Microsoft Agrees to Changes in Vista Security

An anonymous reader writes "Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"

testing the waters?

[yagu (721525)]

From the article (and /. summary):

It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet," Northcutt said. "That's a good thing, because it's just too easy for mistakes to happen when you are only left with a single security provider."

It's only an author's surmise, but as I understand and interpret Microsoft's position, there is no line they will be able to cross ever while they are still a monopoly. Microsoft enjoys (immensely) their monopoly position in PC OSes, and as long as they do (immensely), they will continue to be proscribed from using their monopoly to leverage, influence, and otherwise compete unfairly with any other of their products.

There is no line to test.

Re:

[Deathlizard (115856)]

No, they should have fought the EU to the end on this.

According to the EU, MS apparently has some obligation to keep these security companies leeching off their OS exploits alive, even to the point of opening their system to security exploits in Vista to do so.

Don't get me wrong, I can understand Symantec going nuts about the OneCare advertising, and can somewhat understand the security center, (although I think MS should allow Symantec to write whatever they want there instead of letting Symantec Disable t

Re:

[Xiph1980 (944189)]

may I assume that you took the blue pill?

Re:testing the waters?

[Guppy06 (410832)]

"Microsoft isn't a monopoly though. There is absolutely nothing stopping anyone from using any number of other x86 operating systems on their PC. Don't like Windows? Fine, install Linux, FreeBSD, NetBSD, OpenBSD, etc. Hell, buy a Mac and use MacOS X."

We've all been over this before...

1. Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.
2. Since everybody is already getting a copy of Windows, what incentinve is there for the end user to try an alternative OS? Better yet, even if they do, they've already paid for Windows and Microsoft still has their money and their "installed base" numbers
3. People write software for the dominant OS rather than invest even more money into R&D for multiple OSes. Meaning that most applications (read "games") out there are designed for Windows

The 95% of end users out there who don't build their own PCs from scratch are left with choosing to continue running the Windows their machine came with, or to take on the Sisyphusean challenge of working to install their own OS and tailoring their software shopping (if not their life in general) around that OS instead of simply using what they already paid for.

"You know why people use Microsoft Windows? Because they like it."

Microsoft will never allow anybody to test that hypothesis in any meaningful way. You can't say that with any certainty until Dell and HP start saying "Would you like Vista or Fedora with your new computer?"

And how does Microsoft do this? By abusing their monopoly power.

Re:

[Columcille (88542)]

We've all been over this before...

Let's go over it once more...

Computer manfuacturers are bent over a barrel to include an OEM Windows install on every machine they sell. The only realistic way for a user to get a computer without Windows is to build one themself.

Computer manufacturers are motivated to provide a product customers want to buy. The number of people that would buy machines with some flavor of Linux is very small. It would be foolish for computer manufacturers to make computers without

Re:

[Stradivarius (7490)]

Your last paragraph identified the real issue, which is applications. Most people could care less what operating system they run. They just want to be able to use the computer in certain specific ways - write documents, play games, surf the web, etc. If people could get all their applications and not have to put up with all the Windows spyware and viruses, I bet they'd jump at alternatives. (Just look at the recent upswing in the popularity of Macs, despite the much smaller choice of software available on

Re:

[Overly Critical Guy (663429)]

Computer manufacturers are motivated to provide a product customers want to buy. The number of people that would buy machines with some flavor of Linux is very small. It would be foolish for computer manufacturers to make computers without Windows.

Um, that's because Microsoft has OEM contracts in place that raise Windows license fees if companies ship competing software, even if it's simply provided as an option. Why do you think Dell barely advertises Linux? Yes, it would be foolish for OEMs to cross Mic

Re:

[Columcille (88542)]

I used to be quite the anti-Microsoft zealot. Then I realized I was only anti-Microsoft because it was the geek thing to do. Microsoft has its problems, but it really does deliver good products and, IMO, the best OS's out there. In the end that sort of claim is simply a matter of personal opinion, but at the very least it is one of the options on the table.

Re:

[xanadu-xtroot.com (450073)]

Because they like it. It's stable, friendly, and well supported from both the vendor and third-party software point of view.

...And well supported by people like me (us IT folks), you forgot to mention. I've yet again had to do a "Standard Windows Cleanup" this past week. My GF'S Dad's XP machine was under the weather (again). He's teh Average, Joe Six-Pack (l)user. Multiple versions of AOL installed (and couldn't uninstall a single one of them), Anti-Virus Defs about a year old, etc.

OK, most of th

Forced to use

[Mateo_LeFou (859634)]

I don't use windows, because I want to control my computer.

