Once Again, Security Company Suggests Microsoft Making Its Own Software Secure Is An Antitrust Violation

from the rock-and-a-hard-place dept

Fri, Nov 12th 2010 8:55am — Mike Masnick

For many years, we've pointed out that Microsoft is in a bit of a rock and a hard place when it comes to security software. The company more or less created an entire outside industry in having its software be so incredibly insecure that various other firms had to step up to secure it. But, that puts Microsoft in a really tough position. Does it fix its own security flaws... or is doing so a way to abuse its market position to put the security firms out of business? It's hard to see how that latter position makes much sense to anyone other than those who work for the security companies, but they continue to make those claims. The latest is from Trend Micro, who is complaining that Microsoft Security Essentials (MSE) is an antitrust violation. The article linked here notes that this is even more ridiculous than you might expect, in that MSE is an optional download. Either way, it seems like a pretty huge stretch to claim that fixing your own security holes could possibly be an antitrust violation. The real problem may be that Trend Micro jumped into a business that relied on another company continuing to suck.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: antitrust, security
Companies: microsoft, trend micro

38 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 12 Nov 2010 @ 8:59am

Here we go with the bogus anti trust violation allegations again. Anti trust laws are never used for a legitimate purpose, only for things that are not relevant to anything.
[ link to this | view in thread ]
crade (profile), 12 Nov 2010 @ 9:14am

" The real problem may be that Trend Micro jumped into a business that relied on another company continuing to suck."

Well, this is Microsoft we are talking about here. It's a pretty safe bet.
[ link to this | view in thread ]
Bruce, 12 Nov 2010 @ 9:27am

Trend Micro is trending down.
Trend Micro is wasting time and money with that claim unless TM can show collusion between MS and one of TM's competitors, such as Symantech. Acting alone, MS can do security. TM will go down in flames on that case unless they have proof of collusion. TM might look to Avast! for a better business model, rather than taking a flyer on a longshot litigation like this. This nowhere close to the powerful antitrust claim MS beat on IE. Trend Micro is trending down toward becoming an insignificant micro-business.
[ link to this | view in thread ]
Joseph Durnal, 12 Nov 2010 @ 9:31am

MSE is the Ford Fiesta of AV
It does a reasonably good job for what you pay for it but there are better options available for those who are willing to pay more. I used to use AVG Free on my non business related systems but it got a little bloated and intrusive, so I switched to MSE. I've always kept ClamAV installed with a scheduled scan as a secondary measure.

Professorially, the big problem with MSE is that it really isn't manageable. I suppose that a small company with a hig risk tolerance would be OK with MSE but most businesses, organizations, & government agencies need something more. Even Microsoft competes with MSE, with their Forefront client security product.

The bottom line is that if you can't make an AV product that is better than MSE, you are getting what you deserve if folks aren't buying it.
[ link to this | view in thread ]
out_of_the_blue, 12 Nov 2010 @ 9:37am

M$ inherently has inside info that gives it unfair advantage.
If M$ wants to promote security, they can do it from the direction that they *utterly* control: the original code. If they were competent at writing an OS -- instead of attempting the accessories and thereby leveraging against other companies -- then they actually *could* cut out most security programs in a legal way. But, being M$, they profit from their flaws, and being M$ partners means profiting in the ecosystem that thrives on those flaws, and being M$ customers means a slavish acceptance that M$ is the only *possible* choice.

Anti-trust to reduce a monopoly -- even if it were "natural" -- is entirely a good purpose in line with historical use. The world basically is held hostage to M$'s stupidity besides cupidity, and if a really good virus is written, it could bring the whole house of cards down. It's too much risk to place on a company with M$'s history of unethical competition.
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 9:58am

Re: M$ inherently has inside info that gives it unfair advantage.
Oh, right, MS should just take a lesson from all those other pieces of software that can't be exploited...

Oh, wait, there is NO SUCH THING as unexploitable software.
[ link to this | view in thread ]
A Dan (profile), 12 Nov 2010 @ 10:03am

Re:
The good part of antitrust laws is the prohibition on collusion. That's the part that actually accomplishes its purpose.
[ link to this | view in thread ]
Bengie, 12 Nov 2010 @ 10:18am

Re: M$ inherently has inside info that gives it unfair advantage.
Ummm.. Win7 has very few exploits, about in line with Linux.

