EC Watching Microsoft Security Moves
Rob writes "The European Commission is looking into Microsoft Corp's recent moves into the desktop security market, according to Symantec Corp, one of the companies that stand to lose the most if Microsoft leverages its monopoly to compete. "We've not filed any official complaint," a Symantec spokesperson said. "We've responded to a request for information from the European Commission... we were not proactive, they came to us." Microsoft announced last week that it will offer an enterprise desktop security package comprising antivirus, antispyware, firewall and centralized administration. That's in addition to its OneCare consumer offering, currently in beta."
This is just laughable (Score:4, Insightful)
Re:This is just laughable (Score:5, Insightful)
Microsoft's new anti-virus/anti-spyware should be called "Windows XP SP3" and it should be free. We didn't pay for software that almost works.
Re:This is just laughable (Score:5, Funny)
Re:This is just laughable (Score:5, Insightful)
Re:This is just laughable (Score:4, Insightful)
Since when has Microsoft elected to do things the easy and efficient way when they can do things the really complicated and inefficient way? From my point of view it is really kind of funny that they might now get into trouble with the EU because they are trying to muscle into (and probably kill off) an industry that largely owes its existence to Microsoft's incompetence and its long-standing reluctance to fix the gaping security holes and design flaws in its own operating system.
Re:This is just laughable (Score:5, Insightful)
Re:This is just laughable (Score:5, Insightful)
See what happens when you write shitty, insecure code and do nothing to try to fix it until several years after it is a major problem? Sorry if I'm not gushing with sympathy for this horrible situation they put themselves in.
Re:This is just laughable (Score:3, Interesting)
I hope that "Hmmmm" is you thinking about the difference between any security holes and many security holes. "The inevitable existence of bugs means all software is equally vulnerable" is such a ludicrous argument it only makes sense if you don't think about it at all. That said:
1) I guarantee I produce fewer security holes than the guy who thought automatically running VB scripts in the preview pane of Outlook was a go
Re:This is just laughable (Score:5, Insightful)
Re:This is just laughable (Score:2)
Uh...no, they wouldn't. In fact, Microsoft finally fixing Windows and making it a truly secure system would be something Slashdot would post a front page article about and (most) people would praise. Yes, there would be complaints that it took them this long, which would be warranted
let me know of some OS that is immune (Score:2)
Re:let me know of some OS that is immune (Score:4, Insightful)
Re:let me know of some OS that is immune (Score:2)
Re:let me know of some OS that is immune (Score:2)
Re:let me know of some OS that is immune (Score:2)
Re:let me know of some OS that is immune (Score:2)
Hence, all spyware/worms of this nature are end-user issues.
Please note that X11 is not immune to similar attacks. If you have certain filesystem permissions, you can most certainly hijack other windows on your system, and Linux and many Unixes have been plagued with privilege escalation bugs over the years.
Re:This is just laughable (Score:4, Interesting)
On the other hand, not having a secure OS means that now you have to deal with Joe Stupid installing everything Bob Ignoramus sends to him, because Bob Ignoramus would never send Joe Stupid a virus. No sirree. Now, in Joe Stupid's mind, all he sees is PAM_ANDERSON_NUDE_ON_THE_BEACH.JPG.EXE, and thinks to himself, "I wanna see that, and I'm going to click Yes on this big red box that says that this could be a virus, and I'm going to click Yes on this other big red warning that says that it isn't signed, and I'm going to put my admin password in this box that says I need admin rights to run this file, and HEY, it's not Pam Anderson, it's Paypal telling me to enter my password since my account expired, how nice of them to remind me, so I better do that, and hold up! This damn Punch the Monkey ad keeps coming up and my machine is running slow for some reason!!!"
Basically, since locking the machine down isn't a good solution, and there are no security patches for the human brain yet, the easiest way to increase security without restricting the PC to the point that it's useless is to have these add-ons to stop Joe from being too stupid, but allow Joe to install Redneck Rampage Deer Hunter Extreme Machinegun Challenge when he feels like killing something. Frankly, why MS didn't have a virus scanner in XP is beyond me, other than MS didn't want to hear Symantec crying that the business they built on insecure Microsoft OSes is going away because Microsoft suddenly decided to start securing their OS.
