Will the EC Mandate "Windows Vista, Security-Less" Edition?
Published: September 13, 2006
by Alex Woodie
As is commonly the case in new versions of mature operating systems, the upcoming releases of Microsoft Windows Vista and Windows Server "Longhorn" will deliver new features that users previously relied on third-party providers to deliver. In the case of Windows Vista, Microsoft is adding considerable new security features that it says are necessary to safeguard users from evolving threats. For better or for worse, the new features are making life more difficult for security vendors, and could raise anew the ire of European regulators.
As we've documented in this newsletter, there's no love lost between Microsoft and the European Commission, the antitrust arm of the European Union that has been prosecuting the software giant over the last two-and-a-half years for its practice of bundling Windows Media into Windows XP, and for not making it easy enough for competitors to utilize the "communications protocols" used in client-server implementations.
Now, the EC is apparently considering new action against Microsoft to prevent the addition of new security features in Windows Vista that may hurt the "diversity and innovation" of the security software market, and which may not comply with the EU's antitrust laws, according to reports.
The rumor is that the EC will ask Microsoft to "decouple" some of Vista's security features, such as the BitLocker drive encryption, Windows Defender, and Windows Security Center. If the EC did request such a decoupling, it would cause considerable delays in the delivery of Windows Vista (which has already been delayed countless times), a Microsoft spokesman said in an interview with Infoworld.
Some antivirus vendors have reported doing unnatural things, such as hacking into the Windows kernel, to get around the new sandbox features in Windows Vista. Those features eliminate the wide-open, administrator-level privilege to make system-level changes that practically all programs have enjoyed by default for years, and which has been the single biggest cause of security headaches in the Windows operating system.
For example, ZoneLabs, a developer of free antivirus software, reports it has had to resort to such activities to gain the necessary level of access to make its products work with Vista, according to England's BBC. Antivirus software typically requires low-level access to kernel resources, and is commonly affected by major operating system changes. But the changes in Windows Vista are likely to make Windows XP Service Pack 2 look like a minor update.
If the EC does press the issue, it will open up some interesting questions. For example, does a system vendor have the right to close security holes in its products that have been the basis for a lucrative security tool aftermarket? One would think that such a position would be ludicrous to take in the face of the constant consumer outcry Microsoft has endured for years over the security problems in its products. At the same time, even modest security improvements will inevitably impact the security tool aftermarket, but is that price worth paying for security progress?
If the security decoupling is enforced in Vista, perhaps Microsoft Europe will take a cue from its approach to the EC's demands to separate Windows Media Player from Windows, which it accomplished by creating Windows XP Home Edition N and Windows XP Professional N, where the N stood for "Not with Windows Media Player." The new editions of Vista sold in Europe could be called "Windows Vista S," for "security-less" edition. Then, maybe, everybody would be happy--except the European users, of course.