EC Watching Microsoft Security Moves

Rob writes "The European Commission is looking into Microsoft Corp's recent moves into the desktop security market, according to Symantec Corp, one of the companies that stand to lose the most if Microsoft leverages its monopoly to compete. We've not filed any official complaint," a Symantec spokesperson said. "We've responded to a request for information from the European Commission... we were not proactive, they came to us." Microsoft announced last week that it will offer an enterprise desktop security package comprising antivirus, antispyware, firewall and centralized administration. That's in addition to its OneCare consumer offering, currently in beta."

This is just laughable

[schestowitz]

How about making an O/S that is secure to begin with? Charging people or supplying add-ons to fix one's own problems?

Re:This is just laughable

Exactly.

Microsoft's new anti-virus/anti-spyware should be called "Windows XP SP3" and it should be free. We didn't pay for software that almost works.

Re:This is just laughable

[LurkerXXX]

If it's worms, etc, that take over your whole system, then yes, tehy should. The problem is a lot of malware these days are things people deliberately install on their maachines, through websites or email attachments. Securing the OS so that they can't take over the whole machine is good, but they can still trash the user data which is really the important thing on the machine. Add-ons like this are still needed to protect the users data files from dumb things the user installs/runs, even if the underlying OS is protected.

Re:This is just laughable

[Savage-Rabbit]

How about making an O/S that is secure to begin with? Charging people or supplying add-ons to fix one's own problems?

Since when has Microsoft elected to do things the easy and efficient way when they can do things the really complicated and inefficient way? From my point of view it is really kind of funny that they might now get into trouble with the EU because they are trying to muscle into (and probably kill off) an industry that largely owes its existence to Microsoft's incompetence and its long-standing reluctance to fix the gaping security holes and design flaws in it's own operating system.

Re:This is just laughable

[British]

And if MS released Vista WITH the fixes, thus rendering antivirus sw/anti-malware sw obsolete, people on here would complain about "WHY do I have to pay for this upgrade to fix the problems they didn't in previous versions?!?". It seems with this situation, MS is damned if they do, damned if they dont. Damned if they do: Accused of trying to leverage out Symateic, damned if they dont: blasted for insecure OSes. Damned if they do pt 2: Put fixes in Vista software, and are accused of trying to gouge customers out of more money for an upgrade.

Re:This is just laughable

[FidelCatsro]

That's not really the issue .
one of the issues is that they are going to be charging people to protect them from their mistakes .
Also in doing so MS creates a situation where creating a bug free product will lose them profits .
Not to mention the fact that they can leverage their position to gain dominance in the market and wipe out the competition

Re:This is just laughable

[Chris+Burke]

It seems with this situation, MS is damned if they do, damned if they dont. Damned if they do: Accused of trying to leverage out Symateic, damned if they dont: blasted for insecure OSes. Damned if they do pt 2: Put fixes in Vista software, and are accused of trying to gouge customers out of more money for an upgrade.

See what happens when you write shitty, insecure code and do nothing to try to fix it until several years after it is a major problem? Sorry if I'm not gushing with sympathy for this horrible situation they put themselves in.

Re:This is just laughable

[m50d]

If you ship a shoddy product you deserve to be in a damned-if-you-do damned-if-you-don't situation. It's more damned-for-shipping-an-insecure-os-in-the-first-pl ace.

What's the Fuss?

[putko]

This issue -- MS moving into the security market -- has always struck me as a non-issue.

If MS just did their job and made a secure OS, like OpenBSD (or the other BSDs), there wouldn't be a huge market for security band-aids.

E.g. suppose MS began to apply formal methods, semi-formal methods, code reviews and so on in an effort to eliminate sources of insecurity -- yet did not sell a single "security" product. Not even a Snort.

Would the EU then claim that MS was taking away their oxygen supply of the "security" band-aid selling companies?

Re:What's the Fuss?