Frankly, the only complaint about this Microsoft antivirus is that they are going to have definition subscriptions like all the other antivirus apps instead of just turning their AV solution on by default on Vista and allowing it to update without having to worry about expiring definition subscriptions.
Re:This is just laughable (Score:2)
Check out OS X! They have the best installation system ever - just copy that shiny vector-graphics based icon to your Applications folder, ENTER your password once and DONE!
Please understand that the User Friendly [tm] interface of Windows is NOT the reason for their lack of security. Ignorance is.
Re:This is just laughable (Score:2)
Check out OS X! They have the best installation system ever - just copy that shiny vector-graphics based icon to your Applications folder, ENTER your password once and DONE!
Joe Stupid: "Gee this fine Pam Anderson file that Bob sent me is going to be great! But it needs installed. Well, Let me drag this Nice Shiny Vector-graphics based icon to my Applications folder, type in my password, and HEY it's not Pam Anderson, it's Paypal telling me to enter my password...."
If you notice, the example I gave
Re:This is just laughable (Score:2)
The problem is Microsoft's ignorance in the first place - if you do user-friendly usability, then do it, checking all other things - security, stability, etc. Sorry, but there is no excuse that Microsoft's marketing dept. has too much power over developers.
Re:This is just laughable (Score:2)
Re:This is just laughable (Score:2)
Where did you get that number from?
Most tech analysts list Apple's market share in the US as about 3.6% as of June of this year - Apple claims higher, about 4.5% - if we give Apple the benefit of the doubt and assume they're 100% correct, you're still only talking about less than 5% in the US. Apple's worldwide numbers are approximately 1.8% market share.
Whitelisting (Score:3, Interesting)
Yes, but there is a right way and a wrong way to do it. The wrong way is to let one company (especially one with a reputation as bad as Microsoft's) control it. The right way is to let people choose lists to trust (much like APT repositories). I actually think that's a good idea.
Coupled with sandboxing (so applications cannot access files they have no business accessing, even if they belong t
Re:Whitelisting (Score:2)
For example, the PS2. I could write code for it, but if I want to play that code on someone else's PS2 I would either have to defeat the protection
Your opinion is just laughable (Score:2)
Name an OS that is? (No, Linux, BSD, Solaris, AIX, and MacOS are not secure)
Re:This is just laughable (Score:3, Insightful)
One of the issues is that they are going to be charging people to protect them from their mistakes.
Also, in doing so MS creates a situation where creating a bug-free product will lose them profits.
Not to mention the fact that they can leverage their position to gain dominance in the market and wipe out the competition
Re:This is just laughable (Score:2)
Re:This is just laughable (Score:2)
Yes, they should get a part of the profit other companies make on software that runs on Windows [slashdot.org]
Re:This is just laughable (Score:2)
Firefox has vulnerabilities, yes, but they tend to be:
1) Patched Faster
2) Less critical
3) Patched completely
4) Openly admitted to
You wish it was fud. It is true, just because you don't like the truth does not mean it. There was an article, fairly recently, on
Bloatware (Score:5, Interesting)
Re:Bloatware (Score:3, Insightful)
Re:Bloatware (Score:2)
Re:Bloatware (Score:2)
I can't run apachectl -t as a user unless I
Likewise, I can't run quake3 as root.
Why not apply the same methodology to a Windows environment?
Re:Bloatware (Score:2)
Hell, after personally working with my father's SOHO for a while, I'm convinced EVERY app needs to be sandboxed.
Your bloat, my convenience (Score:3, Insightful)
Antivirus, spyware protection, firewall, internet browser (to name a few) --- these are things that should come in any OS product. In fact, they should be as mandatory as TCP/IP protocol.
If anything this will help those people who never buy anti-virus software...they just unpackage their compu
Re:Your bloat, my convenience (Score:3, Insightful)
A firewall should never be required to run any PC, because no PC should ever respond to a connection attempt that it wasn't designed/configured to handle. A firewall's sole purpose is to close ports that should not have been open in the first place.
