Windows Chief Suggests Vista Won't Need Antivirus

LadyDarth writes "During a telephone conference with reporters yesterday, outgoing Microsoft co-president Jim Allchin, while touting the new security features of Windows Vista, which was released to manufacturing yesterday, told a reporter that the system's new lockdown features are so capable and thorough that he was comfortable with his own seven-year-old son using Vista without antivirus software installed."

If users can...

Run a program which sends out mass mails, or communicates with a server or does other actions then malicious people will write malicious code.
Just because a virus cannot harm the operating system does not mean it is harmless.

Re:If users can...

Run a program which sends out mass mails...

You've stumbled across their secret plan. Vista won't run programs. 99.9% of Windows problems have been traced to 'users' running 'programs'.

Also reported:

Average user won't need Vista.

Re:Also reported:

The average user doesnt need windows. Whichever version you care to discuss. But they have it because its the ubiquitous option. Market saturation of Vista will take about 2 years to hit that magic 20% mark, but once that happens, most businesses, homes and institutions will upgrade too... not because they 'need' it, but because its what everyone uses (and XP wont be sold any longer, and they are too scared to try Linux or OSX).

Re:Also reported

Zealotry aside (FWIW, I am a Linux advocate although I use all three platforms mentioned here), the businesses are not "scared" to use Linux and/or OSX, they don't want to due to a simple reason that APIs in Linux and surprisingly enough OSX are moving targets which constantly break stuff left and right. Granted, this is not accross the board, but it is prominent enough to affect the overall product and warrant a significant rise in TCO. Case in point, I purchased an $800 OSX software 1 month ago. Upon installing it, it turned out to be a PowerPC-only application which surprisingly ran quite well under Rossetta in 10.4.7 (especially considering that it was altivec optimized). Then came the 10.4.8 and suddenly my application icon was crossed out saying this application is not supported. So, now I either have to wait for the original software makers to release an update (which they've been promising for some time but nothing has shipped yet and there is a lingering suspicion that in the end I'll have to pay for it), or use my new software as an $800 paperweight... Either way, I am losing in productivity and/or money.

Now if you consider how many times did the Apple platform switch in the recent years and how much overhead has that generated for the Apple third-party software manufacturers, not to mention how many API changes have taken place since 10.0, you'll quickly realize that Apple platform is almost as "enthusiast" as Linux. OTOH, whether you like it or not, XP in 2006 can run software made in 1995 without any problems whatsoever. All this means that businesses can get more mileage from their custom solutions and hence the market share disparity...

Hindsight being 20/20...

Who plans on bookmarking this story so they can laugh heartily at it again in a year?

Re:Hindsight being 20/20...

  Who plans on bookmarking this story so they can laugh heartily at it again in a year?

Don't need to. Just wait for it to be duped...

/Hans

no antivirus?

Sure... and I'm comfortable driving a car with no airbags! Doesn't mean that everyone doesn't want an airbag!

bahahahahahhahahahahahahahhahahahah

no, stop, you're killing me, ahhahahahahahhahahhahahhahahhahhahhha

I've used XP SP2 without AV for years

Never had a problem. Of course, I use Firefox, a NAT, and don't visit porn sites or use P2P, which pretty much cuts my attack vectors to zero. Haven't had any AdWare in, hmm, 4 years or so either. I have AdAware installed on my computer but haven't bothered running it in about 2 years since it never picks up anything.

Now I'm using IE7 as my main browser (quiet!) and don't anticipate any problems with it, either. Heck, its *more* paranoid than FF is some of the time (it will quibble about http refresh redirects to executables, for example).

Re:I've used XP SP2 without AV for years

don't visit porn sites or use P2P

Then what do you use the internet for?

Antivirus is a cure worse than the disease

I hate Antivirus products. They consume huge amounts of computing power, slow my computer down, and cause no end of frustration when installing legitimate network applications. In other words, the cost and overhead they impose is far greater than anything I've ever had to endure from viruses that I don't get anyway, because I'm not a complete idiot. I only log in as adminstrator when necessary. I keep up with patches and security updates. I keep my data, the only unique and irreplacable thing on my computer, backed up. I don't click on every idiotic funny ha ha attachment going around. I don't install software utilities from The People's Glorious Republic of Aziberjanistan.

