Microsoft Realizes No One Wants To Pay Microsoft To Fix Its Own Security Flaws

from the that's-how-it-works dept

Back in 2005, when Microsoft was first mulling the idea of offering security software, we noted that the company was between something of a rock and a hard place. If it decided to charge for the software, people would accuse the company of trying to get people to pay to protect themselves from the security vulnerabilities in Microsoft's own software. Yet, if they went free, then they would face screams about antitrust violations for undercutting competitors in the security software market. We also suggested a third option: design better software that doesn't need security software. But, failing that, Microsoft chose what I think was the worst of the three options: selling security software. Perhaps not too surprisingly, not too many people took Microsoft up on the offer. It could be a combination of reasons why. First, Microsoft just doesn't have a good reputation when it comes to security. Second, that whole issue of paying the same company that created the security holes in the first place. Finally, it might just be inertia. People buy from McAfee or Symantec because they're two names that have been around forever and are recognized (and, most importantly, bundled on many brand-name computers).

So, after a couple years of failing to make much of a dent in the market, Microsoft has abruptly shifted to option number two. It will no longer be selling its OneCare security software and, instead, will be offering a free security suite for users, though with fewer features than the old OneCare offering. The various security software companies put out statements saying, of course, that this is no big deal, but you have to believe they're now doing whatever possible to stir up some complaints out of the Justice Department that this is an antitrust violation. Maybe a few years down the road Microsoft will simply move on to option three, and make software that doesn't require separate security software.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: antitrust, free, security, software
Companies: mcafee, microsoft, symantec


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Ajax 4Hire, 19 Nov 2008 @ 7:49am

    Add another example to oxymoron

    Two words that do not go together:
    Microsoft Security
    Military Intelligence
    Deafening silence
    Pretty Ugly
    Resident alien
    Nondairy creamer
    Jumbo shrimp
    Civil War
    Microsoft Security

    link to this | view in chronology ]

  • identicon
    John Doe, 19 Nov 2008 @ 8:15am

    There is a flaw in the logic that MS should create an OS that doesn't need security software. It can't be done, there will always be security holes as there are a handful of guys developing the OS and thousands trying to break it. Just look at the music and movie industry. They have spent billions of $ and their protection schemes are usually broken before it hits the shelves.

    link to this | view in chronology ]

    • identicon
      Chronno S. Trgger, 19 Nov 2008 @ 8:51am

      Re:

      Yeah, but Microsoft could backup and release an operating system that is just an operating system and not an experience. Let the user decide if we want Windows Media Player, Internet Explore, Outlook Express, Windows Defender (vista), and however many other programs that come with a flat install of windows. There are only a few true Windows updates, the rest are to patch a security hole in one of the added programs.

      link to this | view in chronology ]

      • identicon
        Wesha, 19 Nov 2008 @ 9:15am

        Re: Re:

        Oh, you mean Linux?

        link to this | view in chronology ]

        • identicon
          Chronno S. Trigger, 19 Nov 2008 @ 12:40pm

          Re: Re: Re:

          No, I seriously do not. I've found that Linux is just as bloated if not more so than Windows, same with the new Mac OS.

          I mean more like Windows 3.1. It came with notepad and a calculator. Put in a vary basic browser so people can get online and download the full IE or Firefox and then they can download the other programs of their choice. From there, the third party programs aren't a security vulnerability for windows any more.

          link to this | view in chronology ]

          • identicon
            Cixelsid, 19 Nov 2008 @ 4:07pm

            Re: Re: Re: Re:

            You've been using the wrong distro. Linux kernel fits on a 1.44 MB stiffy. You don't need to install ALL the window managers. Get a book and educate yourself.

            link to this | view in chronology ]

  • identicon
    Old_Paranoid, 19 Nov 2008 @ 8:47am

    On software without defects

    I should note that I joined Micrsooft about 5 years ago, and have been working on security for the entire time.