Re:Your bloat, my convenience (Score:3, Insightful)
Re:Your bloat, my convenience (Score:2)
I never said a firewall should be required to run on a PC... I said it should come with an OS. I may want to have ports open, but still need to manage the open ports with a firewall.
Re:Your bloat, my convenience (Score:2)
Ladies and gentlemen, this is the mindset Microsoft has fostered in the populace. "It's good to diaper your OS like a baby with layers of applications to protect your OS from the Internet."
Spyware protection should ABSOLUTELY NOT be mandatory or part of the TCP/IP protocol (ha)--spyware takes advantage of flaws in Windows
Re:Your bloat, my convenience (Score:2)
Re:Your bloat, my convenience (Score:2)
Is that the official definition
Re:Bloatware (Score:2)
Re:Bloatware (Score:2)
Actually, in the Real World(TM), the first thing a user learns when trying the Word->PDF "conversion" is that it's (to paraphrase) like a dog walking on its hind legs. It's not done very often, and when it is, it's not done very well. The second thing they learn is that Word has trouble making up its mind whether it wants to try and be a word-processor or a desktop publishing program.
I doubt Symantec has anyt
Re:Bloatware (Score:2)
It's not about quality, but about power (Score:2)
Oh, they probably do know that. However, now you're talking about quality. Making the best software isn't and has never been their top priority. What they are doing here is using their monopoly position in OSs and Office Suites as a springboard to domination
Re:Bloatware (Score:2)
And Apple has PDF creation integrated into its entire GUI environment and clipboard... Scandalous.
What's the Fuss? (Score:5, Insightful)
If MS just did their job and made a secure OS, like OpenBSD (or the other BSDs), there wouldn't be a huge market for security band-aids.
E.g. suppose MS began to apply formal methods, semi-formal methods, code reviews and so on in an effort to eliminate sources of insecurity -- yet did not sell a single "security" product. Not even a Snort.
Would the EU then claim that MS was taking away their oxygen supply of the "security" band-aid selling companies?
Re:What's the Fuss? (Score:2)
Selling is dirty because it is a band-aid to their inability to produce a secure product. Giving away is dirty because that is leveraging their monopoly to supplant another company.
Fixing their product issues is the only route that would be right thing to do.
Re:What's the Fuss? (Score:2)
Products are there to fill demand. If you remove the need then you remove the demand. In that case there is no problem.
Re:What's the Fuss? (Score:2)
Re:What's the Fuss? (Score:2)
Ah, but many believe that MS does more with their os than make a secure one and remind people of it.
Want to look at a secure desktop (that is BSD based), take a look at OS X, and it does more than be secure to boot.
Re:What's the Fuss? (Score:4, Insightful)
E.g. suppose MS began to apply formal methods, semi-formal methods, code reviews and so on in an effort to eliminate sources of insecurity -- yet did not sell a single "security" product. Not even a Snort. Would the EU then claim that MS was taking away their oxygen supply of the "security" band-aid selling companies?
No, because there is a fundamental difference between improving an existing product in a market where you have a monopoly and using that existing monopoly to move into a new market. The first is legal, the second is not. If MS improves their OS so that it uses no electricity, that is fine. It has made the product better, and while this will have an adverse effect upon electricity sales, it does not move MS into the electricity market by leveraging their existing monopoly. That is the part the law objects to, because that is the dangerous part of a monopoly and one that removes all the competitive benefits of a free market. What MS cannot (legally) do is start to give away electricity for free with copies of their OS or bundle it in any fashion.
Adding AV is part of making it secure. (Score:2)
MS added a firewall to XP and now they are integrating AV. I say good for them. That is one more step to making the system more secure. Since there are many FREE AV packages I don't see a big loss here to those
MS is undermining itself (Score:5, Insightful)
Microsoft: Spend your energies fixing the problems, not undercutting them! This seems to me like the smoker who uses asthma medicine to take care of his wheezing. It's a temporary fix, sure, but the larger problem remains.
Uh Oh.... (Score:5, Funny)
Why Anti-Virus is an OS function (Score:5, Insightful)
Re:Why Anti-Virus is an OS function (Score:2)
Not really. The OS manages processes/memory/etc. So long as it keeps them separate, it's done its job and antivirus software doesn't really have anything to do in that respect.
