Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Microsoft Agrees to Changes in Vista Security 318

An anonymous reader writes "Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"
This discussion has been archived. No new comments can be posted.

Microsoft Agrees to Changes in Vista Security

Comments Filter:
  • by krell ( 896769 ) on Saturday October 14, 2006 @09:31AM (#16435517) Journal
    "designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security"

    Perhaps all the alert popups that Windows is more and more cluttered with are a problem? As an XP user, I'd be sorely tempted to use a simple option if available that suppressed ALL of these popups. They are just as annoying in an OS as they are in a browser, especially that one about hard disk free space being too small.
  • by also-rr ( 980579 ) on Saturday October 14, 2006 @09:35AM (#16435549) Homepage
    Is this going to be a backdoor into the protected parts of the kernel that also handle media protection?

    It would be nice if one batch of companies out to screw you over had accidentally been defeated by another batch of companies out to screw you over. Sort of collateral rebuilding, if you like.
  • by Anonymous Coward on Saturday October 14, 2006 @10:00AM (#16435689)
    Your use of the word 'secure' has two different meanings here.

    1. "People complain that windows is not secure" People say this because there are a lot of holes in Windows. This is not to say that it is generally unsecure, but that people are still able to find vounerabilities within the OS. As proven before, Microsoft does patch these holes (although it can take a while compared to time needed for the exploit to cause damage). This is always going to happen with any complex piece of software that allows things to be installed on top of it and contains networking features...It's a fact of life that people should expect in a limited sense and deal with. This is where #2 comes in.

    2. "when microsoft makes it secure people go nuts that its tooo secure and they complain" Herein lies the problem. Microsoft is not making the software any more secure by blocking out other security vendors. I do think they need to restrict access to the kernel, but why from software makers such as Norton, AVG, McAfee? These programs compensate for the vounerabilites of the OS and allow protection from secutity flaws that come up between when they are discovered and when they are fixed by Microsoft. Another thing to note: this is generally the same software that protects us from users doing stupid actions such as running scripts and .exe's from random emails and who don't know enough to secure a computer.

  • by ( 450073 ) <[xanadu] [at] []> on Saturday October 14, 2006 @10:16AM (#16435793) Homepage Journal
    Because they like it. It's stable, friendly, and well supported from both the vendor and third-party software point of view.

    ...And well supported by people like me (us IT folks), you forgot to mention. I've yet again had to do a "Standard Windows Cleanup" this past week. My GF'S Dad's XP machine was under the weather (again). He's teh Average, Joe Six-Pack (l)user. Multiple versions of AOL installed (and couldn't uninstall a single one of them), Anti-Virus Defs about a year old, etc.

    OK, most of the problems with it could've been fixed or prevented by properly updating the machine over time, but, Windows will happily eat itself alive if it's not properly taken care of. This is something that the target audience you reference has no idea how to do, or that there is even a need to. It's people like Us (tm) that know these things.

    I personally find it much more work to keep a Win box running smooth and secure then I've ever had with my *NIX boxes.
  • by Temujin_12 ( 832986 ) on Saturday October 14, 2006 @10:23AM (#16435849)
    To my own suprise, when I read this I thought, "So, MS is striping away a part of its core security to accommodate 3rd party businesses? What would we say if our favorite *nix distribution started doing this?" Perhaps it is time to just let MS be. Let them provide their own security, their own browser, their own IM, etc, that are all tightly interwoven. Let them squelch creativity on their OS to the point that they either blow us away with what they can do when they lock the doors or alienate themselves from the entire software industry. Let them do whatever they want to lock/unlock 3rd party vendors out/in. We all complain about security, but then come unglued when MS tries to take a hard line to improve it because they close holes. Granted, the way they are closing holes may not be the best approach.

    I say, let's just let them do whatever they want. A few things could come of this:
    -Nothing really changes, we take off our tin foil hats, and life continues just fine
    -Vista may actually be more secure and developers become adjusted to developing for it
    -Vista becomes so hard to work with (as a software developer) that no software is written for it and everyone keeps using (developing for) XP, or switches OSes (and Vista becomes one of MS's big blunders)
    -Vista becomes hard to work with (as a software developer) and we see more software makers moving over to alternative OSes (OSX, *nix, etc)

    Really, what is so wrong with the LONG TERM results of these scenarios? Let's let MS make or break itself. Let's let them "test the waters" and see what happens.
  • NO NO NO. (Score:5, Interesting)

    by ( 782137 ) <joe&joe-baldwin,net> on Saturday October 14, 2006 @10:33AM (#16435913) Homepage Journal
    Trend Micro's anti-virus and Avast both work on Vista, because their respective developers spent time developing new software to work with it.

    Symantec and McAfee on the other hand, rather than invest money in development for a version of their programs which fits Vista's new security model, decided to bitch and whine loudly about Microsoft's new security in Vista while doing nothing of any value. In a sane and equitable world, Microsoft would have offered to aid them in building their new anti-virus products for Vista, and McAfee and Symantec would have agreed. Instead, probably with the threat of a lawsuit from the two companies, and because of the two launching attack ads, they let them bypass their new security features.

