Microsoft Sends Mixed Messages on Security, Piracy
Last week, Microsoft announced that it will allow pirated copies of Windows XP to download and install the Internet Explorer 7 (IE7) browser. This is a reversal of the company’s earlier policy, which locked pirated copies of all its software out of everything but the most critical updates.
Treating Cancer With a Band-Aid
Microsoft has said that it made this change to help ensure the security of the world’s most-used operating system. IE7 has vastly improved security compared to IE6, and security flaws exploited on a pirated copy of Windows could endanger users of legitimate copies.
This official position seems logical on its surface, but falls apart on closer examination. Microsoft uses its Windows Genuine Advantage validation program to prevent non-validated (presumably pirated) software from getting updated with anything but the most important security patches—those labeled “critical” according to the company’s severity rating scale. Critical patches address “a vulnerability whose exploitation could allow the propagation of an Internet worm without user action.”
The next level on the severity scale, “important,” covers vulnerabilities that allow an attacker to gain control over a PC and its files or operations. As pointed out by ZDNet Australia, it’s a short step from that level of control to spreading viruses or spam through the compromised computer. Despite this, “important” patches are unavailable to software that fails WGA validation.
Not only is Microsoft’s patch policy irresponsible, the company also keeps an important preventive security tool, the Windows Defender anti-spyware program, locked up behind WGA validation. Making this software available to non-validated copies of Windows wouldn’t just protect the users of that pirated software; it would help head off security risks to Windows users around the world.
Questionable Motives
The obvious flaws in Microsoft’s official statement have caused speculation over the real motives for unlocking Internet Explorer 7. The general media consensus is that the un-WGAing of IE7 is actually a counterstrike against competing browser Firefox.
This open source rival, along with other IE alternatives, continues to chip away at Microsoft’s share of the browser market. The trend is especially prevalent in some European markets, where one in four Web users prefer Firefox over IE.
Microsoft is undoubtedly aware of these trends. For them, Internet Explorer isn’t just a browser. It’s a development platform on which other tools and products are built, not just by Microsoft but also by third-party developers and its enterprise customers. Ensuring widespread adoption of the latest version is surely a priority for the company.
Though security issues probably played a role in the decision to unlock IE7 for everyone, the declining market share of the IE platform must have also been a strong deciding factor. It’s just good business sense.
Finding a Balance
The Windows operating system is staggeringly ubiquitous: around 97% of the world’s PCs run some version of the operating system. Internet Explorer likewise remains the most popular Web browser on the planet despite recent losses, with a market share of around 78% last month [1]. Many of these computers are indirectly connected to one another through the Internet, making the security of each one, even those running a pirated version of Windows, an important factor in ensuring the security of the Windows ecosystem as a whole.
On the other hand, software piracy is a huge resource drain for the industry. According to a 2006 study, pirated software represents 35% of the entire software market. This adds up to billions of dollars lost by companies like Microsoft and Adobe, who then spend even more money trying to combat the problem. Ultimately, this cycle makes software more expensive for those who do pay.
Microsoft finds itself in a delicate position: stuck between the responsibility to turn a profit for shareholders and its responsibility to secure the Windows ecosystem. These conflicts always seem easier to solve from the outside, of course, but I can’t help thinking that Microsoft is making this balancing act harder than necessary.
In the great Internet tradition of unsolicited advice, here’s my three-point suggestion for how Microsoft can find the right balance between fighting piracy and maintaining security:
- Either allow non-validated users to install both critical and important patches, or elevate to “critical” status any patch for a vulnerability whose exploitation grants full system access or administrator privileges.
- Allow non-validated users to install and update Windows Defender, giving them better protection against spyware. Microsoft isn’t even charging for this product, so it’s not like they’ll be losing money by removing the WGA restriction. If Microsoft won’t unlock Windows Defender, it should at least direct non-validated users to free alternatives like Spybot Search & Destroy.
- Continue fighting piracy through better built-in activation methods, market incentives for legitimate purchase, and cooperation with the governments of poor countries where software might be unaffordable at regular prices.
UPDATE (10/26/2007): Earlier this week, Australian computer magazine APC revealed that a legitimately purchased copy of Windows Vista can be rendered invalid and forced into reduced functionality mode [2] by something as simple as updating a device driver or replacing a video card. This kind of ludicrously strict and unintelligent hardware profiling is an example of what needs fixing in Microsoft’s current activation scheme.
UPDATE (12/5/2007): According to NewsFactor, the upcoming Service Pack 1 for Vista will replace reduced functionality mode with nagging reminders to activate the software.
These ideas seem so simple that I’m sure some of the smart people in Redmond must have thought of them. I know for a fact that my third suggestion is at least partially in place already.
I also know that Microsoft employs some brilliant folks with good ideas, who have to struggle with corporate bureaucracy to make things happen. I wish them luck in bringing some sanity to Microsoft’s dual fights against piracy and computer crime. The company and its customers only stand to lose when Microsoft offers empty half-measures supported by vague, and seemingly duplicitous, explanations.
Footnotes
[1] Down from a high of around 95% in 2004.
[2] Reduced functionality mode isn’t quite as bad as the APC article makes it seem, but it’s bad enough. To a less experienced user, it would be baffling and scary. ZDNet has a screenshot gallery that shows you what to expect from RFM and how to get the most out of it until you can re-activate Vista.
Comments (1 so far)
Thanks for sharing, makes a lot of sense after all it’s Microsoft…
Bob Hussley
http://www.ezedir.com
by Bob Hussley on Aug 3, 07:45 pm