Yes, but that doesn't mean it has to be built into the operating system. Example: drivers. Th
Re:Why Anti-Virus is an OS function (Score:2)
I see that you have thought of a fourth reason since you last posted this comment [slashdot.org]
Glad to see you still dislike MS
2) Anti-malware software needs to operate at a higher level of privilege than the malware to avoid malware countermeasures. If the anti-virus is just another application, even if it's at the admin level, it's going to be vulnerable to being turned off by malware that explicitly tries to avoid detection and removal
Re:Why Anti-Virus is an OS function (Score:2)
2. If you have antimalware detection operating
Re:Why Anti-Virus is an OS function (Score:2)
Re:Why Anti-Virus is an OS function (Score:2)
A key function of an OS is to ... manage ... resources
The point illustrates a common misperception. Viruses are not system resources. They are bitstrings which strictly originate outside the system. As such, they're benign unless the system fails to provide for this distinction.
Anti-virus needs to run at a privilege level above most user and admin processes.
Not at all. Virus detection is strictly a pattern match, which can
Why hooks/APIs aren't good enough (Score:2)
I can see your point, but it creates some nasty vulnerabilities. What stops the virus writer from exploiting these same hooks? Every hook is a new opening for malware to overwrite/modify the virus definition files, disable the AV function, escalate privileges, inject arbitrary code, create a fake AV UI
It's right and it's wrong (Score:4, Insightful)
If you ask me, Microsoft should create a mode of operation in Windows that will disallow all programs and libraries except for the ones indicated in some list. This would be most useful for corporate desktops but could also be useful for a bunch of other users as well. It would prevent the installation of software that is unwanted and all manner of things. It would change the way people use their computers, of course, but then I think it should change. It would do wonders for Microsoft's security reputation and I can't imagine it would be particularly difficult to implement. But we already know most people would simply turn that off anyway -- it impedes their access to the wonderful experience of "internet browsing" and downloading cool new things. (They get what they deserve IMHO) And since MS still essentially controls the desktop, it's not like anyone would consider switching because Windows became a little more annoying...
Re:It's right and it's wrong (Score:2)
Re:It's right and it's wrong (Score:2)
The problem is if they give it away. If Microsoft begins giving away their security suite, then Symantec will probably go the way of Stac Electronics and Netscape.
Re:It's right and it's wrong (Score:2)
Microsoft should be interested in security, yes. Specifically they should be interested in putting out a secure OS. If in the pursuit of this goal they end up with a system that doesn't need 3rd party security for OS related issues then good for them. If they want to include apps other than the OS in Windows, then they should also be interested in securing those as well
Re:It's right and it's wrong (Score:2)
Are you SURE you want that, what you described is DRM taken to the extreme. The Windows Registry was the first attempt to do what you said but it is vulnerable. So, who decides what programs go onto the list as "legal", Microsoft? I don't think so! The user? If it is the user then you got the same issues you have now! So, what is the solution??
Multiple Whitelists, please (Score:2)
While I don't think Microsoft "should" do anything other than whatever the hack they want, I agree that it's a good idea. However, as I've written in other places (soon, I'll put an essay on my site so I can link to it), there should be multiple whitelists that users can choose from. This increases users' freedom and limits the possibilities for ab
Future? (Score:2, Funny)
To be fair... (Score:3, Insightful)
Re:To be fair... (Score:2)
I like Symantec's reaction (Score:2)
Sounds like someone is already scared shitless of retaliation. "It wasn't me -- it was all him, I swear!"
Hmm... (Score:2)
On the one hand, as many people here have said, it'd be useful if they concentrated on making the OS itself robust and less vulnerable to exploits etc. That's just common sense, and if their press is to be believed they're doing that. Time will tell.