    It is not that it is impossible to make such software, but that nobody would want it: Formal methods and verification methods are available that can come very close, but only for very small systems.

    Protocols that are provably correct are very simple and are not the ones that are deployed in the market. Customers scream when you break app compat and are always looking for new neat feature sets. Increasingly, the feature and the vulnerability are one and the same, the difference is the intent, look at the issue of web mashups, neat when used as you intended, not so neat when used maliciously.

    We have been heavily criticized for our "overempahisis on security" in Vista -- people want features and ease of use first.

    As for me, I run Server 2008 on my notebook. It doesn't have all those neat features.

    link to this | view in chronology ]

    • identicon
      jonnyq, 19 Nov 2008 @ 9:15am

      Re: On software without defects

      "We have been heavily criticized for our "overempahisis on security" in Vista -- people want features and ease of use first."

      No, MS has been criticized for a poor implementation that trains users to click "OK" on everything that pops up and can still conceivably be worked around. The other OSs still have a better security model, and they don't sacrifice usability in the process.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Nov 2008 @ 9:34am

      Re: On software without defects

      So what you're saying is that it's a balance of
      security vs. (convenient)features.

      Would it be overstating to say that at your company,
      the emphasis is on features...

      -cmh

      link to this | view in chronology ]

    • identicon
      Cixelsid, 19 Nov 2008 @ 10:09am

      Re: On software without defects

      You know what I want? Windows 2000 with DirectX 10. Will MS give it to me? No.

      I have to say its pretty fucking typical for a dev to blame his users for the crap in his software. I dont care about your problems. If you want me to pay for your software then make it work and make it useable.

      link to this | view in chronology ]

    • identicon
      TW Burger, 19 Nov 2008 @ 10:40am

      Re: On software without defects

      I have to disagree with you on customers screaming for new features. I have stopped using MS Office and moved to Open Office due to the constant churning of the software interface and introduction of features very few people want or use and the rearrangement or deletion of those that they do use.

      I design and code software for a living. Users want new versions of software that work better. This means faster, more easily, more securely, more intuitively, and with less (hopefully no) problems. They do not want another layer of mostly useless crap to learn.

      Security can be a painless part of any software if designed correctly.

      It's interesting you run Server 2008 on you notebook. This shows that you also prefer functionality and speed over the glitzy but limited and often irritating interface offered with Vista. I would run a Windows Server OS on my machines too, if I could afford the license (Windows Server 2008 Standard: $999 (with five Client Access Licenses, or CALs)

      source: http://www.microsoft.com/presspass/press/2007/nov07/11-12HyperVPR.mspx).

      link to this | view in chronology ]

    • identicon
      finid, 20 Nov 2008 @ 2:27am

      Re: On software without defects

      Are you sure that nobody would wnat software that's well written and secure? Have you tried Linux?

      link to this | view in chronology ]

  • identicon
    William C Bonner, 19 Nov 2008 @ 9:18am

    I have been Happy enough with OneCare

    I've been using OneCare for the past 10 months, and have been much happier with it than any of the consumer grade Norton or McCaffee products I've used recently. I'm sad to see MS appearing to be giving up on the product space.

    The problem with any of the antivirus warnings is that the end user overrides an installation prompt. Some people are just that much more likely to become infected than others.

    link to this | view in chronology ]

  • identicon
    HMMMMM, 19 Nov 2008 @ 9:47am

    Microsoft Security?

    Since when has Microsoft been into security? They have been busy trying to patch what they code for everything else. One Care was a joke. Microsoft is a JOKE! You want real security? either buy a MAC or get involved with Linux. Get real people Microsoft will always be the biggest joke of any OS known to man.

    link to this | view in chronology ]

    • identicon
      Jason, 19 Nov 2008 @ 10:49am

      Re: Microsoft Security?

      Microsoft is no worse for security then either of those operating systems, as mentioned earlier, the only real secure OS is one that doesn't interact with other PC's, Users or Programs.