[99BottlesOfBeerInMyF]

E.g. suppose MS began to apply formal methods, semi-formal methods, code reviews and so on in an effort to eliminate sources of insecurity -- yet did not sell a single "security" product. Not even a Snort. Would the EU then claim that MS was taking away their oxygen supply of the "security" band-aid selling companies?

No, because their is a fundamental difference between improving an existing product in a market where you have a monopoly and using that existing monopoly to move into a new market. The first is legal, the second is not. If MS improves their OS so that it uses no electricity, that is fine. It has made the product better, and while this will have an adverse effect upon electricity sales, it does not move MS into the electricity market by leveraging their existing monopoly. That is the part the law objects to, because that is the dangerous part of a monopoly and one that removes all the competitive benefits of a free market. What MS cannot (legally) do is start to give away electricity for free with copies of their OS or bundle it in any fashion.

MS is undermining itself

[revscat]

The fact that Microsoft can do this is just astounding. I understand their freedom within the marketplace, yes, but should their anti-virus segment prove profitable then they would then have a financial disincentive to fixing their security flaws that is directly proportional to the underlying success of their security product. This can be neither good for Windows nor the world at large.

Microsoft: Spend your energies fixing the problems, not undercutting them! This seems to me like the smoker who uses asthma medicine to take care of his wheezing. It's a temporary fix, sure, but the larger problem remains.

Wny Anti-Virus is an OS function

[G4from128k]

As much as I dislike MS, I can see four arguments that antivirus is an OS function.

1. A key function of an OS is to regulate, allocate, and manage the hardware and software resources of the machine. Controlling which chunks of code/processes/threads have access to which other chunks of RAM/filesystem/IO seems core to both an OS and to controlling malware.

2. Anti-malware software needs to operate at higher level of privilege than the malware to avoid malware countermeasures. If the anti-virus is just another application, even if its at the admin level, its going to be vulnerable to being turned off by malware that explicitly tries to avoid detection and removal. Anti-virus needs to run at a privilege level above most user and admin processes. This puts it deep into the OS and should probably load before any 3rd party extensions or any form of networking stack.

3. Malware often exploits holes in the OS. All jokes aside, the OS vendor is one of the most likely organizations to understand these vulnerabilities and make a semi-competent decisions on whether to patch the OS to close the vulnerability or use anti-malware to expunge or repel the malware.

4. Defense against malware should be a default-feature of the OS, not an add-on. No car could be sold with bumpers, locks, and seat-belts sold separately. In an age of consumer PCs and botnets, it becomes part of the system provider's responsibility to deliver a "safe" product.

It's right and it wrong

[erroneus]

It's right for Microsoft to be interested in security. It's wrong for them to attempt to profit from it. I don't think I need to go into any lengthy discussion about those notions.

If you ask me, Microsoft should create a mode of operation in Windows that will disallow all programs and libraries except for the ones indicated in some list. This would be most useful for corporate desktops but could also be useful for a bunch of other users as well. It would prevent the installation of software that is unwanted and all manner of things. It would change the way people use their computers, of course, but then I think it should change. It would do wonders for Microsoft's security reputation and I can't imagine it would be particularly difficult to implement. But we already know most people would simple turn that off anyway -- it impedes their access to the wonderful experience of "internet browsing" and downloading cool new things. (They get what they deserve IMHO) And since MS still essentially controlls the desktop, it's not like anyone would consider switching because Windows became a little more annoying...

Re:It's right and it wrong

If you ask me, Microsoft should create a mode of operation in Windows that will disallow all programs and libraries except for the ones indicated in some list.

They already do. It's called Microsoft Bob

Re:Dammed if they do...

[Foofoobar]

Actually, that's not really doing something about security... it's a bandaid. Fixinf their OS would handle most security problems. Not integrating their products into the OS would fix the other half.

Slapping anti-virus and anti-spyware tools on top of it is just a bandaid and another excuse not to fix the inherent flaws in the OS.

