Microsoft Vista, Security Vendors, and “Antitrust” Silliness

The silliness surrounding Vista and its relationship to third-party security vendors seems to be building to some kind of peak, as McAfee and others wave the magic “antitrust” flag around in order to protect their ISV businesses. I’m not one to reflexively defend Microsoft, and despite the fact that I (briefly) worked there, I don’t have a Windows computer on my desktop. But in this particular case Microsoft is doing exactly the right thing, and hopefully regulators will not bow to lobbying by ISVs worried about their business models.

For years, McAfee and others have built businesses around gaps in the Microsoft core offerings, in this case security. All ISVs who build around gaps in the product offerings know that these gaps, and thus their business models, are subject to change as their ecosystem changes. This is especially true in this case, since the entire world (experts, trade press, governments, and customers) has been hammering Microsoft to improve operating system security for years.

Well, Microsoft is doing so, and that inevitably means that some of the gaps in security software will be filled by the core operating system itself. This is inevitable because if Microsoft had not provided their own software, and instead continued to rely on ISVs to fill those gaps, the world would have claimed that Microsoft “wasn’t taking security seriously.” The only way they can take security seriously is to (a) ensure that the core platform contains fewer exploitable APIs and subsystems, and (b) provide needed features and tools in the core distribution instead of bundling “extra” software. And since not all security issues are API exploits but instead are structural (i.e., viruses and other code can enter a system in a variety of perfectly valid ways), tools and features are required, not optional. The only question is whether these features and tools come with the operating system, or need to be provided (at separate cost and sometimes separate distribution) by third parties.

From a regulatory perspective, it might appear that Microsoft faces a tough choice: either they do what’s best for customers (and what customers demand of them) and get “serious” about security, in which case the business model of several major ISV partners will suffer, or they stay lax on security and protect the ISVs. Regulators need to think carefully about that choice before going along with the notion that this is an “antitrust” issue.

From Microsoft’s perspective, the choice isn’t so difficult at all. The current hullabaloo is merely the predictable whining of companies who face a major change in their business and are still in denial about it.

The best thing that could happen for computer security right now is for customers, experts, and the trade press to tell McAfee and others to shut up and get busy reinventing themselves, because a Microsoft that is making serious strides on security is exactly what its customers need, regardless of the impact on its former partners.