    This should not be happening. This is BAD for security, as once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly. This is STUPID because Microsoft has kowtowed to pressure from two companies far more focused on saving money on developing their shitty, shitty antivirus programs than actually providing any more security.

    Fuck Symantec, fuck McAfee.
  • Forced to use (Score:3, Interesting)

    by Mateo_LeFou ( 859634 ) on Saturday October 14, 2006 @10:37AM (#16435967) Homepage
    I don't use windows, because I want to control my computer.

    I am, however, forced to *buy Windows every time I get a new computer. I could build my own, I guess, but that's quite a bit of work.

    Or would you say that the US Postal service doesn't have a monopoly because after all I can drive my letters to Nevada myself if I don't like their product?
  • by rhendershot ( 46429 ) on Saturday October 14, 2006 @11:16AM (#16436283) Journal
    That trust is severely misplaced. Third-party companies can only play catch-up and do so from the disadvantage of external access to the system.

    The parent article misses a beat in that Microsoft has an API to the kernel for their AV needs, by definition. The only issue is should that be public. The EU is making them publish this API (in some form, I don't trust Microsoft to release all their 'goodies'). But should it remain private to Microsoft then the consequence is that virus writer's will de-engineer it as they have done with so much of Microsoft's closed technology. Obviously, then, it benefits the end-users that the API be published and it benefits the end user that third-parties have a better vehicle towards check&balances of their own AV solutions.

    But don't ever expect them to be able to produce the tightly-integrated, non-intrusive extensions to the kernel that Microsoft *could* produce, were they sufficiently motivated. To that, having the load-library/file-access hooks published for the kernal and the necessary security credentials to do so is a good thing since various pieces can be compared as to how one or the other of third-parties or Microsoft works better/faster/less problematic. That's good for the end user.

    The squeals heard from AV companies are to be expected. Any change affects their income lines. Vista could be remedially-exempt (eg. totally secure) and some form of the same complaints from them, and the EU, would still be heard. That's a case of they're damned if they do and if they don't. My assertion is they created the situation so just have to live with it ;)
  • by OriginalArlen ( 726444 ) on Saturday October 14, 2006 @11:45AM (#16436543)
    Full disclosure: I do security.

    This is a major change in the security model of the OS. As such it means the security model must be reviewed and re-evaluated. If Vista is released on the current schedule, that will mean that Microsoft have not done this essential work, which will mean the whole security model of the OS is invalid and (heh heh!) "untrustworthy". Not to mention the knock-on effects of this change on all those comingled applications (Internet Explorer, etc) - their security models are now b0rked as well, as the OS will no longer be behaving as it was expected when the app was designed...

    So either there are another 6-9 months' delay (at least), or Vista will be released with it's security fundamentally compromised. Your call, Billy-boy!

  • by Cap'n Crax ( 313292 ) on Saturday October 14, 2006 @12:15PM (#16436791) Homepage
    And I will tell you why. I actually like the NT kernel and architecture. I think it is well designed, and works great when built upon properly. I think Windows 2000 is the probably the best consumer OS ever made, even though Microsoft pointed it at business users. It's what I run, and likely will not switch from, except for (maybe) running XP in a VM to run some games.

        But even with 2000, MS had to insert their boneheaded ideas in it. For example, with "Windows File Protection," which is really the sfc.exe ("System FIle Checker") and sfcfiles.dll (The actual list of files to be protected, stuck in a DLL) it gives an Admin NO WAY to add to or change which files are protected. And it includes things like PINBALL.EXE!!! in the list of protected, undeletable system files. And creates stupid things like "C:\Program Files\microsoft frontpage" when I DO NOT even have Frontpage or IIS installed. And unless you disable SFC (which I did) it will re-create the stupid directory on every re-boot. So what COULD HAVE BEEN a useful feature is more like a "let MS Admin your computer for you" feature, because there is no way for the owner of the computer to manage which files are protected under "Windows File Protection." And guess what, on COMPUTERS I OWN, **I** like to control what directories are created and where they are placed. It's MY computer!!!

        Now I have read, from a recent article by Mary Jo Foley, ZDNET, that some of the new security in Vista will come from "Code protection technologies such as tamper resistance, code obfuscation, and anti-reverse engineering measures..." THIS IS NOT SECURITY. This is HIDING YOUR BUGS. Instead of actually fixing the bugs, or not having them to begin with, they are actively trying to just make them harder to find. But they are still IN THERE!! This is just simply boneheaded. This is not the way to develop an OS.

        With this new WGA crap, they are trying to FORCE users to install (and keep installed) components that NO ONE WANTS (except MS, of course). But guess what, any decent computer Admin **MUST** have the ability to accept or deny ANY update to the OS and have the ability to rollback changes if they cause problems. Just Google for wgatray.exe for many fine examples of the horrible problems their crap is causing.

