Tim Anderson's ITWriting

September 20, 2006

Securing Windows: why Microsoft is fighting its third-party partners

Microsoft is right to do battle with the security industry. Admittedly the problem it faces is largely of its own making; but it has to take radical steps to improve Windows security and to compete with Apple in the consumer market.

The issue in a nutshell is that a lucrative industry has grown up around Windows insecurities. Consumers are told that after purchasing their PC complete with genuine Windows, they must take out an additional subscription to secure it. At a minimum, this third-party software hooks into Windows networking, replacing the Windows firewall, runs constantly in the background looking for viruses, and extends the user's email client to look for malware and perhaps spam.

What's wrong with that? Several things.

First, the quality of these third-party products is mixed, and while the main contenders probably do a competent job, they invariably overreach themselves, befuddling the user with alarmist reports about mostly harmless features like cookies, or interfering with useful OS features like the Windows Scripting Host. Of all the products that a user installs, the security suites are the most likely to slow down performance and break other software.

Second, users frequently do not maintain their subscriptions. I don't know the exact figures, but I see so many machines with expired security software that the problem must be huge. In the case of anti-virus software which depends on up-to-date signatures - a broken model - that makes it worse than useless. Yet users often think they are somehow secured by this software and take more risks with things like email attachments.

Third, the user experience offered by security software is often poor, with intrusive dialogs and confusing alerts. It is not clear to users which elements are essential to their security, and which ones are unnecessary bloat. Bearing in mind that Apple has raised the bar on user experience, this is detrimental to the quality of the operating system as well as being bad for security - a confused user makes bad choices.

If Microsoft is to have any hope of securing Windows, it has to make the operating system itself secure, rather than being dependent on third-parties for this critical feature. Microsoft's efforts began in earnest with Windows XP Service Pack 2, with its security center and much improved firewall, and has continued with the free Windows Defender, which counters spyware. Vista has an array of new security features including the contentious User Account Control; and then the thing that most upsets the third parties, the subscription-based Live OneCare, which undercuts their business.

No wonder the third-parties are rattled, claiming that this is just another example of anti-competitive Microsoft pulling new features into the operating system and damaging their business. This is why we are getting the curious claim that the EU is threatening Vista security. The third parties want to be able to replace key elements of Vista security (like the firewall) with their own stuff, and to prevent Microsoft pushing users towards OneCare.

The argument is not wholly without substance, but there is much more at stake here. Security matters to us all and insecure Windows boxes don't only impact their users; they bombard others with virus-laden spam, for example. The current third-party based solutions are ineffective; this whole security circus has got to change radically.

Why would users choose to adopt a paid-for alternative to features built into the operating system? To understand this, you need only unpack a shiny new computer from Dell; I am picking on Dell because I did exactly this recently, but others are likely equally bad. Setting up a new Dell is like walking through Las Vegas; a constant bombardment of advertising. Cleverly worded dialogs appear unbidden, and it requires skill and effort not to modify your system and to accept 90-day promotions of various pieces of security software. Some things that you may or may not want are already in place.

The deal here is that Dell gets its prices down by being paid to pre-install all this stuff. The ensuing horrible user experience is presumably what the third-parties call a level playing field; but it is not. It could also be called an enticement to break your operating system, particularly if you take up 90-day free subscriptions and then do not renew.

You don't get this on a Mac, because Apple controls the whole shebang, from coding the OS to designing the box. That's also part of the reason why Macs cost more. The entire scenario is laden with irony, since Microsoft's success is founded on its third-party partners.

The bottom line is that the mass-market, consumer-oriented PC security industry is bloated out of all proportion. Users should be able to do reasonably secure computing out-of-the-box, and with non-Windows systems - OS X, Linux - they already can. I am right behind Microsoft in its efforts to extend that to Windows systems as well.

Tags: security microsoft windows apple antivirus