"Bowing to pressure from European antitrust regulators and rival security vendors, Microsoft has agreed to modify Windows Vista to better accommodate third-party security software makers. In a press conference Friday, Microsoft said it would configure Vista to let third-party anti-virus and other security software makers bypass 'PatchGuard,' a feature in 64-bit versions of Windows Vista designed to bar access to the Windows kernel.
Microsoft said it would create an API to let third-party vendors access the kernel and to disable the Windows Security Center so that users would not be prompted by multiple alerts about operating system security. In addition, Redmond said it would modify the welcome screen presented to Vista users to include links to other security software other than Microsoft's own OneCare suite. From the article: 'It looks like Microsoft was really testing the waters here, sort of pushing the limits of antitrust and decided they probably couldn't cross that line just yet.'"
News source: Slashdot via Back Page News

Microsoft SO should have stood their ground. This is just bollox.
Edit: actually that's worse than it sounds. An API for 3rd party vendors to access the kernel?
So that means viruses and spyware etc could use that API to access the kernel....
Nah, sorry, that's just not cool
In fact, this is way overblown. They're adding extensions to the API so third party consoles and kits can suppress the warnings from Security Center to avoid double warnings. They can't "bypass" PatchGuard, it's still there and Slashdot or someone have twisted the story to become more than what it is.
Finally, the third issue that the Commission advised we should address relates to computer security. The Commission raised two issues regarding security. The first relates to Windows Security Center and the sending of alerts to computer users by Windows Security Center when there is an alternative or competing security centre also installed on a PC. Following some very constructive conversations, we developed a new engineering approach and have created a new Application Programming Interface (API). With this new API, Windows Security Center will not send an alert to a computer user when there is an alternative security console installed on a PC, and when that security console is sending that same alert itself.
Some security vendors expressed some concerns to the Commission, and to us, that they had previously used access to the kernel to facilitate features in their own product and that they would no longer be able to do so. We were concerned that it would be a mistake for the future of computers if PatchGuard were to be removed or eliminated. We devised a new engineering approach that will create and extend new kernel level APIs so that PatchGuard will be retained, the security of the kernel will be protected, and yet security vendors will have an opportunity to meet their needs through these kernel level API extensions. We felt that this was again the right kind of solution that meets the needs and obligations that we have under competition law, whilst also meeting the needs of computer users around the world.
It's still somewhat unclear as to whether this will affect all versions or just the EU versions. If MS doesn't change the US versions, they risk further anti-trust complaints down the road.
No it's not:
This makes me angry that some dumbass EU judges have undermined the enhanced security of Windows Vista x64 around the world. Symantec doesn't need kernel access! Trend Micro's AntiVirus scanner has been working perfectly fine in the x64 edition of Windows Vista. In fact, Symantec even has a version of Symantec AntiVirus that works fine in Vista x64.
This stink that Symantec raised about Windows Vista was my final straw for them. I will absolutely not recommend any more of their products. I will probably start recommending Trend Micro. They have really done the best in delivering Vista compatibility.
Last edited by Chugworth on 15 Oct 2006 - 17:36
Hmm, perhaps it is you who is wrong
I took this from a CBC article
"Based on this guidance, we have made changes to ensure that we're in compliance with our competition law obligations, and we are moving forward to make Windows Vista available on a worldwide basis."
Smith also said Microsoft had changed Vista in Korea to meet requirements there.
Since it specifically mentioned that they changed Vista in Korea, maybe they only changed it in Europe and Korea, and not in the US/Canada
I think the whole "worldwide basis" thing meant they want it to be available on a worldwide basis, and not changing it on a worldwide basis
Summary of Windows Vista in Europe
Based on this discussion, we agreed to make these changes in Windows Vista on a worldwide basis, and we committed to the Commission that we would retain these changes in Windows Vista regardless of the outcome of the case currently pending before the Court of First Instance.
This is right below the "Amendments to Security Features" part. So I think it is clear these changes are being made to all versions, so Chugworth is correct.
There is another section dealing with availability:
Our plan is to provide this to volume license business customers next month, in November, and then provide it on a worldwide basis for general availability in January.