Re:Bloatware

[Evil+W1zard]

I'm not the biggest proponent of MS, but why should they learn from the success of Linux? They are a corporation and thusly are in the business of making money, and that business has been extremely good. Lets face it they make OS's and Apps for the masses. By including more security software in their portfolio they stand to make a nice profit and that is what drives the business.

To be fair...

[iamacat]

Windows badly needs a bundled Anti-Virus/Anti-Spyware solution. Perhaps MS shouldn't be punished for doing the right thing for the users for once.

Your bloat, my convenience

[AviLazar]

Maybe you think having anti-virus pre-built into MS is bloatware, but I find it to be useful and frankly it should have been incorporated years ago. Bloatware is putting in things that are useless, like AOL ;)

Antivirus, spyware protection, firewall, internet browser (to name a few) --- these are things that should come in any OS product. In fact, they should be as mandatory as TCP/IP protocol.

If anything this will help those people who never buy anti-virus software...they just unpackage their computer, plug it in and turn it on...and then they get slammed with viruses.

Re:Your bloat, my convenience

[Phisbut]

Antivirus, spyware protection, firewall, internet browser (to name a few)

A firewall should never be required to run any PC, because no PC should ever respond to a connection attempt that it wasn't designed/configured to handle. A firewall's sole purpose is to close ports that should not have been open in the first place.

Re:Your bloat, my convenience

[TheRaven64]

Half right. It's useful to be able to prevent partially-trusted programs from initiating connections as well. This would be better done with an app-level sandbox, or something like systrace, but a local firewall can also be useful.

Paying twice...

[jferris]

Judging from the article, Microsoft's security offering will be a separate product line and not a part of the OS. This is my slant on it...

I believe that Microsoft has an obligation to provide this as a core functionality of the OS. Otherwise it is the equivalent to buying a house without a roof, and then having to pay again so that it is livable/usable. While it should be appreciated that Microsoft has recognized that there is a legitimate need to correct these issues, doing so by offering a new product line is the wrong way to go about it.

As a software developer, I could only wish that I could get away with selling a product that could only be secure/viable/etc. by having the user buy another product to plug the leaks. How about trying to improve system testing or cooperating with other vendors to isolate and contain threats? Nah, that would be way too productive.

Comment removed

[account_deleted]

Comment removed based on user account deletion

I'm not sure there's a problem here.

[kennyj449]

Frankly, some of the products being complained about are things that by all rights should've been incorporated into the OS years ago... and which are already standard offerings for almost every other popular operating system in the industry. At the very least, there are very valid reasons for MS to include network security features in their OS - they simply BELONG THERE. In some cases, Microsoft is only doing what the rest of the industry has been doing for decades.

Now, the anti-malware provisions are a different story. In many ways this is Microsoft cleaning up their own mess. If they provide the products free of charge (as with the Anti-Spyware Beta) I really don't see a problem - they're addressing their own issues. At the end of the day, Symantec's (and others') cash cow is a product that makes up for another product's deficiencies. This would be like Fram getting PO'd about Ford making gas inlet doors that can't be opened from the outside, because that reduces their market for locking gas caps.

If MS sells the crap, though... just plain wrong. I'd use a Microsoft security product as a supplement to other solutions if it were free, but I sure as hell won't actually pay them for it. They created the security holes in the first place; I'll accept proactive solutions but I won't pay for a reactive workaround by the same people responsible.

Re:let me know of some OS that is immune

[twiddlingbits]

When the default browser (IE) is NOT a trusted app then you know you got problems. In fact I wouldn't consider the OS itself a trusted app. So just booting up Windows makes your machine insecure.

How this going to make things safer?

[oztiks]

I dont see how having a "microsoft" brand or "norton" or whatever is a big difference to the end user.

Unless micrsoft can actually make money off this endevor then its a waste of time for them, which means they are shipping a defective product and this will have backlashes on microsoft.

Heck we need to consider what AV really is, its just some tool that sits and stops brittany-nude.jpg.exe from being open or allowed to do harm on the pc. The malicious program can still do the harm and cause the same problems.