On the other hand, they could release Vista, no exploits are found or at least publicised, and that wouldn't mean it was perfect. Antivi
All the Linux distro vendors need to watch it too (Score:2, Funny)
Re:LOL what? (Score:2)
Paying twice... (Score:2, Insightful)
I believe that Microsoft has an obligation to provide this as a core functionality of the OS. Otherwise it is the equivalent to buying a house without a roof, and then having to pay again so that it is livable/usable. While it should be appreciated that Microsoft has recognized that there is a legitimate need to correct these issues, doing so by offering a new produ
Comment removed (Score:3, Insightful)
I'm not sure there's a problem here. (Score:3, Insightful)
Now, the anti-malware provisions are a different story. In many ways this is Microsoft cleaning up their own mess. If they provide the products free of charge (as with the Anti-Spyware Beta) I really don't see a problem - they're addressing their own issues. At the end of the day, Symantec's (and others') cash cow is a product that makes up for another product's deficiencies. This would be like Fram getting PO'd about Ford making gas inlet doors that can't be opened from the outside, because that reduces their market for locking gas caps.
If MS sells the crap, though... just plain wrong. I'd use a Microsoft security product as a supplement to other solutions if it were free, but I sure as hell won't actually pay them for it. They created the security holes in the first place; I'll accept proactive solutions but I won't pay for a reactive workaround by the same people responsible.
My Problem with it (Score:2)
It's still not completely clear how either of Microsoft's desktop security products will be delivered, how deeply integrated into the operating system or Microsoft servers they could be, and how they will be priced
If Microsoft wants to create an unbreakable OS that spyware, malware, viruses and whatever are useless against, more power to them. That should be their job.
But if Microsoft wants to charge for the OS and not make it secure, they can't go out and sell
How this going to make things safer? (Score:2, Insightful)
Unless Microsoft can actually make money off this endeavor then it's a waste of time for them, which means they are shipping a defective product and this will have backlashes on Microsoft.
Heck, we need to consider what AV really is; it's just some tool that sits and stops brittany-nude.jpg.exe from being opened or allowed to do harm on the PC. The malicious program can still do the harm and cause the same problems
There is a legal aspect to this too (Score:3, Insightful)
The thing is that if Microsoft knowingly ships a product with open attack-vectors, and these can only be fixed by applying another product from Microsoft for which there is an additional charge, I am sure it can be argued under various legislation that they have shipped a defect product and you are entitled to a replacement product without the defects and/or a compensation.
Microsoft shipping an anti-virus product for their own operating system is significantly different from anti-virus firms shipping such products for Windows. Since Microsoft is 100% responsible for the design and production of their operating systems and applications, and have sufficient knowledge to produce a product to prevent attacks from viruses and spyware targeting their operating environment, they are also 100% capable of clearing those attack-vectors from their own products either by re-design or re-writing the software being attacked.
So the solution, both from a legislative and technical point of view, is to fix the original defect products, hence there will be no need for the second product and no business can be made from it.
Protection from the people who brought you... (Score:2)
I Love You - Outlook.
Sasser - LSASS.
Slammer Worm - MS SQL Server.
The best thing Microsoft could do for their users today is to return progman.exe as the default shell and allow IE to only run in the user's context. Give users full control over what programs can run as a service (including Microsoft's own services). Fix the NT kernel so user space programs cannot hook into the system.
Enjoy,
We need secure computers, not necessarily Symantec (Score:2)
The European Patent Office has granted numerous anti-virus and firewall patents, which the EU Commission wanted and still wants to legalize in Europe:
ZDNet UK: EC slipping software paten [zdnet.co.uk]
Virus Scanners are all smoke and mirrors (Score:2)
What we really need is some script kiddie with an attitude release one of these worms with a truly destructive payload, then and only then are we gonna see any real change. Imagine something like a code red worm that stayed alive long enough to propagate itself say 48
A couple of comments on this issue. (Score:2)
2. I hate to say this, but hackers/crackers target Microsoft because it's the
Re:Dammed if they do... (Score:3, Insightful)
Slapping anti-virus and anti-spyware tools on top of it is just a bandaid and another excuse not to fix the inherent flaws in the OS.
Re:Dammed if they do... (Score:3, Informative)
And it is responsible, very responsible, of MS to offer anti-virus in their OS.