I suppose if you're dumb enough to think you need an Antivirus program, you probably do.

Re:I've used XP SP2 without AV for years

Never had a problem.

Or your PC has been sending out millions of spam emails but you've been clueless because nothing unexpected shows up in process list and your PC isn't crashing or behaving badly as far as you can tell.

How many of the litterally millions of infected spam zombies out there do you think are on PCs who's owners "Never had a problem" with viruses? I wonder how many of them tell Mac and Linux users they are crazy for suggesting that Windows security is a bit... lax.

i have to concur

i've been trying it out, and vista works for me, naked on the internet, without a single problem. in fact i would go so far as to say that V1AGRA HOOD1A GR0W Y0UR PEN1S L0W M0RTGAGE RATES L0SE WE1GHT MEET BARELY LEGAL TEENS SEE HARDC0RE SHEMALE ACTION

LIghtening fast

That only took... what... 15-odd years. Seeing will be believing.

I remember....

....when they announced that Windows 2000 would never have a Service Pack release. One would never be needed.

(still have no use for XP, btw.)

Jeez..

After summarizing that past statement, Allchin continued, "Please don't misunderstand me: This is an escalating situation. The hackers are getting smarter, there's more at stake, and so there's just no way for us to say that some perfection has been achieved. But I can say, knowing what I know now, I feel very confident."

If you RTFA, and then go back and read the title of this post, it's quite apparent that it's sensationalist and stupid. Of course Allchin thinks that this version of Windows will be the "Most Secure Evar". He works at Microsoft. Taking what he said out of context is just childish. But really, I suppose I shouldn't expect any less.

Re:Jeez..

Allchin says stupid things. For example, here [microsoft.com] he says that Windows XP would not be vulnerable to buffer overflow attacks.

We used new source automation tools that removes any potential buffer overflow attacks.

News articles detailing Windows XP buffer overflow attacks are abundant [google.com].

Reminds me of what they said about Win95.

as I remember it was something like "you can't possibly write a virus for this operating system". Go get em boys.

Titanic

Sounds a bit like some unsinkable ship.

My first thought was...

To laugh. It always surprises me when someone says "we'll never need this" or "computers will never..." I remember a computer magazine editorial saying we would never store music on Hard Drives, it would take up to much space. These people never seem to think more that a few months or maybe a year into the future.

all a ploy to make more $

See, if you don't run av, then when you get infected, you'll have to reload vi$ta (which they only let you do once). Then, you'll have to buy another copy of said OS.

Brilliant marketing $cheme

@LiquidCoooled, about zombies

Windows Vista severly limits access to raw packet sending to non-priviledged apps, meaning that packet forging is much more difficult. Although the zombies that are sending seemingly alright content (at the protocol level) aren't affected, those that are doing the SYN/ACK DDOS floods will be.

vuja de

wow... haven't heard that one before.... No, really. I haven't.

No system is immune to viruses. All it takes is a stupid user to allow it, and we all know there's no shortage of that. That's why antivirus products exist for every major OS out there. Even Linux has antivirus apps (though granted, most of them are geared towards Linux boxen running as servers for Windows-based networks).

Oh wait. Technically, if it requires a stupid user's interaction to get in, it's not a virus. It's a trojan. I guess Vista really could be immune to viruses.... ;)

Hmm, and where have we heard this before

Yea..........and 640K will be plenty of memory..........
And the world will only need 4 computers...................
And no one would ever need a computer at home..............

Sheesh......where do they come up with this stuff?

Duh

Of course a seven-year-old on a locked down computer wont be able to do any harm. Kids that age aren't into the sites (porn, illegal downloads, etc.) that are notorious for viruses and spyware. Not to mention that the kid's using a machine secured by parental controls and is most likely on a limited account. Wake me up when the average teenager can safely use Windows with an administrator account and no extra security software installed.

Wait until he gets older...

You'll need to start worrying when he turns 12 or 13. ;)

re: Hmm, and where have we heard this before

rimcrazy
Yea..........and 640K will be plenty of memory..........
And the world will only need 4 computers...................
And no one would ever need a computer at home..............

Sheesh......where do they come up with this stuff?

A new one:

We will never have more than 16777215 comments.............