I am, however, forced to *buy Windows every time I get a new computer. I could build my own, I guess, but that's quite a bit of work.

Or would you say that the US Postal service doesn't have a monopoly because after all I can drive my letters to Nevada myself if I don't like their product?

Build from Scratch?

[Bilbo (7015)]

Build your own system? HA!!! I can do it in about 10 minutes. (Takes me longer to install the OS than it does to put the hardware together.)

However, expecting the average user to know how to do that is like expecting the average person to perform brain surgery. Most people I know have a hard time telling the difference between RAM memory and Disk memory. They think the tower is the "CPU", and that SCSI is what you call gum stuck to the bottom of your chair. It's not that the people aren't smart. It

Are the alerts perhaps the problem?

[krell (896769)]

"designed to bar access to the Windows kernel. Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security"

Perhaps all the alert popups that Windows is more and more cluttered with are a problem? As an XP user, I'd be sorely tempted to use a simple option if available that suppressed ALL of these popups. They are just as annoying in an OS as they are in

Re:Are the alerts perhaps the problem?

[by Anonymous Coward]

You must restart your computer. Would you like to do it now, or would you like me to display this same dialog 30 seconds from now, while you're doing something else like typing a slashdot comm

Re:

[krell (896769)]

"You must restart your computer. Would you like to do it now, or would you like me to display this same dialog 30 seconds from now, while you're doing something else like typing a slashdot comm"

Did that end with "NO CARRIER"? hahaha. Often accompanied by a badly-designed message window that has two or three options, NONE of which you want (one reason being is that they are poorly described). So you decide to ignore the popup and minimize it. Oh look, it breaks windows-design standards by not having "mini

Re:

[tomhudson (43916)]

(or drag it to a corner of the screen where it sits with other unstoppable inscrutable popup windows until you reboot).

Finally, a reason for the masses to go to a dual-monitor setup. Drag that old obsolete 12" monochrome monitor and hercules card out and just "drag-and-ignore".

Re:

[GTMoogle (968547)]

In college I worked at a software company where one developer arbitrarily decided that the product needed to restart when first installed. So he activated the standard windows restart routine that gives you a dialog that says "Windows will restart in 30 seconds", a graph that's counting down, and a 'restart now' button.

QA didn't have a cow, they had an entire herd.

Re:

[pdbaby (609052)]

I wonder how long it will be before operating systems come with a "you're running low on disk space: want me to order a 250gb drive for you?" ...or buy internet-based storage like on S3. While I doubt it'd have the best prices, I'm sure it'd be a big hit with normal users

Re:You & I Are Smarter Than the Average Bear

[krell (896769)]

"These alerts and popups may be the thing needed to prevent my computer ignorant siblings from obediantly installing viruses on my parent's computer."

You mean the ignorant siblings who always click "OK" every time they see a popup, so when you go home you find a desktop filled with bonzi buddies and casino shortcuts, 3 toolbars on the browser, and full-screen ads that pop-up at any time at random?

"I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from t

Two approaches to security.

[krell (896769)]

"I know they're Microsoft and they're stupid/evil but you have to see at least some sort of benefit from these (all be they poorly implemented) security features."

You know, you can either train the guy cowering in the room in the middle of the house on how to use a blunderbuss to deal with intruders..... Or you can address the fact that there are no actual windows or doors in the empty door/windowframes of the house, and maybe consider the removing the big "FREE FURNITURE - COME ON IN" sign that is on th

I don't get it.

[Shivetya (243324)]

Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it.

On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive.

Make up your mind. Or is just permanent open season on MS?

Re:

[UnknowingFool (672806)]

Here's the crux of the complaint: In Windows, to combat viruses and add security like firewalls, these programs need kernel level access (as many APIs unfortunately do). Now with Vista, MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer). To some that is abusing their monopoly. It would one thing if they closed it totally because of security and that nothing but the OS could access it. But they had set it up to whe

Re:I don't get it.

[jb.hl.com (782137)]

MS had decided to close off that access to all software except their commercial security apps (which they will charge extra to the customer)

Lies. Trend and Avast have apparently been able to run on Vista without any problems. They knuckled down and wrote code so they worked on Vista, and indeed Vista has an API called Windows Filtering Platform, which allows anti-virus makers to monitor file activity. Symantec and McAfee, on the other hand, threw a hissy fit.

Microsoft is, for once, clearly in the right.

Government Interference in the Marketplace

[mosel-saar-ruwer (732341)]

Sorry but I think the kernel should be off limits. Leave that to Microsoft and hold them wholly accountable to preventing issues with it. On one hand people bitch about MS's lack of security yet when they do essentially what is asked it is claimed they only did it to be uncompetitive. Make up your mind. Or is just permanent open season on MS?