      Programs need security holes opened to work, once people figure out what holes are opened they can abuse it, it's quite simple.

      The only reason you see time after time, microsoft getting hit, is because of a 90% market share. Who do you think the Virus makers are going to target someone with 90% market share or the 10% which is spread between Unix, BSD, Linux, Mac OS, all which have different kernals and different security holes opened?

      link to this | view in chronology ]

    • identicon
      Spectere, 19 Nov 2008 @ 11:20am

      Re: Microsoft Security?

      You want real security? either buy a MAC

      Mac OS X is certainly not known for its security. The only reason you don't see more attacks against Macs is because of their relative obscurity.

      If Mac OS X had the same market share as Windows XP and Vista, Apple would be having as many problems as Microsoft has had.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Nov 2008 @ 9:50am

    if it was not for MS computers would not be easily accessable by the average person. People forget to mention that and give credit where positive credit is due to them.

    WHen MS warned that vista was not going to be backwards compatible no one listened until it was too late and then all they could do was complain. THen MS had to change it.

    Unix would never had thought of a gui interface if it was not for the work of MS. So people do all your complaining that you want about the MS but give them the credit thats due to them in a honest way and not a critical fashion. Otherwise if you cant do both then SHUT UP!!!!!!!

    link to this | view in chronology ]

    • identicon
      hegemon13, 19 Nov 2008 @ 10:02am

      Re:

      "Unix would never had thought of a gui interface if it was not for the work of MS."

      Um, I agree that Microsoft has been indispensably influential, but don't you think your above claim is just a bit far-reaching? There were other GUIs before MS, and it is a pretty natural evolution to go from UI to GUI.

      link to this | view in chronology ]

    • identicon
      Cixelsid, 19 Nov 2008 @ 10:19am

      Re:

      What the fuck are you talking about? First GUI interface was developed by Apple you fucking moron.

      The only worthwhile OS developed by MS was NT and that was largely designed by an outsider called David Cutler and was based on his experience with DEC's RSX-11.

      The only thing MS has ever done right is marketing.

      link to this | view in chronology ]

      • identicon
        Andrew, 19 Nov 2008 @ 10:29am

        Re: Re:

        The first real GUI was developed by Xerox, as was the mouse.

        link to this | view in chronology ]

        • icon
          Mike (profile), 19 Nov 2008 @ 10:57am

          Re: Re: Re:

          The first real GUI was developed by Xerox, as was the mouse.

          Actually, the mouse was invented by SRI, and then copied by Xerox (well, some SRI guys went to Xerox).

          link to this | view in chronology ]

      • identicon
        squirrelworks, 19 Nov 2008 @ 10:59am

        Re: Re:

        @cixelsid

        you know - the immediate jump to idiomatic swearing shows a... lack of intelligence...

        but putting that aside... here are the facts that you brutally misrepresented

        The honor for producing the first working GUI goes to Doug Englebart – at the time an employee of Stanford Research Institute. Englebart and colleagues created a program called the oNLine System in 1965-‘68. This program used the first mouse, a windowing system, and hypertext, and was based on a description of a system called “memex” proposed by Vannevar Bush in 1945. The name “mouse” comes from this period. The mouse used in oNLine had three buttons on one end and the line coming out the other end. Apparently, the buttons for eyes and nose, plus a cord for a tail, reminded the users of a mouse and the name stuck.

        Years later, still in a time when nobody knew what the future of computers was to be, Xerox put together a team of researchers who did nothing more than put ideas together to see what they produced. The team, located at the Xerox Palo Alto Research Center, was convinced that Englebart’s model would work on computers available for individual work stations, and they produced two working models, the Alto and the Star. The Star was made available to the public, mouse and all, in 1981. But it was very expensive, and they sold only 25 thousand of them. But this was the first GUI-based OS available to the public.

        sorry to burst your bubble...

        link to this | view in chronology ]

        • identicon
          Cixelsid, 19 Nov 2008 @ 4:10pm

          Re: Re: Re:

          Fuck whatever. I read like the first few lines of your boring post. Point is: it wasn't MS. SOrry you had to spend 3 fucking hours writing that shit.

          link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Nov 2008 @ 2:36am

        Re: Re:

        Yet another Mac Fanboy I guess, jumping up and down till his face turns blue 'cos no one's listening to his cries. Get the facts before you call someone a moron, moron.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Nov 2008 @ 10:44am

      Re:

      UH, pall Xerox invented the GUI, Apple bought the GUI, Microsoft coppied the GUI.

      link to this | view in chronology ]

    • identicon
      TW Burger, 19 Nov 2008 @ 11:07am

      Computers for Everyone

      I disagree. This is like saying that if it were not for the existence of General Motors no one would be able to buy a car.

      Gates was in the right place at the right time and had the ability (rich parents) to take advantage of the opportunity. If not Microsoft another company or companies would have provided a solution. And remember, the first IBM PC cost about $1600 in 1981 (about $5000 to $6000 in today's dollars). Hardly an everyman's budget.

      Given different circumstances the PC market would be dominated by a much different company that rewrote UNIX or another OS for the PC (instead of buying a version of CP/M ported from the Z80 to the 8080 CPU) and called that operating system IBM-DOS.

      Microsoft should be commended for donations to schools, charity works and other contributions to the people of the world. They deserve no credit for creating a PC market or making computers affordable. Free enterprise and democracy did that. Consumers must complain about a company's products in order for them to improve, the best way is to treat companies like politicians and vote with your dollars.

      The problem is that MS controls the market and is dictatorial in it's policies. This may be why German government bodies, being more somewhat more aware and sensitive to the ramifications of acquiescing to fascism, have been world leaders in adapting non MS PC solutions (Linux).

      link to this | view in chronology ]

    • identicon
      redhatnation, 19 Nov 2008 @ 3:25pm

      Re:

      "Unix would never had thought of a gui interface if it was not for the work of MS. So people do all your complaining that you want about the MS but give them the credit thats due to them in a honest way and not a critical fashion. Otherwise if you cant do both then SHUT UP!!!!!!!"

      BS. MS didn't invent a windowing system. That came out of PARC and Xerox. Unix had windowing systems years before MS. Moron.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Dec 2008 @ 7:13pm

      Re:

      GUI's existed in Unix years before Microsoft Windows. Sun had a workstation long before Microsoft had a GUI.

      link to this | view in chronology ]

  • icon
    Killer_Tofu (profile), 19 Nov 2008 @ 9:52am

    Antitrust violation?

    I apologize but I do not see how it could be an anti-trust violation. It is just a program that is meant to help clean up the mess they created.

    Windows Media Player comes bundled with Windows. Yet there are plenty of alternatives to it that are doing quite well. Just about everybody I know uses either the iTunes player or Winamp.

    Isn't it something along those lines? Or is the fact that its about security and not music really change it into a possible antitrust violation that easily? Or, am I right in my assumptions here, and it is just that the security companies are probably going to try to complain through those channels because they don't want more competition?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Nov 2008 @ 9:52am

    People still use Norton or McAfee? Years ago I dumped those turds down the ceramic punch bowl for making my PC's FUBAR. A good firewall, open source anti-virus and common sense is all that is needed.

    link to this | view in chronology ]

  • identicon
    TDR, 19 Nov 2008 @ 11:42am

    Wrong, Spectere. Even if Macs had more of a market share, their high security level would not change. The same is true of linux. This is because the underlying architecture is inherently more stable and secure than the architecture used in Windows. File storage is also handled differently, which is why in linux and MacOS you don't have to defrag or virus scan or any of the other traditional maintenance tasks.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Nov 2008 @ 1:48pm

      Re:

      strange. he gave a link to his sources. you didn't. macs have always been hacked faster than vista. thats a known fact. so, its hard to say the Mac is more secure.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Nov 2008 @ 11:50am

