Microsoft, EC tangle over Vista security

The European Commission warned Microsoft again Tuesday that planned security features in the upcoming Windows Vista operating system could run afoul of EU antitrust laws, prompting Microsoft to say that an adverse ruling from European regulators could further delay Vista's ship date.

Free IT resource Open Source Business Conference (OSBC) May 22-23, 2007 Sponsored by OSBC Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Return to Vista report TALKBACK Share your views on Microsoft's Vista

In a statement Tuesday, EU Commission spokesman on competition Jonathan Todd said that the Commission believes that diversity and innovation in the security software market could be threatened if Microsoft doesn't allow reputable third-party security vendors to compete on an equal footing for customers.

The statements came in response to questions from journalists who had been briefed by Microsoft, Todd told InfoWorld.

Microsoft is reaching out to members of the press to express concern about the EC's stance on Vista security and to explain the reasoning that went into the company's decisions to integrate some security functions in the Vista operating system, according to Stephen Toulouse, of Microsoft's Security Technology Unit.

"We're doing what everyone asked us to do and making Vista secure," Toulouse told InfoWorld on Tuesday. "We believe we've set the security foundation higher in Vista than in other operating systems and we don't want to lower that," he said.

Microsoft is committed to delivering an EC-compliant operating system, and would abide by requests from the European Commission to remove security features if necessary, Toulouse said.

Unraveling security features such as the BitLocker drive encryption, Windows Defender and Windows Security Center from Vista at this late date would be a monumental task, however.

"I can't even speculate on how we'd deal with a request like that," Toulouse said, although he didn't rule out delays in the global release of Vista.

Todd rejected the idea that the EC would give a "green light" to any particular version of Vista, but said that Microsoft would have to produce a product that complies with EU competition rules, or risk an antitrust ruling from the Commission.

"We've made it clear to (Microsoft) for some time that it's up to Microsoft to make products that are fully compliant with EU competition rules, particularly in light of the March 2004 ruling on its abuse of its dominant market position," Todd said.

NeelieKroes, the European Commission's competition commissioner, wrote to Microsoft CEO Steve Ballmer in March to express concerns about the security features and requesting more information on them, but the company delayed responding to the letter until the end of August, Todd said. 

Microsoft did a full court press on Tuesday to try to counter the EC's statements about antitrust concerns with Vista's security features, emphasizing the company's work with independent software vendors.

Speaking with InfoWorld, Toulouse, until recently program manager for Microsoft's Security Response Center (MSRC), explained the company's reasoning in adopting security features such as Patchguard, a feature on 64-bit versions of Vista that prevents applications from "patching," or modifying the Vista core processing center, or "kernel."

Patchguard was necessary to stop unauthorized applications and malicious programs from modifying the Vista kernel to take control of the operating system. Legitimate third party products, however, such as behavioral detection products, also need access to the kernel.

Symantec Corp. executives have complained that Microsoft is using its dominance of the operating system market and hard line stance on kernel patching to stifle competition, but Microsoft allows third parties to extend the Vista kernel using signed, kernel-mode drivers, Toulouse said.

Microsoft's security products, such as Windows Live OneCare and Forefront, don't get an inside track to Vista features, Toulouse said.

"We play by the same rules with our own products," Toulouse said. "Nobody patches the kernel."

Toulouse also downplayed the impact of Patchguard, saying that adoption of 64 bit Vista would be slow, given that fewer applications have been written to run on it, and the 32-bit version of Vista runs on new, 64-bit platforms.

On other security features, such as the Windows Security Center user interface, Microsoft allows ISVs to use the features or ignore them. The company has also made it easy for competitors to turn off default security features like the Windows Defender anti-spyware product and Vista desktop firewall silently during installation, Toulouse said. 

Microsoft has made great efforts to give third party vendors such as Symantec access to Vista, such as giving Symantec employees office space at the company's Redmond, Washington, headquarters and access to Vista source code and builds, Toulouse said.

The EC isn't opposed to Microsoft improving the security of Vista, but believes that there needs to be diversity in the security market to stimulate innovation, Todd said.

The EC is still evaluating the information Microsoft sent in August on the Vista security features and hasn't decided what additional guidance it will give Microsoft.

There were similarities between the EC's position on Vista's integrated security features and the Commission's ruling on Microsoft's bundling of the Windows Media Player, Todd said.

That dispute resulted in a €497 million fine against Microsoft in March 2004 for anti-competitive practices. Todd acknowledged, however, that security features also had a unique status.

"There's an extra dimension with security products. If I have a computer without a media player, it's not the end of the world. But a computer without security countermeasures is in deep trouble," Todd said.

"Clearly we don't expect Microsoft to sell software that would be vulnerable to security problems," Todd said.