Re:Dammed if they do... (Score:2)
You have a weird definition of responsible my friend. Personally, I'd find it more responsible of them to fix inherent problems with the OS. The 'band-aid' of the antivirus system is nice but by no means is it a permanent fix. Still, this is the way Microsoft will pitc
Re:Dammed if they do... (Score:3, Insightful)
I cannot comment about this because I am not familiar with the internal workings of this issue and MS, and unless you work for MS (directly) neither are you.
Wouldn't responsible be not integrating the browser into the OS
That's a matter of opinion...While I use FireFox, I am happy that IE comes with my computer - you know, so that way I can get on the Internet for the first time and download me a co
Re:Dammed if they do... (Score:2)
Second, having the browser integrated into the OS has made many non-critical holes even more critical as a result. Not opinion when every security agency tells you to dump IE because of its threat to your OS.
Yes, by default, all applications run as root. In XP, they tried to fix this but it causes issues with several programs s
Re:Dammed if they do... (Score:2)
I am not sure who others is, but I raise an eyebrow to a competitor nay-saying its competitor. I am not saying they are wrong either, but again, there is a difference of view from the outside than the inside.
Second, having the browser integrated into the OS has made many non-critical holes even more critical as a result
Re:Dammed if they do... (Score:2)
Re:Dammed if they do... (Score:2)
Um, no. Having the browser BUNDLED allows you to go online and download Firefox. And Microsoft could just as easily include IE, Firefox, Mozilla, and Opera as co-equal browsers on the default install, and let you pick your favourite the
Re:Dammed if they do... (Score:2)
I am pretty sure I said this, wait let's see "As I have said before, having the browser integrated allows me to go online and get the browser that I want to use"....yea that's what I said... so why are you disagreeing with me?
And Microsoft could just as easily include IE, Firefox, Mozilla, and Opera as co-equal browsers on the default install, and let you pick your favourite the first time you boot the system.
1) Isn't t
Yeah, yeah, IHBT, whatever (Score:2)
Please read my post. Bundled != integrated. Then go back and read it again, and maybe you'll get it.
Re:Seriously now... (Score:2)
"Yes, it will make Norton, McAfee and the like totally irrelevant"
It would hardly make them irrelevant, since there is no way that a single source for AV/AS software would block all malware. The problem is that it would make them unprofitable, and therefore nonexistent, even though the need for them would still be there.
Re:Symantec deserves to die (Score:2)
And of course, MS would release updates to protect from and/or remove known exploits within hours/days.
A single-source supply of AV/AS software is simply not enough. If MS bundles AV/AS with Windows, then Symantec etc will be driven out of business, or at least shrunken so much that their update teams can't handle new threats in a timely
Re:Good thing (Score:2, Funny)
Haydn
Re:This is ridiculous (Score:5, Informative)
The fact is, Windows, as terrible as it may be can come with as much [spyware infested] programs as they want, for it's their product.
The fact is, Monopoly Inc.'s product, as terrible as it may be can come with as many bundled other products as they want, for it's their product.
Oh wait, or we could pay attention to all the antitrust laws that have been written and all the economics we have learned in the last 400 years and realize that monopolies tying new products to an existing monopolized product results in them completely bypassing fair trade and competition and results in them taking over more and more markets, products that are inferior (since the benefits of competition no longer apply), products that are unfairly priced (again competition is bypassed), the economy suffering (since one company gets more money than the value of the work/product they provide), the industry suffering (since there is no motivation/opportunity for innovation), and eventually (in theory) a single company taking over all markets.
I take it you slept through your freshman economics course? It is illegal for monopolies to bundle products and that is exactly what MS is doing and has been convicted of doing in the past. Unfortunately all of the punishments and remedies have been largely ineffective.
Re:Key difference between monopoly and comprehensi (Score:2)
Comprehensive is having everything you need in one package, a monopoly is not allowing anyone to provide replacements for parts of that package.
Nope. A monopoly is having enough of a market share for a product or service that there is no effective competition (from a market perspective not a technical one). Windows has dominated the desktop OS space to such an extent it has been ruled a monopoly by the courts in many different countries. Once a company has a monopoly, it is easy for that company to do se