Exactly.

That is why we got such awful security in Internet Explorer [although for the opposite reason]: Back in the mid-to-late 1990s, the Clinton administration

Re:

[Dmala (752610)]

Back in the mid-to-late 1990s, the Clinton administration was suing Microsoft over their "monopolistic" marketshare, and because of that [vis-a-vis Netscape and their browser], Microsoft was forced to integrate Internet Explorer into the operating system so that they could say to the Justice Department that they couldn't ship a version of Windows without it.

That wasn't the only course of action they could have taken. They could have just actually made a better browser than Netscape. It's a radical idea

Re:

[s4ltyd0g (452701)]

The anti virus companies have made tons of money off of Microsoft insecurties.

Now that there's a chance all those holes might go away, they will fight tooth and nail to prevent that from happening. I'm no Microsoft fan but these companies whining about Microsoft using their monopoly position to shut them out of the market, are in conflict of interest.

Nothing new here, just buisness as usual.

Re:

[javaxjb (931766)]

But the crux of the matter is that the kernel is not off limits. Signed drivers from third parties are allowed to access the kernel. So how is this any different? Why make an arbitrary distinction between say video drivers and antivirus software? Shouldn't we welcome the choice. After all, if Microsoft can actually make a decent security add-on, won't we be better served by the competition between the third party vendors. Maybe then the other players products will be more efficient and less annoying.

The Wikipedia treatment

[ArikTheRed (865776)]

That's because if you hack a Linux box all you get is control a system that belongs to some 28 year old guy who lives in his aunts basement. [citation needed]
The value in finding security holes in a Windows box is that there are millions that can be turned into zombies to be used to crank out spam or worse. There is no money in hacking Linux. [citation needed]
Most of the holes found in Windows come from Linux hackers who rarely take a look at their own OS. While there are many secure features in a stand

Most important question

[also-rr (980579)]

Is this going to be a backdoor into the protected parts of the kernel that also handle media protection?

It would be nice if one batch of companies out to screw you over had accidentally been defeated by another batch of companies out to screw you over. Sort of collateral rebuilding, if you like.

I find it kind of interesting...

[dghcasp (459766)]

Companies like Symantec (aka Norton) have profited immensely from an industry created because Windows wasn't secure.

Now they're upset because Microsoft wants that piece of that market; in other words, Microsoft wants to profit from the fact that Windows isn't secure.

Yet in pretty much every other operating system, the solution is simply to make the darned thing secure.

Now, I realize that the issues are a bit larger than this, but I do wonder: IF Microsoft ever released a truly secure operating system, thus making Symantec and other such companies as relevant as the buggy whip, would they then sue to prevent the release of the O/S?

Re:

[MalusCaelestis (172079)]

You're missing the point that this is exactly what's happening. By implementing PatchGuard, Microsoft was trying to make the OS more secure. But because these "security" companies bitched and moaned that Microsoft shut them out of the kernel (where no software but the OS ought to be), Microsoft must now make the system less secure in order to look like they're not abusing their monopoly powers. No reasonable person can place the blame on Microsoft here. If they don't open up the kernel to Symantec, McAfee,

Re:

[dghcasp (459766)]

There is nothing like a secure OS.

People who forget Multics [wikipedia.org] are doomed to, er, um, forget that it existed.

While I dislike the M$ monopoloy...

[Ichigo Kurosaki (886802)]

I personally don't want a crippled OS to accommodate third party security vendors. If Microsoft can make there OS so secure that third party software is not needed I say go for it.

Of course if it turns out that Microsoft was just locking other vendors out to make users use their security software, which performed poorly I applaud the EU for helping the consumers. Because really all I care about is how well the end result is.

Re:

[Guppy06 (410832)]

"I personally don't want a crippled OS to accommodate third party security vendors."

But before this you were willing to spend money on a crippled OS to accommodate third party media vendors?

Re:

[Tim C (15259)]

At least it would have been that little bit harder for rogue apps to pwn the box.

Beginning of the downfall

[nurb432 (527695)]

I honestly thing vista is the beginning of the end for Microsoft.

They are pissing off their corporate customers, the governmnent. end users, 3rd party vendors.. Pretty much everyone...

Much as the *AA's are starting to cross the line, and will pay the price if they dont adapt, quickly.

The world has changed, and people are more aware and just wont put up with it..

3rd parties should protect the OS

[dioscaido (541037)]

Why should the OS be secure when I can pay $30 for a 3rd party can do it (and destabilize the system as they do it, since they root the OS in undocumented ways)? This is a bad precedent and a huge loss for consumers.