Perhaps you should try actually reading about the changes, rather than just bashing the EU regardless. The changes do not undermine security but recommend non-Microsoft software and reduce duplicate messages, allowing 3rd party software to be better integrated. I'm all for Microsoft improving security but they HAVE to play fair with regards to competition. Microsoft have responded to criticism and tried to improve their product - they haven't been forced to make these changes. You don't help the situation by not reading posts properly - you're just contributing to the filth and misinformation that plague the web.
Totally agree that they should make sure 3rd party security software should be better integrated.
But I think there is a line of security and access levels (kernel access, ring0, whatever) which they HAVE to draw.
In XP that line wasn't there and loads of products (and companies built up around those products) which sat there and looked at what was accessing that gap. In Vista they can't see what's happening in that zone because they can't get access. Thus they think it's somewhere their product should be allowed to look at and a potential security risk because it can't. They built their businesses on the flaws Microsoft had in XP. If Microsoft want to fix those problems, putting certain aspects of some businesses out of action, then they still should be allowed to do that, regardless of the fact that they might destroy some companies.
I'm not saying we don't need anti virus solutions, just they don't need to be as all encompassing if Microsoft do their job right. Hopefully with Vienna there will be an even lesser role for Antivirus companies.
If Vista is strong enough for these antivirus companies to actually NEED to ask to be able to get access to it. Then I don't think it's a problem they should be able to question, at least not yet.
That's what this news is, they are being able to question it. And that's why it's not good, and why Microsoft should get some new, bigger, balls. The fact that this is now and before Vista's kernel has been proved, in any way, to be at risk; means that this is purely to protect their profit projections. And Microsoft should issue a statement which says. "We have tools ready, if this thing goes tits up then you can have them and Vista will be all ready for your products to protect it. If it has no problems, then you don't need this contingency information."
Whilst that might sound simple the reality is very different. You're talking about millions of dollars, thousands of jobs and an entire industry built around protecting Windows users. You can't just have companies like Microsoft just deciding to wipe out an industry... it's not good for the consumers and it's not good for the economy. Also, you have to be careful that Microsoft don't fix security this time but let it slip for the next version of Windows - then the antivirus industry has already been destroyed and Microsoft can step in with their $40 a year subscription model. I'm not saying they would but that's what governments are there / should be there for - to protect the consumer. The EU is far more consumer centric than the US, hence the problems that Microsoft has had with them... it's in contrast to the pro-business mantra of the US.
I don't think that Microsoft should be opening up huge holes in the OS to cater to a few companies that make money from Microsoft's flaws - that's not what I'm advocating. However, Microsoft has an obligation to make sure developers can properly support a platform and that they have the same access to the OS, via APIs and such, as Microsoft antivirus developers have. My understanding is that they're not opening up huge holes but just allowing the competition closer access, particularly to the Windows Security Center - if that's the case then there's no problem and it is a good move (despite people's objections to Norton/McAfee).
I don't see that they are protecting the consumer with this. I think they are protecting business. Something like Office having access to OS data which competitors can't get IS something they should be working to stop. Which they did. Fine. But security is different. They should be making Microsoft supply as bullet proof an OS as possible. This doesn't help that.
Like I said before Microsoft should draw a line in the sand and defend it like they do their intellectual property. That line would be a section of the OS (kernel?) which they provide security within. Anti-virus software shouldn't need to be past it. And they should provide basic tools, like virus scanning (heuristic/signature based) and firewalling, to protect it.
That should come in the box. If the OS isn't safe out of the box (to reasonable levels) then THAT'S what the EU (and everyone else) should be coming down on them for. In other words granny shouldn't have to worry about 99% of security problems with basic training.
Now, if some company wants to provide a different, lower level (ie with EVERY other bit software the system runs), anti-virus solution for email, incoming web traffic, exe's, packed files..... etc. Then they can and Microsoft should provide them with everything they need.
But that's a rant... I think we are saying the same thing.
I have to say I would like the day to come soon when companies like Symantec are only for corporate sectors. I hate the fact that I have to spend money on anti-virus subscriptions because Microsoft can't make their product to a level I can trust that nothing is going to worm its way in.
This looks like the first indication that they don't have 100% faith in their product.
And getting this API to disable security centre alerts, is the first step for a virus writer to get something into the system without indication for the user. It sounds like they are giving out something which switches off the OS's CCTV.
It's bad news.
