It was widely reported last week that Microsoft and the EU are once again disagreeing on the extent to which Microsoft can bundle additional functionality into Windows — in this case, security functionality into Windows Vista. There is a chance that Windows Vista availability will be delayed in the EU (see "Events Aligning to Make Vista Delay More Likely").
Let's set straight a couple of things up front. First, there is a difference between Microsoft's efforts to deliver more-secure code with Windows Vista and its efforts to deliver more security functionality in Windows Vista. The former reflects Microsoft's ongoing efforts to integrate security into its software development life cycle process to produce more-secure code. This is not at issue. The EU's issues are with the latter — specifically, where Microsoft is adding additional security functionality into Windows Vista, which may adversely affect competition in the market.
The second thing to note is that, while the U.S. may accept monopolistic behavior that hurts competition if, ultimately, the consumer benefits, the EU does not. The EU has ruled that Microsoft's monopoly position in desktop operating systems should not be used to unfairly enter, or adversely affect competition in, other markets.
I believe the EU has some valid concerns in some specific areas reported. Let's look at two: Windows Defender and PatchGuard.
Windows Defender. This is Microsoft's integrated and on-by-default antispyware engine, complete with signature updates. To the extent that stand-alone antispyware vendors still offer products, this gives Microsoft an advantage. However, we believe there is no long-term sustainable market for stand-alone antispyware software (see "Stand-Alone Spyware Blockers Won't Become Separate Market" and "How to Get Free Anti-spyware (or Antivirus) Protection"), just as there is no long-term sustainable market for stand-alone personal firewalls (see "Desktop Personal Firewalls: When to Buy, When to Wait"). The firewall (present for many years in Windows) does not appear to be an issue, but the situation with the collapsing market for stand-alone firewalls and antispyware is almost exactly the same, regardless of Microsoft's bundling. The market trend is toward converged desktop security offerings that combine firewall, antivirus, antispyware and other forms of security protection. Symantec, Trend, Panda Software and others provide integrated antispyware and personal firewall capabilities for their users at no additional cost.
Microsoft's antispyware and personal firewall offerings can be deactivated if another vendor's offering is used. The only purpose for the EU to take action here would be to nominally prolong a contracting market. In theory, Microsoft could offer a version with Defender disabled or, alternatively, removed altogether. In either case, Microsoft must ensure that, while it offers its add-on security products (OneCare for consumers and Forefront for enterprises), having Defender in place does not make it easier for Microsoft to offer its combined antivirus and antispyware product than it is for other independent software vendors (ISVs) to offer theirs.
PatchGuard. This is Microsoft's built-in protection in the 64-bit version of Windows that keeps software from directly modifying the kernel. This capability is not new with Windows Vista — it was first introduced with Microsoft Windows Server 2003 SP1 and Microsoft Windows XP Professional x64 Edition. However, we believe this is an issue because the 32- and 64-bit versions are shipped as a single product with Windows Vista (with the choice of version made at installation). There is a legitimate concern here. Many third-party security products (especially behavioral intrusion prevention system products) directly patch the kernel and its system tables to link in their functionality. Therefore, they will not work on Windows Vista in 64-bit mode.
Although PatchGuard was not raised as a significant issue with Windows Server 2003 SP1 or XP Professional x64 Edition, these were separately charged products and, more importantly, Microsoft hadn't yet made its intentions clear to enter the host security market. On the positive side, operating systems (OSs) need to be made more secure, and all OSs should evolve mechanisms, such as PatchGuard, to protect the kernel. However, as a monopoly desktop provider, Microsoft has a legal obligation to ensure that it doesn't disadvantage competitors — especially in security, where Microsoft now competes.
Microsoft should have included ISVs in developing PatchGuard. It should also have developed mutually acceptable mechanisms for legitimate, trusted security software to use kernel hooks, much in the same way that signed device drivers are used to control the introduction of third-party drivers. This would require significant rework and could delay the release of 64-bit Windows Vista in the EU. It would also likely delay the release of the 32-bit version, because the 64-bit option would have to be removed from the installation process and media.
As a shorter-term alternative, Microsoft could modify Vista to enable administrators to disable PatchGuard and assume the risk, much like what Microsoft has done with Data Execution Prevention, which can be disabled.