What other changes before launch?

[Guppy06 (410832)]

"Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel."

Can't say I'm particularly happy about this (breaking security in the name of security? Could even OneCare touch the kernel before this?), but this makes me wonder if they'll actually bend to user pressure to change the licensing terms [slashdot.org]?

Of course, the users don't have a legal team on speed-di

Re:

[tomhudson (43916)]

And there's no reason to believe that Vista will do anything but sell like hotcakes (after all, there are more reasons to go from XP to Vista than there were to go from 2k to XP), so there won't be any of the user backlash that most Slashdotters pretend they see in the future.

For those who missed the "irony" tags - people didn't switch from 2k to XP - they went from Win9x to XP - the 2k users continually dug in their heels when it came to switching. And certainly nobody I know even has Vista on their ra

The anti-virus market shouldn't exist

[ByTor-2112 (313205)]

Microsoft's responsibility should be to provide an operating system that isolates the kernel from the user to the extent that no application run by an unpriviledged user could ever compromise anything other than that user's files. If they succeed, then the AV vendors have no need to get into the kernel. They just create software that looks for malicious software or libraries and eliminate them. If no app can get into the kernel they have nowhere to hide. That's the real solution IMO (not like I'm the first,

Just let them have it already

[Temujin_12 (832986)]

To my own suprise, when I read this I thought, "So, MS is striping away a part of its core security to accommodate 3rd party businesses? What would we say if our favorite *nix distribution started doing this?" Perhaps it is time to just let MS be. Let them provide their own security, their own browser, their own IM, etc, that are all tightly interwoven. Let them squelch creativity on their OS to the point that they either blow us away with what they can do when they lock the doors or alienate themselves from the entire software industry. Let them do whatever they want to lock/unlock 3rd party vendors out/in. We all complain about security, but then come unglued when MS tries to take a hard line to improve it because they close holes. Granted, the way they are closing holes may not be the best approach.

I say, let's just let them do whatever they want. A few things could come of this:
-Nothing really changes, we take off our tin foil hats, and life continues just fine
-Vista may actually be more secure and developers become adjusted to developing for it
-Vista becomes so hard to work with (as a software developer) that no software is written for it and everyone keeps using (developing for) XP, or switches OSes (and Vista becomes one of MS's big blunders)
-Vista becomes hard to work with (as a software developer) and we see more software makers moving over to alternative OSes (OSX, *nix, etc)

Really, what is so wrong with the LONG TERM results of these scenarios? Let's let MS make or break itself. Let's let them "test the waters" and see what happens.

Re:

[KarmaMB84 (743001)]

Microsoft did this because they were going to be sued for billions. They'd rather close it off and force the security companies to use a supported API than let them hook into the kernel and do whatever they want. The EU just made Windows Vista less secure on x64 systems.

NO NO NO.

[jb.hl.com (782137)]

Trend Micro's anti-virus and Avast both work on Vista, because their respective developers spent time developing new software to work with it.

Symantec and McAfee on the other hand, rather than invest money in development for a version of their programs which fits Vista's new security model, decided to bitch and whine loudly about Microsoft's new security in Vista while doing nothing of any value. In a sane and equitable world, Microsoft would have offered to aid them in building their new anti-virus products for Vista, and McAfee and Symantec would have agreed. Instead, probably with the threat of a lawsuit from the two companies, and because of the two launching attack ads, they let them bypass their new security features.

This should not be happening. This is BAD for security, as once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly. This is STUPID because Microsoft has kowtowed to pressure from two companies far more focused on saving money on developing their shitty, shitty antivirus programs than actually providing any more security.

Fuck Symantec, fuck McAfee.

Re:

[KarmaMB84 (743001)]

They kowtowed to a government body that has control of an entire continent. If they hadn't made Symantec and McAfee happy, they'd be right back in the EU courts having even more restrictions they can never meet and fines that will never stop shoved down their throats.

Re:

[texaport (600120)]

once you let one program bypass security barriers it's only a matter of time before others do, not all of them friendly.

"Redmond said it would modify the welcome screen presented
to Vista users to include links to other security software."

Maybe the forced Vista sound at logon will play a friendly tune for Microsoft's solution, and dire music for those who bypassed it.

blah, EU went too far

[jorghis (1000092)]

I could understand why the EU was upset about the media player bundling. I can understand them being upset about the splash screen for MSs AV stuff. I dont agree with them forcing MS to get rid of those things, but I understand where they are coming from.

Forcing MS to weaken Vista's security and reliability to accomodate these AV companies sucks though.