        With Win 2000 at least, MS created a good OS, once you fix the initial problems. But for me at least, there is NO WAY I will "upgrade" to this Vista shit with requiring signed drivers (what about independent hardware hackers/developers?) or XP with "Activation" (what, I can't swap out my motherboard without CALLING and RE-ACTIVATING?) They have just gone too far with this DRM and Anti-Piracy shit. NOT IN MY OPERATING SYSTEM.

        I need to move to Linux. Kubuntu is looking really good now. If I can just get the couple of games I like working under WINE or Cedega, then F*** MS. It's just too much. I've had enough.


    P.S. The Mary Jo Foley article I quoted from is located at: []

  • by Columcille ( 88542 ) * on Saturday October 14, 2006 @12:30PM (#16436883) Homepage
    I used to be quite the anti-Microsoft zealot. Then I realized I was only anti-Microsoft because it was the geek thing to do. Microsoft has its problems, but it really does deliver good products and, IMO, the best OS's out there. In the end that sort of claim is simply a matter of personal opinion, but at the very least it is one of the options on the table.
  • by Columcille ( 88542 ) * on Saturday October 14, 2006 @12:39PM (#16436947) Homepage
    We've all been over this before...

    Let's go over it once more...

    Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.

    Computer manufacturers are motivated to provide a product customers want to buy. The number of people that would buy machines with some flavor of Linux is very small. It would be foolish for computer manufacturers to make computers without Windows. Similar thing to the number of people that would buy computers without an OS. The percentage would be high in geek circles but geek circles don't exactly make up a large portion of the market.

    Since everybody is already getting a copy of Windows, what incentinve is there for the end user to try an alternative OS? Better yet, even if they do, they've already paid for Windows and Microsoft still has their money and their "installed base" numbers

    True enough but you are forgetting that most people are getting what they want. Windows isn't simply being forced on them - they want Windows and don't want to try an alternate OS.

    People write software for the dominant OS rather than invest even more money into R&D for multiple OSes. Meaning that most applications (read "games") out there are designed for Windows

    And what is more, people write software for an OS equipped for their software. Most of the games take advantage of many tools provided within Windows - from optimized ways of interacting with hardware to graphic and sound interface libraries. To just code the game for Linux would take significantly more work.
  • by Eezy Bordone ( 645987 ) on Saturday October 14, 2006 @12:48PM (#16437041) Homepage
    MS is not giving access to the kernel. In fact they're doing what they've been doing with V64 all along, providing API's to monitor the kernel but not hooks into it.

    Here's an informative link [] on KPP or PatchGuard.

  • Re:I don't get it. (Score:2, Interesting)

    by Allador ( 537449 ) on Saturday October 14, 2006 @10:50PM (#16440861)
    Nearly every single thing you've said is incorrect.

    "In Windows, to combat viruses and add security like firewalls, these programs need kernel level access (as many APIs unfortunately do)."

    First, an API is what these programs use to access kernel structures and functions, not the other way around.

    Second, you're right in that they do need kernel level access, THROUGH the Windows APIs. What PatchGuard does is to stop these companies from bypassing the APIs and directly modifying in-memory kernel structures. This is the rough equivalent of using a database, but instead of using the database APIs and interfaces to modify the data in them, you want to get raw disk access to the data stores, and read/write binary data directly to the files.

    In Vista, MS has given 3rd party firewall software unprecedented access to the transport. They can insert filters to the IP stack through a very finely grained API. This is compared to earlier when firewall vendors had to write a full driver to implement this.

    To properly implement a firewall, a company in NO WAY needs to directly modify in-memory kernel structures. This is all that PatchGuard stops, is software doing something they have been specifically instructed not to do, because it destabilizes the kernel.

    MS software does not modify in-memory kernel structures, because its a horrifically stupid way to insert your software into the kernel. Ever notice how Symantec and McAfee are so commonly accused of destabilizing systems? This kind of crap is why.

    "Now with Vista, MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer)."

    Incorrect. The MS anti-virus software does not modify in-memory kernel structures. And its not out of generosity or being a good citizens, its because the alternative is stupid, and destabilizes the system.

    "To some that is abusing their monopoly. It would one thing if they closed it totally because of security and that nothing but the OS could access it."

    Yes, thats exactly what they did.

    Blocking the kernel structures from direct access is a decade old security hole that MS _finally_ closed. This was The Right Thing To Do, and benefits everyone except for the incompetent folks at Symantec and McAfee. Why is it that the other firewall companies, and anti-virus companies, and anti-spam companies dont have any problem with these changes. Only McAfee and Symantec, makers of the most buggy, overbloated, system-destabilizing 'security suites', who have both been the cause of security holes that let people own the OS, have a problem with this.

"If it's not loud, it doesn't work!" -- Blank Reg, from "Max Headroom"