by Playfuls Staff
2nd October 2006

Microsoft promised that Windows Vista would be the most advanced and secure operating system it has built in a decade. But does that mean we won’t have to worry about buying additional software to protect our PCs?
Let’s face it, Microsoft is not the best software company ever. Although it has a dominant position in the field and a lot of innovative products, it is still hated by many because of its ambition to be ubiquitous in domains that were never among its strong points (does the recent Zune MP3 player ring a bell? Or the Xbox console?).
But this preoccupation with being present in every new domain apparently leads to forgetting your priorities. We all know that Windows XP, IE and the Office suite are full of bugs and flaws and that we all had to suffer from them (at least at a time when we DID use Windows XP…). So we all agree that Microsoft should consider making its flagship products more reliable and secure first, and only after that concentrate on other things.
Well, anyway, Microsoft has been intensely criticized for its policy concerning not only the bugs in the code but also the time it takes to respond to discovered threats (which is around a month…). Windows XP has “managed” to bring Microsoft an extremely bad reputation but has also been the source of the thriving anti-virus (or anti-malware) industry.
The anti-virus market is estimated today to be around 3.9-4 billion dollars per year and is estimated to reach around 5.5 billion dollars by 2008-2009. All this money goes to anti-virus producers like Symantec, Softwin, Kaspersky or Panda and not into Microsoft’s pocket. But anti-virus software also implies that, in addition to buying a Windows OS, you (and I mean the end-user or any other company) will have to buy another piece of software to get the protection for your PC that Microsoft just cannot provide.
This has of course two implications: 1. some companies/end-users will eventually turn to Linux or Mac, which have far fewer security breaches than XP (which means almost no damage coming from Internet attacks); 2. the need for anti-virus software creates the impression that Windows is a badly designed product, and that buying it only leads to more and more costs. Redmond officials cannot accept that.
This is why Windows Vista has been built from the beginning with security as its prime target. The code was not “borrowed” from XP, and this is why it took so long to bring Vista to market (Vista, previously code-named Longhorn, was first announced in 2001): it was built from scratch.
By making Vista more secure (the main reason for its delayed release in Q1 2007), MS hopes to persuade customers (corporate or home users) to revise their opinion of its main product and to rethink their cost forecasts, including almost completely giving up buying anti-virus software.
And this is where Symantec and McAfee (along with a suite of other security software manufacturers) come onto the scene.
By far the most active member of the anti-Microsoft party in recent months has been Symantec, a surprising and ironic turn of events for the security giant, after the fruitful relationship it maintained with Redmond (until the announcement of Vista).
Symantec has been a privileged partner for Microsoft, accessing technology and parts of software code in XP needed to rapidly fix vulnerabilities in the OS. With Vista, things are actually going to change dramatically and this is why Symantec makes a lot of noise, especially in the EU space.
The situation is this: Symantec and other security software companies argue that Vista will make it more difficult to protect customers because, for the first time, they have been denied access to the core of the operating system.
But this is just the tip of the iceberg. Symantec has been fighting a cold war with Microsoft since the first rumors about OneCare, the Redmond-built security software for Windows. OneCare offers firewall, antivirus, and antispyware protection—the main elements of a security application. It also keeps the system tuned for best performance and can make local backups of essential files.
Microsoft defends its entry into the anti-virus market by arguing that no one knows better than it does how to protect Windows, since it built the system (an argument that should have been included long ago in Microsoft’s customer policy, wouldn’t you agree?...)
Moreover, in 2003 the Redmond colossus bought the anti-virus technology that was powering GeCAD’s RAV (Romanian Anti-Virus), a popular and reliable solution for many users at that time. Of course, since that acquisition the Romanian-based company has no longer been allowed to develop security technologies. Microsoft had in mind to include features from RAV in Vista and thus to eliminate third-party security developers because, hold on to your armchairs, Vista is completely safe and bulletproof against virus attacks! And if eventually it proves to have some minor (…) flaws, you always have OneCare to…take care of things!
In return, Symantec strove to prove that Vista is not at all secure and even suggested that it might be delayed again (from the official date of “January 2007”).
Symantec first issued a missive about the bugs in the next-generation OS in mid-July, stating that networking is one of the weak points. A second report implied that what Microsoft calls advanced security features could actually serve as loopholes, becoming the next cadaver to be scavenged by worms, viruses and hoaxes.
In particular, Symantec detailed a handful of vulnerabilities that affect Vista’s UAP (User Account Protection) feature. UAP is designed to help companies reduce the impact of a virus infection by preventing malicious code from escalating its privileges on infected machines in order to propagate itself further or inflict other damage on affected computers.
Symantec insisted that UAP, also known as LUA (Least-Privilege User Accounts or Limited User Accounts), is a weak spot in Windows Vista: several implementation flaws allow outside attackers to circumvent it, elevate their access privileges on a computer and take over a desktop running the OS.
Security has been a main concern for engineers and programmers at Redmond, and the implementation of new features in this area is key to the future success of Vista. But Symantec warns that the very tools that Microsoft has developed are vulnerable to attack.
According to Symantec, a new feature in Vista known as mandatory integrity control, which is also designed to help confine privilege escalation capabilities, could also be used as an exploit to take control over an infected machine.
Despite the addition of the tools, the security company contends that attackers could still conceivably bypass the system to escalate their ability to attack computers.
The once-ally and now-rival of Microsoft says the flaw could allow an ActiveX control to plant a file that would essentially bypass Microsoft's security levels feature, meaning that even an "unprivileged" user could have his or her account taken over to do harm to the system.
Symantec's researchers also said that the task of completely rewriting Windows' sprawling code base without introducing any loopholes may be too much to expect from any vendor.
Microsoft replied that the critical vulnerabilities signaled by the security company are not to be found in the final version of Vista.
Throughout its development of Vista, the software giant has applied a new process known as its SDL (Security Development Lifecycle), which requires that all of the operating system's code be scoured for potential problems before being added to the product.
Through SDL and "fundamental architectural changes" that will help make customers more secure from evolving threats, including worms, viruses and malware, Microsoft says that it has effectively minimized Vista's "attack surface area."
The final purpose of these security updates inside the Redmond giant is to deliver a release version of Windows Vista that could help companies and organizations secure and better isolate their networks.
But that also implies the potential death of anti-virus producers, since their main source of income just got…better! Although it’s hard to believe that Vista will be totally safe and that OneCare will be enough to let us relax while Web-surfing, the recent moves from Microsoft (making code access impossible, launching a competing anti-virus solution) clearly show the company’s intention to once again eliminate rivals. On the other hand, I certainly would NOT mind having a secure Windows, which could at least stop attacks at a lower level, before any virus starts messing up my machine. And which would also allow me to save money on other security solutions (including OneCare…).
This is actually the core of the Symantec-Microsoft war. The anti-virus industry was built upon Windows' weaknesses. Now that Windows grows stronger, the industry sees its existence threatened and tries to fight back.
I am eagerly awaiting the outcome of this situation, but I wonder: is it good to have Windows as the winner?