Anti-malware is only useful because people don't care what they install and they click yes to everything.

MS can't protect their OS against user stupidity, but they can offer a free semi-useful anti-malware to try to help users not shoot themselves in the foot.
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 10:24am

Re: Re:
When has it ever been used to accomplish its stated purpose? The last example one can think of maybe the telco example and that was how long ago?
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 10:25am

Re: Re: Re:
is maybe the telco example *
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 10:28am

Re: Re: M$ inherently has inside info that gives it unfair advantage.
Give me a sledgehammer and a reasonably powerful electromagnet and I can make any system unexploitable and its data unstealable. :)
[ link to this | view in thread ]
Alatar, 12 Nov 2010 @ 10:33am

Mike, I have to disagree, this is an antitrust violation
If Micro$oft were publishing fixes and system patches to correct the flaws, I'd be fine with that.
But here they intentionnally don't fix it and push their antivirus solution. So this is unfair competition
[ link to this | view in thread ]
mjb5406 (profile), 12 Nov 2010 @ 10:46am

Re: Mike, I have to disagree, this is an antitrust violation
You're kidding, right? They "intentionnally [sic] don't fix it and push their antivirus solution"? Nowe, if Microsoft (a) Prevented other AV solutions from working and (b) if they CHARGED for MSE, that argument may have a shred of validity, but MSE is free... there are plenty of people out there who don't want a do-all, end-all security suite, so they opt for the free software. And, by the way, is AVG or Panda ALSO guilty of antitrust, since they, too, provide free solutions (AVG Free and Panda Cloud Antivirus)? Anybody? Anybody? Buehler?
[ link to this | view in thread ]
telnetdoogie (profile), 12 Nov 2010 @ 10:51am

I'm lost...
This isn't about "Does it fix its own security flaws... or is doing so a way to abuse its market position to put the security firms out of business?"

Do people honestly believe that the reason Windows is more vulnerable to viruses is because MS's product is or was fundamentally insecure? (OK OK, Internet Explorer was a pretty big open door for a long time) - No, it's because most people use Windows and it has the largest exposure!

It's about MS making a great anti-virus / anti-malware program and Trend can't stand that their customers are dwindling.

Before I started using MSE I did a lot of research... I wanted a native 64-bit app that had a small memory and CPU footprint and that had exceptionally good virus / malware interception capabilities with few false positives. In the studies I found, MSE met or exceeded every one of my requirements.

Why, then, would I pay for a Trend Micro solution? Let's imagine MS is out of the picture for now and MSE isn't available to me for free (or for pay) - I STILL don't choose Trend's AV product / suite because it's simply not as good as other products out there (even the free ones)

I just realized this post makes me sound like a huge MS fanboy and I have to tell you that is FAR from the truth. I just don't have much patience for Trend Micro and the like with their shitty, overpriced products that slow your machine down to a crawl and no-one in their right mind (after doing even modest research) would actually go buy.
[ link to this | view in thread ]
telnetdoogie (profile), 12 Nov 2010 @ 10:54am

Horse Manure!
Alatar, that's total horse manure. You think they're ACTIVELY NOT fixing fundamental flaws discovered in their OS and instead address them with MSE? That makes no sense. If that were the case then Trend's solution would be just as capable of doing the same, so MS would be letting ALL BIDDERS (including Trend) solve their problems for them.
[ link to this | view in thread ]
Alatar, 12 Nov 2010 @ 11:58am

Re: Re: Mike, I have to disagree, this is an antitrust violation
"You're kidding, right? They "intentionnally [sic] don't fix it and push their antivirus solution"? Nowe, if Microsoft (a) Prevented other AV solutions from working and (b) if they CHARGED for MSE, that argument may have a shred of validity, but MSE is free... there are plenty of people out there who don't want a do-all, end-all security suite, so they opt for the free software."

(a) They have an advantage because they know the inherent code, whereas AV vendors don't.
(b) Are you sure MSE will always be free?
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 12:01pm

Re: Mike, I have to disagree, this is an antitrust violation
How do you fix users clicking and downloading every file that gets emailed their way?

