don't have time to fiddle around with it. So, you let other people do the baking for you, and you just keep buying scuzzy store-bought bread.

Re:testing the waters?

[Deathlizard]

No, they should have fought the EU to the end on this.

According to the EU, MS apparently has some obligation to keep these security companies leeching off their OS exploits alive, even to the point of opening their system to security exploits in Vista to do so.

Don't get me wrong, I can understand Symantec going nuts about the OneCare advertising, and can somewhat understand the security center, (although I think MS should allow Symantec to write whatever they want there instead of letting Symantec Disable the thing for their own offering, since apparently, I need even more tray icons telling me something I don't know for some reason.) but the kernel access is simply unacceptable.

Basically there are two ways to go here.

1) Lock down the kernel so absolutely nothing outside of a service pack (being some sort of boot disk) can touch it, run everything else outside of kernel space, and have documented Kernel API calls to allow you to search for anything trying to hide outside of kernel space, which will stop many to all Rootkit attacks since nothing can hide and increase kernel stability since nothing can patch it, with the only drawback being some performance loss since low level access is off limits now.

or

2) Do it the EU way and "ensure that consumers continue to have a choice in security software" (which by the way, Isn't a problem [slashdot.org]) by opening the kernel to third party apps, which will no doubt be exploited regardless of how MS protects the kernel patching by malware and allow most rootkits and the like to latch onto the kernel while these so called security programs happily let the malware run in kernel space because it doesn't even know it's on the PC. That way, the Security companies can claim that Microsoft "Still has a Security Problem" and "need us now more than ever"

I don't know about you, but option 1 is the way to go for me, but since it sounds like their going option 2, then apparently all this security that Vista has will be no better than XP in the long run and I can expect seeing more FU and hacker defender rootkits in the vista future.

Re:I find it kind of interesting...

[dghcasp]

There is nothing like a secure OS.

People who forget Multics [wikipedia.org] are doomed to, er, um, forget that it existed.