Insted of making a system to actully fix the problem realistically, ms is putting yet another bandaid on the situation _trying_ to make them look like the victors to the consumers.

Big pull wool over ya face deal here, still the same nonsense ms tactic. What ms needs to really worry about is biting too many hands that feeds them, they've started being more aggressive in the market then ever before and they can only pick so many fights before they start loosing them.

I yearn for the day when ms is just another software developer and not the only software developer, freedom to code slowly slips away from us when we condone yet another market in which microsoft will successfully plug away from the rest of us. We shouldnt let that freedom disappear for the OSS developer or other Businesses. If such a concept does not concern you then why would you really care what happens ... norton, ms, mcaffee they all turn your pc into a slug and eat your resources to a dim.

Also i would be looking at code maturity here as an issue as well, norton has been playing the AV game for a while, MS is about to embark on this, i wonder how hard it is for the next worm to break this wonderous AV that is currently in beta stage and cause more millions in losses for people ...

I guess MS is just one of those businesses that people get burnt by they then the same person just sticks their hand back into the fire ... Dont you find it the least bit curious that they are realeasing it with Vista, and not with their last office package which makes more sence because thats where outlook is packaged and not with the os! or its last service pack with all of its other security components they released? All they are trying to do is sell Vista as being more secure, DUH!

Heck this virus issue has been around since when? the days of 286! virus' have always been an issue, why now all of a sudden MS gets the idea that its time to implement AV? simple more hype so people will blindly purchase MS products and not stear away to linux, which realistcally holds a big threat for them.

I think i was preaching this nonesense since windows 98 was out and about and since then very little has changed, how come all of a sudden its going to change now with this magical vista os appearing, i remember the same bs was said about xp, unhackable, secure, safe ... pfft whatever ... whatever sells i guess.

Re:Dammed if they do...

[AviLazar]

Wouldn't responsible be defined as fixing critical security holes that have been open for over 2 years

I cannot comment about this because I am not familiar with the internal working's of this issue and MS, and unless you work for MS (directly) neither are you.

Wouldn't responsible be not integrating the browser into the OS

That's a matter of opinion...While I use FireFox, I am happy that IE comes with my computer - you know, so that way I can get on the Internet for the first time and download me a copy of firefox.

Wouldn't responsible be not running all applications as root?

I'm pretty sure not all applications are run as root

Personally, I'd find it more responsible of them to fix inherent problems with the OS. The 'band-aid' of the antivirus system is nice but by no means is it a permanent fix

You, as well as everyone else here, knows that the band-aid method is the best method. With millions, and billions of lines of code it is impossible, even for a large organization like MS, to find every loophole...point in case, FireFox - as it is gaining more popular, more loopholes are being found - and what is Mozilla doing? They are band-aiding it up. See every company utilizes that method - it's called a patch, and they have been around for as far as I can remember, and I have been using computers all the way back since commodore 64 and 386 pc clone.

There is a legal aspect to this too

[Been+on+TV]

If Microsoft starts charging for antivirus software, they may under various legislation be seen to ship a defect product that can only be fixed by making an additional purchase of a Microsoft product. This will open up the field for numerous lawsuits including class action in those countries that have it in their legislation.

The thing is that if Microsoft knowingly ships a product with open attack-vectors, and these can only be fixed by applying another product from Microsoft for which there is an additional charge, I am sure it can be argued under various legislation that they have shipped a defect product and you are entitled to a replacement product without the defects and/or a compensation.

Microsoft shipping an anti-virus product for their own operating system is significantly different from anti-virus firms shipping such products for Windows. Since Microsoft is 100% responsible for the design and production of their operating systems and applications, and have sufficient knowledge to produce a product to prevent attacks from viruses and spyware targeting their operating environment, they are also 100% capable of clearing those attack-verctors from their own products either by re-design or re-writing the software being attacked.

So the solution, both from a legislative and technical point of view, is to fix the original defect products, hence there will be no need for the second product and no business can be made from it.