Or do you honestly think that drive-by infections are the main issue?
[ link to this | view in thread ]
interval (profile), 12 Nov 2010 @ 12:04pm

Re: I'm lost...
You have several interesting & valid points, the plain fact of the matter is that in between the market manipulation and the anti-trust issues there is some genuine innovation that happens at Microsoft; Surface and the F# language are two examples. But when you come from a Unix/Linux background to the Microsoft world, and examine Windows and the like under the covers, some very strange architectural choices come to light, and many of those strange choices are in the security layer of the file system, as a negative example. NTFS has a very complicated and cryptic file protection scheme compared to permissions on a Unix file system. They've made some pretty frankly strange decisions in that arena and that cuts right to the heart of the matter. Also, in making their systems easy to use the decision default " on " all services and subsystems was a pretty bad one. Each and every service on a windows PC is a possible attack vector for malicious 'sploiter to 'sploit. Linux certainly has its own share of problems, the X display system is full of security concerns, for their bad example. But basic security is part of the Unix family, not an afterthought or a "feature".
[ link to this | view in thread ]
CommonSense (profile), 12 Nov 2010 @ 12:04pm

Re: Re: M$ inherently has inside info that gives it unfair advantage.
"MS can't protect their OS against user stupidity"

They should be able to...it's their OS that trained the users to be so stupid and ignorant as to click 'yes' or 'continue' to everything...
[ link to this | view in thread ]
Bill, 12 Nov 2010 @ 12:05pm

Re: M$ inherently has inside info that gives it unfair advantage.
It sounds like you are saying that if Microsoft wrote software without bugs that we wouldn't need antivirus software. That could not be any more wrong. The reason there are no viruses for Apple computers is because not that many people use them comparatively speaking. Apple OS is full of just as many bugs/security issues as Windows, it's just that no one bothers to exploit them because the impact isn't great enough. Antivirus software will always be necessary no matter if the OS is bug free or not.
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 12:09pm

Exploit This
#include
using namesapce std;

void main() {
cout
[ link to this | view in thread ]
Jeff, 12 Nov 2010 @ 12:17pm

Wow
Well, it just shows that Microsoft is stepping up to fix stuff that they overlooked and making it secure, safe, and better.

It's their software, they can do whatever the hell they want with it.
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 12:20pm

Re: Re: Re: M$ inherently has inside info that gives it unfair advantage.
Uh...

MS did not make the first GUI OS, nor were they the first to have confirmation boxes...
[ link to this | view in thread ]
sniperdoc (profile), 12 Nov 2010 @ 12:35pm

Give me a break
This comes from an IT Director that had Trend OfficeScan on a network of over 230 workstations and found that Microsoft Security Essentials did a better job than Trend in keeping malware off of the systems.

When we switched from McAfee 8.5 to Trend Micro's OfficeScan 10(?) we had a huge influx of systems infected with malware through drive-by installations such as the AntiVirus 2008-2010 bug. That bug was so tough that Malwarebytes wasn't able to remove it 90% of the time and because of this we re-formatted 100% of systems that came in that way.

When I worked for the state, they were using Trend and it worked very well, but Trend has gotten extremely complacent. Their AV was extremely heavy, slowed systems down a lot, and even though it seemed to be scanning heavily, it wouldn't do an on the fly deletion of most drive-by bugs. It'd let them get to the temp folders and then sent out an email stating "Trend couldn't remove or quarantine X bug from C:\blahblahblah". What good is your crappy ass antivirus product then???

Why should I pay over $4500 for a yearly license when your product doesn't stop squat!?

MSE at least seems to be a decent on-demand virus scanner and according to AV-Comparatives was better than Trend Micro , catching 96.3% of bugs vs Trend's 90.7% and it's FREE!!!

Trend Micro's product also had the highest incidence of false positives out of a test set of 1.2 million malware sample. Trend dinged 38 false positives vs MSSE at 3... THREE! Rhymes with FREE!!!

You wonder why Trend is losing out to MSE...??? Really? You have to ask?