Last edited by joeydoo on 16 Oct 2006 - 03:38
And people disliking the EU at all just because of Microsoft is stupid. They are definitely more consumer centric. For example, there is a "HD ready" label here, which is some kind of standard that means that a TV is capable of displaying 720p and 1080i signals, that the TV has a digital input (HDMI or DVI) and that it has HDCP on at least one digital input. This is an advantage because the consumer can be sure that the TV will be compatible with whatever they release in the future. There are many TVs that have a higher resolution than the standard HD that are not really HD, that don't have HDCP, etc. This standard makes it easier for consumers!
And a lot more things!
It's Microsoft the one deciding here. They are saying "Well, now you will get a less secure OS because of your laws". My guess is that before they release anything, they want to be sure they won't be fined the hell out of them. Maybe they want the EU to say "Wait! don't un-patch the kernel. We prefer a safer OS".
HD ready is also in the US. I don't know how a sticker really benefits anybody, anyways.
Pro-business IS pro-consumer. Think about the word. CONSUMER. They consume products, made by businesses. If business can't compete, there's no products to be CONSUMED.
Will you be using a third-party virus scanning software? or something like that.
Anyway this only affects the 64-bit version.. 32-bit doesn't have PatchGuard, I wonder if Vista64 will be so used besides with some geeks...
It better do - it's a shame that Microsoft even bothered with a 32-bit version, as it only serves to split the userbase. I fear that too many 64-bit computers will be loaded with 32-bit Vista by OEMs trying to preserve compatibility (ironically making 64-bit compatibility a lot worse due to a lack of demand). I think the OEMs will really decide its fate.
We don't lose out.
What's funny is that Microsoft has spare time to do that, but they can't fix a Windows 3.1 font dialog. Funny.
Seriously PLEASE get over that. How often do you install fonts that way?
*sigh*, MS added a few extensions so that third party developers can suppress the warning dialogues from Security Center. They didn't open expressways to the kernel for anybody to use.
I really thought the EU would see sense on this one. What's next? Making car manufacturers make cars without car alarms, to keep the companies that make the steering wheel locks in business?
How does this benefit customers? The quality of Neowin articles has gone downhill but damn that's the stupidest question I've seen here in a while. Just because they are beta testing and have parts of it working does not mean they would have full features that other versions provided. I also believe the issue here was more specifically the anti-trust laws (ie Microsoft not allowing equal access to other software suites through the Security Center and/or Welcome Center - similar to issues that arose regarding the default search engine in IE). If Microsoft were allowed to make this move, regarding anti-trust laws, who is to say that they couldn't just keep pushing that line a little more until it really seriously affects customers as they have done in the past.
I'm not blaming any one party. Microsoft did not have to make the kernel changes, no, but I'm sure they would have received a few letters from the EU regarding it and they obviously knew it was in their best interest to do so.
IMO, all that Microsoft has to do is include some links to install antivirus from other vendors and that's it. Symantec can go to hell and let other worthy antivirus do the job.
I don't think the EU would have ever told Microsoft "Hey, you patched your kernel to block Symantec. Go unpatch it". But including links to OneCare, and bundling Windows Defender, that's something competitors don't like at all, let's face it.
After all, it was in the US where they got the big "IE integrated into Windows" thing. The EU was some stupid "bundle Windows without WMP, please"
damn so all these anti virus companies get free advertising?
That's better than the consumer being completely oblivious to alternatives. It's not in consumers' best interests to have Microsoft dominate every market just because they can slap in adverts everywhere, whilst at the same time making it more difficult for the competition to properly integrate their products into Vista. That does not mean that Microsoft should be forced to bend over to the competition but it does mean that they have to be monitored to prevent abuse and promote open and fair competition.
No, what happens when things like that are done is only a few choice select alternatives are given to the consumer. What about products that are not well known? It's not necessarily in the consumer's interest to know only standard alternatives. ... It's like politics in America; Republicans and Democrats think it's just perfectly fair if they get free ballot access and airtime they don't have to do anything for at taxpayers' expense (justified not legally by election results or political power but their "historical role")
I agree. The links should reflect the products out there, not who has the best relationship with Microsoft. However, I fear that is asking too much.
I for one will use Avast, AVG or maybe OneCare - never again will I use McAfee or Norton as they and their bitching disgust me.
You hit the nail dead on the head!! Stupider than a box of rocks!!
First, all drivers have to be signed to get access to the kernel - that means purchasing a $300 certificate. If malware/rootkits do get signed, MS can easily blacklist their certificate.