    I thought the major reason why MS released OneCare as a pay only product rather than for free (as it was supposedly intended to be) was that Symantec and McAfee threw big fits over monopolization of the market, yadda yadda? If this is really the case, then MS shouldn't be entirely bashed for doing what they intended to do in the first place.

    link to this | view in chronology ]

  • identicon
    RealisticComputer, 19 Nov 2008 @ 12:52pm

    Apple fan boys are the worst. They surf the net with their over priced PC's thinking they are immune to everything. Ever think why Macs are not massively adopted by corporations? IT personnel will tell you they are not secure. Even the best architecture is not immune to security holes. The only reason this hasn't been realized yet is due to it's relatively small user base.

    While this doesn't prove anything, I found it interesting in some recent hacking tournament between Windows, Linux and OSX; OSX was exploited first and early in the tournament. The Apple fan boys cried.

    Whether people want to believe it or not, Windows is relatively secure. I have nothing against OSX, I think they have done a great job overall especially with the UI design and could give MS a serious run for their money if they released the OS on non Apple PC's for general home use where top security is not as important.

    - posted using an Ubuntu box

    link to this | view in chronology ]

  • identicon
    Lawrence D'Oliveiro, 19 Nov 2008 @ 5:53pm

    But...

    ...other companies (Norton, Kaspersky etc) seem to be able to make a comfortable living off Microsoft's security flaws. So Microsoft's inability to do the same is clearly not down to the fundamental impossibility of the task, it's probably just the poor quality of Microsoft's particular products.

    link to this | view in chronology ]

  • identicon
    Fowl, 19 Nov 2008 @ 7:55pm

    I don't think people understand, most of the security problems affecting current versions of windows, are not what most people in security research would consider "flaws". Sure there are the 1 or 3 remote code execution vulnerabilities every month or 2, but the main problem is that Windows will run code that a user tells it to. The Horror! There is no way, other than a black/white list (or perhaps some sort of heuristic, maybe) that an operating system (which is *designed* to RUN CODE) can tell the difference between an screen reader and a key logger, or a torrent client and a spammer, etc.

    All an operating system can do is run code that it was told to run, if there is a lot of code out there, then of course there is going to be more malicious code.

    All of this talk about "architecture this" and "inherently more secure that" is meaningless, Windows and Unix have, at the core, a very similar and comparable design. Historically, the principle of least privilege has been less ingrained in the community - UAC in Vista has been a wake up call for ISVs and Admins on the Windows platform - but Microsoft has been promoting it for *Years*.

    It all comes down to user behaviour and the sheer scope of target audience.

    link to this | view in chronology ]

  • identicon
    finid, 20 Nov 2008 @ 2:23am

    It's madness

    It's pure madness: a software company writes crappy code, and instead of re-writing or fixing it, wants you to pay for software that fixes the buggy software. Like fools, a lot of their users will actually pay for the fix.

    I have a pretty simple solution: switch to a free and open source operating system like Linux or BSD.

    link to this | view in chronology ]

  • identicon
    Twinrova, 20 Nov 2008 @ 4:48am

    Security risks are Microsoft's fault? Sorry, but I absolutely disagree.

    In a recent blog, many readers challenged me about my opinion on how websites are using Safe Harbors to protect themselves from users. Many replies stated it was impossible to screen every entry.

    Yet now these same readers, many are anti-Microsoft, blame the company for its security flaws.

    Explain to me how this situation is any different? Websites take care of issues when they're addressed just as Microsoft does.

    The problem here is most people don't understand how software works. They don't understand the key links between what you're using and how it relates to the CPU. There are quite a few vulnerability points, some can't be closed due to legacy issues without breaking other software.

    Granted, there are times where Microsoft does seem to drag its feet to rectify the situation, but expecting a company to build 100% security proof software is a dream no company will ever attain, but strives to do so.