AV Comparatives has four ratings: Advanced+, Advanced, Standard, and TESTED. MSE received the Advanced rating compared to Trend which only received a TESTED rating.
AV Compratives Feb 2010 Report(pdf).
[ link to this | view in thread ]
The Mighty Buzzard (profile), 12 Nov 2010 @ 12:52pm

Re: Re: Re:
It got me like $15 from the CD price fixing class action. Not that they changed their prices much afterwards but it's better than nothing.

It's also gotten MS to offer less bundled versions of Windows over in Europe and they now offer you up a choice of default browser in the same.

They really do need to be more widely and thoroughly applied though.
[ link to this | view in thread ]
The Mighty Buzzard (profile), 12 Nov 2010 @ 12:59pm

Re: Re: M$ inherently has inside info that gives it unfair advantage.
That was a really terrible argument. A) who said anything about Apple or any other OS? B) No, if your OS has no bugs/security holes it cannot be exploited. C) If your OS cannot be exploited (completely impossible but for the sake of argument...) it does not need anti-virus software.
[ link to this | view in thread ]
Transbot9, 12 Nov 2010 @ 2:21pm

Hrm...
This reminds me of when Norton and others (I think Trend was one of them) were suing Microsoft over in Europe for Microsoft to put the security holes back into Windows Vista that Microsoft used to have in XP.

Obviously, that didn't go far.

Heck, I don't even know if Microsoft markets Security Essentials beyond their own website. I was pretty surprised that the CNET rating was rather positive on the product, especially on a product that Microsoft put out only because people kept demanding it.

Ironically, Trend Micro trials are often found on newly purchased PCs - and Security Essentials has to be downloaded and installed. Too bad Trend Micro didn't pay attention to what happened to Norton, because now they're in the same shoes as Norton was a few years ago (losing market share as their program became bloated and not as effective).
[ link to this | view in thread ]
Bengie, 12 Nov 2010 @ 3:04pm

Re: Re: Re: M$ inherently has inside info that gives it unfair advantage.
Anti-virus does not protect against exploits, it protects against user stupidity.

Anti-root kits protect against exploits there days.
[ link to this | view in thread ]
BearGriz72 (profile), 12 Nov 2010 @ 6:19pm

Re: Re: Re: Mike, I have to disagree, this is an antitrust violation
C) Micro$oft were publishes fixes and system patches to correct flaws on a regular basis (at LEAST monthly)
D) Anti-Virus Software has very little to do with system patches and more to do with ID10T & PEBCAK issues in a modern environment. (IE the moron that does not UPDATE their software on a regular basis)
[ link to this | view in thread ]
RandomGuy (profile), 12 Nov 2010 @ 7:58pm

Re:
Beat me to it.
[ link to this | view in thread ]
Anonymous Coward, 12 Nov 2010 @ 9:26pm

Re: Re: Re: Re:
You mean this one.

http://www.usatoday.com/life/music/news/2002-09-30-cd-settlement_x.htm

Lets see.

"Former FTC chairman Robert Pitofsky said at the time that consumers had been overcharged by $480 million since 1997 and that CD prices would soon drop by as much as $5 a CD as a result. "

Yet they only had to pay

"Monday to pay $67.4 million and distribute $75.7 million in CDs to public and non-profit groups to settle a lawsuit led by New York and Florida over alleged price-fixing in the late 1990s. "

Wow, what a bargain.

"It's also gotten MS to offer less bundled versions of Windows over in Europe and they now offer you up a choice of default browser in the same."

Wow, that really sounds like it accomplished a lot of good.

/sarcasm
[ link to this | view in thread ]
Havvy, 12 Nov 2010 @ 10:35pm

AV Software
All programs have security issues. Not all of them are fixed or knowable to fix right away. Hackers will eventually get into any large system through the various holes. They will leave a virus. Antivirus software cleans up the virus when the signature is known. It is the last line of defense against a virus before reformat.

Also, who cares if Microsoft has better knowledge of their own systems? If you are not allowed to build something because you know what others, what are you allowed to build?

Any improvement in the OS could be blocked by such a flimsy argument. Remember, an OS includes programs in it.
[ link to this | view in thread ]
MikeLinPA (profile), 13 Nov 2010 @ 2:59pm

Re: M$ inherently has inside info that gives it unfair advantage.
I agree with you.

M$ shouldn't be making security software. They should make secure software.