Second, drivers already have access to the kernel. It's already possible to hide registry entries and files using fully supported means.
The argument for PatchGuard should be stability not security. The unsupported patching that many vendors do is inherently unstable (once you install a hook you can't unload it safely). What MS should do is create a stable API (which they might be doing according to this article) to patch the SDT.
Please understand the implications of patchguard before posting total nonsense!
Hopefully stupid users will realise the UAC is now more important to them and just not idly click yes to everything.
The EU is partly to blame as they love suing MS. The Symantec/McAfee bitch fest is just the excuse they needed.
However the second paragraph makes it sound more like only the security center and prompts are disabled
I really don't see them giving vendors kernel access, I'm sure they are more aware than anyone that if they leave a backdoor or hole to trusted vendors it will eventually be compromised.
Microsoft is being a bit childish on this. They kinda went on and said "Hey, EU, is Vista legal enough for you, or you have something to comment? Because we can delay the European Vista release to adapt it to your liking". And the EU said "it is up to you to follow the law".
They HAD!
EU said: we thought out a way to sue you to the ground. But we will not tell you how until you ship Vista. Or the fish can get away from the hook.
However they added an API that lets virus vendors disable the MS security center, so that if they're not happy about rebranding the built in one, they can add their own security center and have the built in disabled so you don't get dual prompts.
THE KERNEL PATCHGUARD IS STILL THERE
Folks, a whole industry has grown up around Microsoft's horribly flawed operating systems. Companies like Symantec, Norton, et al, have staked everything on the antivirus/anti-malware market, that sprung up in the first place because . . . . . .
***drum roll**
WINDOWS IS (AND WAS) INSECURE BY DESIGN. Period. End of story. I'll get back to this point in a little bit.
And now, after years of serving the Windows community (on which these antivirus companies depend), they are faced with a situation in which they will be locked out. If I was at a board meeting with Norton or Symantec execs and my livelihood depended on feeding antivirus software to consumers, I WOULD BE DAMNED if that board simply allowed MS to suddenly walk away with an operating system which not only locks us out of our current business relationship, but seems to (at least in principle) take away the consumer's choice (which they have had for years) in regard to protective software. Put yourself in the shoes of this antivirus industry, and you'll understand why execs, programmers, and distributors take a dim view of MS giving the virtual finger to 3rd party developers of antivirus software and associated products.
It's simply too late for MS to provide its own security solutions and walk away. Blame Microsoft. MS has blown off security concerns for years, and has happily opened the door to 3rd party developers to come in and fill the need.
One would have thought that security concerns would have been taken care of with Win95 and 98, ME. But Windows XP Home Edition shipped with five ports open!!! And in 2001, no less. Mac OS X, by comparison . . . you guessed it. No open ports. Anything that tried to install itself on Windows, did. Not even a basic password prompt to warn users that crap was being installed onto their hard drive. It's so simple, so basic. But the last thing MS was going to do back then was to provide their own security solutions (as if ! ) when they knew full well that 3rd party developers would pick up the slack and fill store shelves with their own solutions. Far cheaper for Microsoft. Except who ended up paying for it? YOU. The user.
And now, here we are. The move by the EU and the cries of foul by antivirus developers is understandable. MS can't simply walk away from their business model without the interested parties blocking the exit. And only Microsoft is to blame.
As for Vista, I have no vested interest in it, as many of you have come to realize. I run OS X. But my best advice to you is this: either live with the lingering security problems that will certainly exist in Vista (on whatever scale), or just stick with XP for as long as you can before you deem Vista secure enough to use. Time will tell. If all else fails, you know that there are operating systems out there that can serve you just as well, at least in the home.
Last edited by LTD on 15 Oct 2006 - 13:22
It's more of the companies' fault for basing their business around something that could change.
Put yourself in the shoes of Microsoft, and you'll understand why execs, programmers, and distributors take a dim view of the antivirus industry demanding that they open up the kernel so that the antivirus industry doesn't lose their business model.
All the other companies are getting on with it, and working around it. Symantec has (instead) made the OS insecure for users so they can make a buck. Makes you wonder who is really making viruses...