This is a -bad- thing. Why are we applauding it on slashdot? Are we so caught up in MS hate that we want the government to force them to weaken their product from a technical standpoint?

Maybe this is an example of how having a reputation for lying will make people think you are being dishonest even when you are telling the truth. I know a lot of people on this website dont totally understand the technical issues involved. But doesnt the EU commission have any experts that can explain to them that they are weakening Vista by forcing this on MS?

Microsoft has NO CLUE AT all regarding security.

[Cap'n Crax (313292)]

And I will tell you why. I actually like the NT kernel and architecture. I think it is well designed, and works great when built upon properly. I think Windows 2000 is the probably the best consumer OS ever made, even though Microsoft pointed it at business users. It's what I run, and likely will not switch from, except for (maybe) running XP in a VM to run some games.

    But even with 2000, MS had to insert their boneheaded ideas in it. For example, with "Windows File Protection," which is really the sfc.exe ("System FIle Checker") and sfcfiles.dll (The actual list of files to be protected, stuck in a DLL) it gives an Admin NO WAY to add to or change which files are protected. And it includes things like PINBALL.EXE!!! in the list of protected, undeletable system files. And creates stupid things like "C:\Program Files\microsoft frontpage" when I DO NOT even have Frontpage or IIS installed. And unless you disable SFC (which I did) it will re-create the stupid directory on every re-boot. So what COULD HAVE BEEN a useful feature is more like a "let MS Admin your computer for you" feature, because there is no way for the owner of the computer to manage which files are protected under "Windows File Protection." And guess what, on COMPUTERS I OWN, **I** like to control what directories are created and where they are placed. It's MY computer!!!

    Now I have read, from a recent article by Mary Jo Foley, ZDNET, that some of the new security in Vista will come from "Code protection technologies such as tamper resistance, code obfuscation, and anti-reverse engineering measures..." THIS IS NOT SECURITY. This is HIDING YOUR BUGS. Instead of actually fixing the bugs, or not having them to begin with, they are actively trying to just make them harder to find. But they are still IN THERE!! This is just simply boneheaded. This is not the way to develop an OS.

    With this new WGA crap, they are trying to FORCE users to install (and keep installed) components that NO ONE WANTS (except MS, of course). But guess what, any decent computer Admin **MUST** have the ability to accept or deny ANY update to the OS and have the ability to rollback changes if they cause problems. Just Google for wgatray.exe for many fine examples of the horrible problems their crap is causing.

    With Win 2000 at least, MS created a good OS, once you fix the initial problems. But for me at least, there is NO WAY I will "upgrade" to this Vista shit with requiring signed drivers (what about independent hardware hackers/developers?) or XP with "Activation" (what, I can't swap out my motherboard without CALLING and RE-ACTIVATING?) They have just gone too far with this DRM and Anti-Piracy shit. NOT IN MY OPERATING SYSTEM.

    I need to move to Linux. Kubuntu is looking really good now. If I can just get the couple of games I like working under WINE or Cedega, then F*** MS. It's just too much. I've had enough.

Crax

P.S. The Mary Jo Foley article I quoted from is located at:
http://blogs.zdnet.com/microsoft/?cat=18 [zdnet.com]

Re:

[pdbaby (609052)]

when microsoft makes it secure people go nuts that its tooo secure and they complain

The problem is that Microsoft's record with security isn't great; lots of people (myself included) prefer to trust another company to provide anti-virus and firewall security under Windows. Microsoft will have to work very hard - in an equal arena -- to show that their AV and firewall solutions are as good or better as those of their competition

Re:

[rhendershot (46429)]

That trust is severely misplaced. Third-party companies can only play catch-up and do so from the disadvantage of external access to the system.

The parent article misses a beat in that Microsoft has an API to the kernel for their AV needs, by definition. The only issue is should that be public. The EU is making them publish this API (in some form, I don't trust Microsoft to release all their 'goodies'). But should it remain private to Microsoft then the consequence is that virus writer's will de-enginee

Re:

[Darkon (206829)]

do think they need to restrict access to the kernel, but why from software makers such as Norton, AVG, McAfee?

If a means is offered for Norton, AVG, and McAfee to bypass the security then you can bet your bottom dollar that hackers and malware writers will use it as well. Personally I'd rather not have deliberate holes in my kernel just to keep 3rd party security companies happy.

Re:

[tomhudson (43916)]

Just like I test the waters before I dump the bodies...

Is that you Hans? http://geekz.co.uk/lovesraymond/archive/so-i-marri ed-a-kernel-programmer [geekz.co.uk]