I am not talking about the idiots that will click on anything, either. I am talking about the drive-by downloads that still happen in IE8, (That was supposed to stop being possible in IE7,) and the fake AV that invaded a Vista computer though M$ Outlook. XP was supposedly the safe OS. Then Vista was supposedly the Security First software. I haven't heard any nightmare stories on Win7, yet... (Except the nightmare of trying to administer it. I can't make heads or tails out of Vista or 7. Yuck! No fun at all!)

I asked this question almost a decade ago. Win2K had some security flaws. Supposedly, XP was more secure, but it was like 7 times the size. Then Vista came out and it was like 9 times the size of that. Now Windows 7 is still bigger, (but not quite as drastically, I don't think.) My question is this:

If a million lines of code has a thousand potential exploits in it, how can 7 million lines of code have less?

More code cannot give you less potential exploits. It isn't logical. It is way past time to de-bloat the OS.
[ link to this | view in thread ]
MikeLinPA (profile), 13 Nov 2010 @ 3:18pm

Re: Wow
Now if only they would de-bloat it. Patching is good, but rewriting would be much better.

Every good or bad idea that has ever come across the user experience has been integrated into Windows. Windows needs to take programs out of the kernel. The kernel should be impenetrable, so the OS isn't so easily corruptible. Root kits should not be possible!

The anti trust nonsense that occurred in Europe wasn't about M$ giving away a free browser, but that the browser was integrated into the kernel and could not be uninstalled. Give away all the crap you want, just don't incorporate it into the kernel so it cannot be removed, and be so easily exploited.
[ link to this | view in thread ]
SLK8ne, 13 Nov 2010 @ 10:23pm

Good points but....
I can't speak to 7 or Vista (which I have limited experience with) but, I can speak to XP, 2000. The encrypted file system works, but, only if you deliberately encrypt a file. Any Linux live CD or UBCD4 Windows can cut right through the security of any file that is not deliberately encrypted and password protected.

And I agree that no piece of software is absolutely secure, nor can it be. But, there seems to have been a deliberate calculated decision to leave the security holes open and to plug them after the OS goes to market. Microsoft products have been left vulnerable for many other explanations to make sense. Yes, no software can be made un-exploitable, but, the shear quantity of exploits against Microsoft software leads one to think that the beta testing for security has been somewhat lax.

Further, I'd point out that most of the world's web servers run some flavor of Linux using Apache, and there has been relatively few exploits against these systems. Some yes. But, RELATIVELY few.

I think Microsoft's biggest problems (historically speaking) are a) sloppy coding and b) as MikeLinPA pointed out, software bloat. Trying to do to much without taking time to look for security holes will always render software vulnerable.
[ link to this | view in thread ]
AW, 13 Nov 2010 @ 11:06pm

Security process for Windows: Download file--->possibly popup asking for admin access--->File is downloaded computer is infected. This is as complicated as it gets.

Security permissions for Linux: Download file--->Change file to allow executable--->Change permissions on file to root---> Sudo/$/Root--->run the file---> some small tiny area of your computer is infected...maybe...if a patch hasn't already come out in the 2 days since it was found to completely nullify it.

Mac Security process: Buy Virus because Steve Jobs said so. Install Virus...Call it OS something and name it after a large cat. Automatically deduct from checking into Steve Jobs checking.
[ link to this | view in thread ]
Christopher (profile), 14 Nov 2010 @ 1:27am

Ah, but here is the argument.....
Microsoft is NOT making their software secure, but rather covering up or trying to patch design deficiencies (some of which come from Microsoft's "Run Anything on our OS!" point of view) with their OWN offering.

There is some argument to say that since Microsoft knows where the holes are AND has the source code, they are better able than say.... Symantec to be able to offer solutions that use less memory and CPU power.
[ link to this | view in thread ]
Opinionated Bloviator, 18 Nov 2010 @ 11:45pm

Actually MSE is a very clever corporate strategy, what better way to improve your security product that ot throw it out ot the unwashed masses to use, collect the data then profit. Having said that, the time will come when a version of windows designed from the ground up as a "default deny" kernel will in fact be secure. We may even see it by 2020.
[ link to this | view in thread ]