
Reinforcing Windows: Help or hindrance?

Could integrating antivirus software into Windows be the key to solving Microsoft's security woes or could the technology create more problems than it solves?
Written by Munir Kotadia, Contributor

Despite the much vaunted launch of its Trustworthy Computing Initiative nearly two years ago, security concerns are continuing to impact on Microsoft's bottom line, with large customers reported to be holding back orders as a result.

In terms of security, Microsoft has had an awful 2003, with a summer of endless patches and security alerts (http://news.zdnet.co.uk/internet/security/0,39020375,39115844,00.htm). Things got so bad that a virus actually managed to penetrate the hallowed grounds of the Microsoft Professional Developers Conference in Los Angeles last month. According to one attendee, who wishes to remain anonymous, delegates were unable to access the conference's wireless network due to a security problem. Apparently, the Wi-Fi network was brought crashing down on the first day because a number of laptops -- belonging to the crème de la crème of Microsoft's developer community -- were infected with the MSBlast worm. Not a great start by any means.

Despite the recent rash of viruses it seems the call for firewalls, antivirus (AV) software and patching has fallen on deaf ears. Foreseeing this kind of problem, in June 2003 Microsoft acquired GeCAD Software, a small antivirus vendor based in Romania. Experts believe this could lead to future versions of Windows having a basic antivirus program bundled into the main OS. True to form, Microsoft is playing its cards close to its chest and keeping plans for GeCAD's technology a secret. At an analyst conference earlier this month, chief executive Steve Ballmer reaffirmed that security is top of the Microsoft agenda. "We rarely fail at something that is our top priority, and this is absolutely our top priority. It's not like horseshoes -- we can't just come close," he said.

The software giant isn't new to antivirus technology. Back in the early 1990s, the company included an antivirus utility made by Central Point Software in its MS-DOS and early Windows operating systems. MSAV, as it was known, was short-lived, however. It was dropped from Windows shortly after Symantec acquired Central Point Software in 1994.

More recently, Windows XP was the first Microsoft OS to include a built-in firewall, but because the default setting is off, the majority of users -- including the PDC delegates -- remain unprotected. To get round the problem Microsoft claims that when Service Pack 2 for XP is installed, the firewall will automatically default to on. But while this will improve security for some users, it could leave others frustrated and confused. If the firewall is automatically on, large numbers of users, especially in enterprise environments, may complain they have to spend time and money switching the feature off as it interferes with internal applications. On the other hand, consumers will undoubtedly prefer the firewall to protect them from the Internet without any tinkering.

Microsoft is facing a similar dilemma as it decides whether to embed AV software in Windows, or offer it as a stand-alone product. For corporate users that deploy AV clients on every desktop, the inclusion of an embedded application could cause problems. James Governor, principal analyst at RedMonk told ZDNet UK that Microsoft needs to be careful in how it implements the technology. "Different antivirus software doesn't tend to play well together in one system and given Microsoft's history of bundling, it would certainly make sense for them to be careful how they implement any strategy in this area," he says.

Larry Bridwell, content security manager at ICSA Labs, an independent research division of security specialists TruSecure, says generally, antivirus programs conflict with each other, unless they have been configured correctly: "Do not have both of them operating in what we would call 'on-access mode' at the same time," he explains, referring to the mode where AV software actively scans for infection instead of waiting for files to be opened.

As antivirus products are designed to detect malicious code they have to be invasive and get close to the kernel, says Bridwell. They also look inside file reads and writes which other programs would not do. "They have to look at certain bits within the stream to see if macros and certain types of activities are involved. When they do that, an antivirus program might step on another program because it feels it needs higher priority," he says.

RedMonk's Governor agrees that antivirus applications argue over system resources. "You can guarantee that some organisations will have that problem because applications argue for each other's resources in a Windows environment." But, he thinks that Microsoft will avoid the problem altogether by not taking on the antivirus companies directly, but instead use its newly acquired technology to change the playing field. "Microsoft is looking to change the game a little -- it is looking at 'behaviour blocking technology', which is where the system is prevented from executing certain operations."


ICSA Labs' Bridwell is also convinced Microsoft will not challenge AV vendors directly, even though the company has purchased the technology and hired personnel to build antivirus products: "We have been told there are no plans to bundle this and make it part of the operating system or the office products. Instead of turning over the same product they purchased, Microsoft is going to redesign the antivirus program from the ground up and build a new product or service, but they have not been clear which one of these it is going to be," he claims.

But according to Governor, although Microsoft doesn't want to get into the same business model as the antivirus vendors, it has to protect its own interests. "When John Connors, Microsoft's chief financial officer, says that some companies have delayed their purchase of Microsoft software partly because of security fears, it is not a problem you can leave to someone else. Microsoft needs to prevent, or at least think about, the damaging behaviour of viruses."

Governor also believes despite boosting the profits of some companies, the AV community has actually been damaged by the recent spate of malicious attacks: "The antivirus community is not immune from spreading FUD [fear, uncertainty and doubt], and these organisations have hardly covered themselves in glory. We have an ongoing virus problem and yet these companies call themselves antivirus software vendors," he says.

So if Microsoft does not produce antivirus software to challenge the current offerings, how will it use the technology it has acquired from GeCAD? Both Governor and Bridwell are convinced that Microsoft will make the best use of GeCAD's technology when it launches the next major version of Windows, code named Longhorn.

Although there is no public timetable for Longhorn's launch, the operating system is not expected for at least three years, by which time the Trustworthy Computing Initiative should be well established. In the seven years between Microsoft launching Windows 95 and Windows XP, there has been an improvement in reliability, stability and usability -- the jump to Longhorn should hopefully be just as significant in terms of security. All programs -- such as file system drivers, utilities, antivirus and firewall products -- from Microsoft and its partners will have to be designed to stringent new standards that will ensure they do not step on one another while they are running, says ICSA Labs' Bridwell.

Microsoft will also make the settings and configurations in Longhorn programmable, which should ensure that applications behave in the manner set by the user or security manager, not in the way an attacker would like them to, explains Governor. "It is often the configurations that allow a particular behaviour to take place. Currently, you tend to have to go out and set the settings at each machine. Microsoft is opening its APIs to change those settings," he says.

But he warns that by opening certain APIs, the company could be inviting virus writers to "really have some fun". "As is often the case with Microsoft, they will give with one hand and possibly take with the other. But providing that is done in a sensible fashion, it will help with behaviour blocking."

Governor adds that if Microsoft does embed an antivirus package into its OS, it should include a reliable uninstall utility: "Providing an easy way to uninstall and install the software would be a very, very good start -- including an off button has not always been Microsoft's speciality, but in this case it might not be such a bad idea," he claims.

So although there isn't going to be a magical cure for virus attacks, the future is looking slightly brighter. Windows users will have to continue taking sensible precautions in order to keep their systems virus-free, at least for the next few years. Microsoft could include an AV scanner into the next Service Pack for Windows XP, but the company seems intent instead on tearing GeCAD's code apart and fusing it with Windows.

We can only hope that a combination of the Trustworthy Computing Initiative, the increased functionality of Windows and more openness from Microsoft will mean that come the Professional Developers Conference in 2007, Microsoft's communications director will not have to run around telling delegates to get off the network because "we've got that blasted Blaster going around".