Anti-virus software

A case can be made for running all Windows versions without anti-virus, especially if browsing the Internet routinely as a limited user. Unfortunately, the popular anti-virus products (McAfee, Symantec, Trend Micro) almost never prevent targeted attacks by cyber criminals, so one is tempted to avoid the performance hit and potential system destabilisation that comes from using these products and just rely on common sense, good backups, encryption of sensitive data, and acting all the time as if a keylogger might be installed on your system. I still use an anti-virus product personally, but I do not regard it as a reliable means of preventing infection.

Well gosh...

Let's just call the new "lockdown features" what they really are:

NATIVE ANTIVIRUS

Seriously, isn't this what third party antivirus vendors have been whining about?

Okay... so perhaps it isn't that crazy...

From TFA, it sounds like you really might not need an antivirus... if you lock it down with the parental tools so you can't download anything at all except from your own approved sites, that covers up a large malware attack vector that an antivirus is suppose to protect. After all, the role of the antivirus now and in the future will be that of a blacklist of known bad software. Everything else an AV does can be obsoleted.

Any OS can be virus-ridden...

... when a statistically significant percentage of administrators (this includes people who administrate their own home computer) are too ignorant to take precautions against executing unknown code as a superuser.

And XP has no buffer overflows...

Here's the same guy's promise about their last operating system:

Microsoft has said it has stamped out buffer overflows with the upcoming release of Windows XP. Jim Allchin, vice president, claimed the company has done a complete code review of its operating system and removed all buffers which could overflow. [vnunet.com]

I'll let somebody else post a list of all the critical updates caused by buffer overflows...

yeah, big whoop

Coupla key points:

1. He didn't say he let his kid on the Internet without an AV package running.

2. He didn't say "firewall". Speaking of which, ZoneAlarm just grabbed focus and I think I let something connect out to the Internet. I'm running an installer so I'm not gonna freak out, but I certainly hope Vista won't let apps steal focus while you're fracking typing.

3. He also didn't say the kid would be online unsupervised or without parental controls running.

4. It's a safe bet to assume he meant the kid would use IE if he went online, but he didn't actually say it either.

Nothing to see here, move along.

What else is new?

I've had two infections on my Windows over the years--Nimda and a video codec trojan. I'm not counting the second boxes that I used to use for experiments--I never put anything important on them, so I tended to just not care, and blow away Windows when they got nasty--that was back in the bad old dialup days when potential damage to others was minimal, and Windows was a lot less secure. I don't know if AV would have stopped Nimda, because I didn't use AV back then. AV didn't stop the trojan. I used to disable AV routinely because it *is* a virus. It used to slow boxes down way too much, and cause all kinds of problems with installers. I always un-do the stupid defaults in Windows and IE, and I try not to be too careless. Nimda is really the only one I can blame on MS, and it was patched ages ago. I would probably disable AV on my current box, but they seem to have gotten better about not hogging resources and/or crashing the box so I just leave it alone.

I wonder if Vista is finally going to display extensions by default. That was always irritating. It would be *nice* if you had to enable active content on a per-site basis by default. It would be better if they just didn't have so much active content out there. Would I "just trust" a Vista box? No way. But would I run it without AV if there was none pre-installed? Yes, in a heartbeat--but I would still be very careful about how I conducted myself on the web, and I would still want to go through all the settings to make sure there was nothing stupid in there. And I would *still* be checking up on processes and registry keys from time-to-time.

But anyway, XP without AV is not a big deal--if you know what you're doing. Unfortunately, that's a big if. Nevermind 7 year olds. It's the 57 year olds that you have to worry about.

What he meant:

What he actually meant to say was that it won't need any antivirus...for the first 10 minutes. That's almost a two-fold increase from XP!

It's not the viruses you need to worry about...

Viruses, these days, are not what you need to worry about.

The main attack vectors these days seem to center on "drive by downloads" or pop ups that trick you into downloading executables ("WARNING! Your PC is infested with SPYWARE - CLICK HERE to remove"). Most Antivirus software is unbelievably pathetic when it comes to identifying/dealing with spyware. I've seen dozens of clients who have so much spyware, it can take 30 minutes or more to boot up and then spend more time closing all the popped-up windows. FF and it appears IE7 as well will hopefully go a long way to closing this attack. Now we just need to wait for everyone with win95,98,ME, NT, etc. to upgrade.

And my dog...

