Just a couple of months before Windows Vista ships to businesses, Microsoft is worried that the project may be delayed again, or delivered with reduced security — though only in Europe. If that happens, you can mostly thank United States software giant Symantec, which has been loudest in its opposition, although another security vendor, McAfee, has also been agitating for change.
Microsoft reckons two parts of Vista are at risk. First is the Windows Security Centre, introduced into Windows XP with SP2 (Security Pack 2). WSC pops up a warning if a PC doesn’t have a working firewall or anti-virus (AV) software, or if Windows Update is turned off.
The second is PatchGuard, which is not even included in standard 32-bit Windows. This was introduced in 2003 only in 64-bit Windows, to stop rogue applications from changing (or patching) the core operating system kernel. (Typically this happens when a virus replaces a bit of Microsoft’s core code with its own, compromising the operating system.)
Compatible solutions
Although both seem straightforward introductions, and have previously attracted little or no attention, they have put Symantec in high dudgeon mode.
Symantec spokesperson Cris Paden said last week that the company had not formally complained to the EU’s Competition Commission: ”That’s absolutely not the case. It’s always been on a reactive basis. We — and not only us — have been responding to EU enquiries. It’s a dialogue, not a complaint.”
Paden is also adamant that Symantec does not want to reduce the level of security implemented in Vista: ”We don’t want them to remove PatchGuard at all,” says Paden, ”We absolutely do not want Microsoft to remove anything from Vista. We would simply like to have the interfaces so that our solutions will be compatible, and customers can choose what they want to use.”
Curiously, Microsoft says this too, and claims it has been working towards it in consultation with more than a hundred independent software vendors (ISVs) who have joined Microsoft’s SecureIT Alliance.
Microsoft regards WSC as a key enabler of compatibility and competition. Ben Fathi, corporate vice president of Microsoft’s security technology unit, says it is providing application program interfaces (APIs) so that all ISVs, both large and small, have equal access — and Microsoft’s own security software developers ”have to abide by the same rules. There’s nothing special that we do for them.”
WSC is just a dashboard, not a technology. It enables both customers and rival programs to disable Microsoft’s firewall and Defender anti-spyware software, if they wish. If you have another security program already installed, WSC will link directly to that vendor’s site. If you want a choice, it will take you to ”a free marketing portal” that enables PC users to find suitable products to replace them.
The WSC can also tell other applications the security status of a PC, These applications can then decide whether to allow, say, banking or shopping applications.
Symantec’s Norton 2007 already disables the Windows Security Center in XP, so it stops working, and Paden wants to do the same in Vista. That way, users will only see Symantec’s security centre, ”the one they’ve paid for”.
He claims that having two security centres is confusing for customers, and compares it to having to watch two sets of gauges while driving.
Fathi replies: ”Some larger AV vendors don’t want Windows Security Centre to work: they don’t want users to see the other choices available to them. Smaller vendors see it as a great marketing channel.” The point is that Microsoft’s WSC provides users with a vendor-agnostic view of different options across different functions.
This lets them choose, say, one company’s firewall and another’s AV software. Symantec’s approach is to provide users with a complete suite of its own products.
Its security centre is a shop, and with so much AV software coming pre-installed by PC vendors, it’s hard to see how it does anything but reduce customer choice.
Even the European Commission, which has been accused of pursuing an anti-Microsoft vendetta, might find it hard to see this as ”fairer”.
Does Sophos, a leading British security software company, have any problems with WSC? Graham Cluley, its senior technology consultant, replies: ”Oh no, absolutely not! We’ve had some niggles in the past, but as it stands, we’re very happy with it now.”
Yet in betas of Vista, Symantec’s security centre seems to send incorrect information to the WSC. I raised this with Sophos, which replied: ”We believe that Symantec is deliberately ‘fibbing’ to Windows Security Centre in order to prevent it from popping up and warning users of the status of their anti-virus protection — presumably so people use Symantec’s security centre [which does correctly report the status of Symantec’s protection] instead.”
Telling the WSC everything is fine even when it isn’t is one way to stop it from popping up an extra message, adds Cluley. The problem was quickly fixed, but does suggest that amidst the cut-throat security software business, users are actually better off having two gauges rather than one. And millions of people already do. Dell sells desktops with both Microsoft’s WSC and McAfee’s security centre pre-installed — giving McAfee an icon on the desktop and in the SysTray, so it’s impossible to miss. It’s also impossible to confuse the two dashboards.
When it comes to PatchGuard, Fathi argues that, for historical reasons, software vendors have got away with changing core operating system code. However, ”this has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks,” he says.
Unblocking innovation
For Symantec, Paden says PatchGuard is ”a good idea, but it shuts us out,” while the EU seems to want Microsoft to provide a way to turn it off.
Fathi says: ”No. If we do that, the first thing the virus writers are going to do is turn it off. And once a piece of code makes it into the kernel, we can’t tell whether it’s malicious or not.” But, he adds, ”We do have interfaces and a very clean architecture for extending the kernel for doing that kind of AV monitoring. The majority of AV solutions, firewalls, everything, use these supported mechanisms now. We’re not blocking their innovation.”
On PatchGuard, Sophos’s Cluley says: ”We don’t share the same concerns [as Symantec]: we don’t feel we’re being locked out of anything. It sounds like there’s a communications problem …”
Beyond the spat that Cluley describes as ”handbags at dawn,” Microsoft is finally trying to clean up its act with 64-bit Windows. But why now? Fathi says that Bill Gates’s Trustworthy Computing memo in 2002 ”was really a turning point for the company. We now feel it’s our obligation to do as much as we can to secure the platform — and we make zero money on this.”
Bob Tarzey, an analyst with the Quocirca consultancy in the UK, agrees. ”Symantec realised years ago that Microsoft was heading in this direction, so in my personal view, it would be a mistake for the European Union or any other body to say Microsoft is not entitled to make its operating system more secure, to the benefit of its customers.”
The EU’s competition commissioner, Neelie Kroes, has already written to the Financial Times denying that’s what she plans to do (http://tinyurl.com/mbvfx). Fathi says the EU won’t tell him what it wants, but ”from the questions they are asking us, the implications are that they want us to take the Security Centre out. That will mean a less secure version of Windows in Europe.” – Guardian Unlimited Â