    I find it absolutely appalling you would expect Microsoft to take "option #3" when many of these vulnerabilities weren't the fault of Microsoft at all. Case in point: Last year, over 200 vulnerabilities were found in Windows XP Service Pack 2 upgrades which were discovered using non-Microsoft software! In fact, Mozilla's Firefox coding team found 2 using beta testing.

    This is what happens when many processes are attacking a central location (CPU, which processes the data instructions). It's only then when "opportunities" are discovered by those who intentionally (damn, there's that word again!) try to find them.

    If the software were to work as expected, there would be no breach. Instead, companies spend millions finding these breaches to alert software vendors to fix them, often times finding they can't without causing product to stop functioning without a complete redesign of the software (or have none of you Vista users figured this out yet?).

    Sorry, but this blog message is wrong. It takes a combined effort, not just a sole responsible party. Find solution #4. You owe them that much.

    link to this | view in chronology ]

  • identicon
    mobiGeek, 20 Nov 2008 @ 6:42am

    Fourth option

    Why does MS have to get into this product space at all? Given a review of the other three options (charge, free, make better s/w), the obviously missing fourth option is to do nothing at all and stay the course.

    Of course, now that they've messed up with option #1 and are going to fail with option #2, this fourth option is more of "pull out" rather than "do not enter".

    link to this | view in chronology ]

  • identicon
    william, 20 Nov 2008 @ 7:51am

    The article is basically wrong. The comment by Fowl is a much more accurate description of the situation. The majority of viruses and malware are not exploiting OS security holes.

    link to this | view in chronology ]

  • identicon
    TDR, 20 Nov 2008 @ 11:40am

    What hacking tournament would that be, RealisticComputer? What, where, how, and when? Interesting you don't give any details about it.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Nov 2008 @ 4:25am

      Re:

      TDR, you've already been called out above by an AC for not giving links supporting your POV, whereas Spectere backed up his comments with one.

      So why the heck do you want to look like a fool (unless you are one, in which case the point's moot) and keep rehashing the same tired old crap when you are the one who's unable to back up his comments with factual links?

      Here is a link to the original comment (that no doubt RealisticComputer was referring to as well), in case you find it difficult to scroll the page or search for it:

      http://www.techdirt.com/article.php?sid=20081119/0056492875&threaded=true#c374

      And here's AC's comment that you conveniently ignored, only to raise the same point once again:

      http://www.techdirt.com/article.php?sid=20081119/0056492875&threaded=true#c438

      Now if you aren't just a Mac Fanboy but actually support the platform based on informed opinion and hard facts, then present the same (instead of ignoring what's in front of your nose 'cos it doesn't dovetail with your flawed view of the universe), or else just shut your trap and allow the adults to have an unemotional and informed conversation.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Nov 2008 @ 10:06am

    Listen up MS dum-dums - If Apple OSX had the same market share as Windoze, it would STILL have far less problems because of the architecture.

    Windoze is STILL a multi-threading OS. It is far easier to jump threads than processes.

    Windoze is a monolithic kernal architecture and Internet Exploder is an integral part of the OS. If you can comprimise IE, you get the keys to the kingdom.

    Windoze security policy implementation is a sad, sad creature. The linux access controls are orders of magnitude more manageable and mature.

    Unrelated, but the cherry on top, is the registry. This alone guaruntees degrading performance every time you install something.

    When you hear this tired schlock about market share and security, you can be sure the person spewing it:

    - Probably doesn't want that MCSE to lose value
    - Only understands one OS achitecture, if that
    - Might have submitted an 'I'm a Pee-See' video

    link to this | view in chronology ]

  • identicon
    Adam, 10 Dec 2009 @ 7:00am

    This makes sense, only because any other option would make zero sense. Can you imagine if MS had tried to make different versions of Windows 7 (undoubtedly this was discussed at some point), based on level of security. Windows 7 TITANIUM, for the ultimate in data protection!!! Fact is, the onus is on Windows to keep their own product secure, but I would like to see their security software integrated into the OS, instead of even being discussed as a separate product..

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.