... doesn't need to be walked if you don't mind it using your house as a toilet.

And he likely is right...

...in certain circumstances. Hell, I haven't had a positive virus under XP for years. I'm running avast right now, but I'm contemplating just removing it completely. The only reason I haven't is because I occasionally get emails from relatives such as "click on this funny card!" containing links to god knows where.

IIRC the only times I ever did get viruses were downloading porn or cracks. Sandbox what you can download (which at least they said they did in vista, who knows if it will be effective) and that eliminates most vectors, other than relative spam mail.

ObSimpsons

<VOICE type="Nelson">
Ha ha!
</VOICE>

This is exactly why....

Microsoft needs to have drug testing.

Re:I've used XP SP2 without AV for years

I have that experience as well... Any mildly technical user of windows can avoid viruses. I haven't run virus checking ever since SP2 came out. The truth is that most viruses are executed because of user stupidity.

firefox + nat=no anti virus not needed

You're crazy for using ie7 though.. you can still run activex, its not safe.

monological discussions

did I mention how /.'s new discussion system now reminds me of my wife, like, we're having a discussion and there is no way for me to successfully launch a reply.

oh wait, this is /. after all. A wife is, ehmm, ... well, - just forget it.

If his son is not an Admin on the box, why not?

Without Administrator access, a virus can at best mess around with his son's account. Easy enough to fix by killing and recreating the account. This is actually true of XP as well (and OSX/Linux, obviously), but Vista is the first MS OS to handle Standard User in a straightforward way.

And with UAC, since Administrators don't even run with full token by default, 3rd party applications will quickly move away from assuming Admin access (a huge problem with running XP as limited -- apps blow up).

yay for him....

My kids have been using Linux "with no antivirus" since before they could type (they started with things like tuxpaint and gcompris)

Windows is finally catching up?!!

Re:I've used XP SP2 without AV for years

Just because you haven't had a problem doesn't mean you're not one for someone else. If you havent run scans, how do you know you're not infected?

Context

I don't believe he was saying "Vista can't get viruses", but rather UAC (user account control) stops code from executing, thus making him feel safe that even his son could surf the web (with UAC on) without obtaining a virus blindly. I think the biggest weakness with past Windows have been uninformed users thinking that clicking "yes" in dialog boxes to execute an unknown program or script is a witty thing to do. I believe UAC tries to solve this, and most "average" users will be too lazy to turn it off (or won't know how), while advanced users can simply surf responsibly with it off.

No, seriously,

... and when his son becomes thirteen he will actually connect the computer to the network. ;)

Uh oh...

This reminds me of a Douglas Adams quote:

"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair."

disturbing...

BTW, Vista Is Still The Anti-OS.

That said, a disturbing quote to me from the article was, "His [Allchin's son] machine is locked down with parental controls, he can't download things unless it's to the places that I've said that he could do, and I'm feeling totally confident about that," he [Allchin] added. "That is quite a statement. I couldn't say that in Windows XP SP2.""

It's not disturbing they/he claim the security in Vista, it's disturbing I've been around long enough it's an old tape. Every single new Windows, every single new version, every single new service pack brings the old saw "this time ${WindowsVersin} is really secure and stable". I guess I'm tired of saying "told you so", when it's not. (Oooops, I did it again.)

Prediction (not too hard...): Vista will be riddled with stability and security issues.

Re: I've used XP SP2 without AV for years

I haven't had a virus/adware for >3 years and I do use P2P. I think using XP SP2 (if you have to use windoze)/Firefox/Thunderbird and not clicking on every attachment/download I get without checking:

1. file extension,
2. trusted source

is the key.

P.S I just noticed that 'Firefox' and 'Thunderbird' aren't in the FF2 English dictionary!

Never mind, the solution is quite intuitive really, just highlight the 'misspelled' word, right click and select 'add to dictionary'. Sweet...

With Microsoft's lousy security record ...

... you'd think they might have learned to underpromise and overdeliver, for once. Unfortunately, the MS propaganda machine is going at it as usual.

Let's see, 50 million lines of code, a new IP stack, horrid complexity -- I'm taking bets on when the first service pack is needed, and when the first worm hits.

A side bet -- how many vulnerabilities did the black hats find in Vista, and then didn't report them to MS.

After the hype dies down, it might be time to short Microsoft again.