MS ignored security for years. THEY caused the antivirus industry to grow with the speed and power that it did. Somewhere between Win 3.1 and Win95, whether MS anticipated security issues or not, someone was paid quite a bit to decide that MS should just farm out security development to 3rd parties. Bad move, obviously. Did they realize it back then? That's not for me to say.
Angry consumers, yes, a lot of you are. But don't let that cloud your reasoning with respect to economics.
And no, I most certainly will *not* put myself in MS' shoes. The guilty party in all this can stand as guilty. They'll get no compassion from me. And sorry, nor will the angry consumers who refuse to understand that they have basically been shafted by MS' irresponsibility (ignorance?) from the very beginning.
majortom: I'm not sure I understand the first part of your argument. Please restate.
Fair enough. You're defending MS' efforts to finally handle security *on their own.* It's a noble, consumer-centric effort by them. Problem is, it's too late for that from an economic perspective.
It's Microsoft's business history with these manufacturers/developers that is in consideration here. These developers were there from the very beginning. These relationships that were forged so closely and which were so *dependent* on one another, at this point cannot easily be severed without serious implications, even legal.
From an economic perspective, MS doesn't own their operating system. Had this issue surfaced back in 1998, we would probably see MS winning hands-down. But MS happily continued to farm out security development for years and years. It's too late now. The interested parties are not backing down. MS wants to sell their crap. But everyone else depending on MS does too.
This is one aspect of the problem that provides the legal/legislative framework for the current action taken against MS.
With that reasoning, Microsoft is basically forced to create a fundamentally insecure OS forever, just because a whole market of parasitic security applications exist?
3rd party security products are not just like any other application, where the user can decide whether to have them or not, they are there basically to fix someone else's (MS) mistakes.
The whole 'windows security' market is a fiasco, it's completely stupid for companies like Symantec or McAfee to base their business on someone else's mistakes. If that 'someone else' one day decides to stop making the mistakes, their whole business goes down the drain.
IMHO of course
Bingo, other vendors already have Vista compatible editions. If they don't want to invest the R&D to bring their product up to scratch then that's really their problem, not Microsoft's. Their argument that they couldn't secure the OS went out the door as soon as other companies ported their antivirus apps to Vista.
IMHO Symantec and co are too busy updating the UI and adding new features to want to recode the core of their suite which is why they are now throwing their arms in the air.
Sekhmet, agreed.
Part of the problem is the kernel-access issue. Consumer choice is also an issue, though technically, if MS locks down Vista so well, consumers won't actually *need* a choice in this area. It's already there, and it should work (although time will tell.)
Is it ever too late to start caring for the security of your product? Good question. The answer from a moral, business-ethics perspective is: no, it's never too late. But why not in 1995? And after the security fallout from 1995-98, then why not in 1998? Fair enough, alright. XP was a new effort, a departure from the 9x code. Here's a chance to really make a difference in 2001. By 2001, surely, there were so many of us online, in businesses and homes that MS would have taken the reins themselves and shipped an OS that was plugged-up and stuffed full of security measures like a Christmas pig. Didn't happen. WinXP shipped as an astoundingly insecure OS. What the hell?? There was 95, 98, 98se, ME, 2000, am I missing one? Oh wait, McAfee and Symantec et al have already been providing security measures - imperfect, but there they were. MS saved lots of $$$ in R&D. The focus on security at that point would have still been very expensive. Plus, buying 3rd party antivirus software was by now normal and expected. Like putting oil in your car. Besides, to focus on in-house security solutions would have taken away time and money from MS' REAL goal: to make their software work better together, i.e., Office.
So is it too late to do the right thing in 2006-07, that should have been done years and years ago? No, it's never too late. But now MS isn't alone. It's a big bed and there's lots of people in it with their own business interests. Don't forget, MS invited them over in the first place.
Some sleepover, lol.
But there are lots of businesses around the globe that profit by fixing others' mistakes. And if those mistakes aren't fixed by the originating party for a length of time, they are in effect economically wedding themselves to those who provide the solutions. It can be extremely profitable for those providing the solutions, and yes, they do have their day in court when they seek their own protection down the road.
Alright, that's fair. But whichever solution provider implemented its software in xyz-pathway (i.e., registry access, kernel access, etc.) now has to re-write or change its software in ways they themselves deem to be significant or economically-taxing, they are going to have their say and will be given an opportunity to air their grievances. It could indeed be laziness, but they'll have to be given an opportunity to complain.