lheal's Journal: Viruses, security, and the Street

The Sad Situation

Wall Street increasingly runs on Linux. Maybe the irony of Microsoft selling antivirus software will drive that trend to continue. What's that? You don't see the irony in Microsoft selling antivirus software?

Computer experts talk about security flaws and software bugs as if they're separate things. A security flaw is just a bug that someone can exploit to affect the system somehow, even to take it over completely. A virus, or any other program that moves from computer to computer more or less on its own, has to exploit a bug in the host operating system.

Viruses, worms, trojan horses, and spyware are all examples of "malware", or what I'll call automated attack software. Increasingly the purpose for automated attack software is to coordinate control of computers to accomplish some goal, such as to send spam or collect private data, rather than simply to create havoc as in times past.

The Redmond Response

If Microsoft follows its usual pattern, its antivirus (AV) group will have access to the Windows source code. The AV group will also interact with the Microsoft marketing team, which means that A) they will sell a lot of AV software and B) they will tend to coordinate bug fixes with the marketing department.

As malware reports come in to Microsoft's antivirus group, the engineers (from the AV group or elsewhere inside Microsoft) will eventually look at the Windows source code and discover the flaw that the malware exploits.

But the antivirus group won't be able to release a bugfix to Windows. Such fixes have to be examined for effectiveness and to make sure they don't create flaws of their own. Fixes also tend to be aggregated together to lessen the burden on users to keep up to date.

What the antivirus group can do on their own is to release new malware detection and removal definitions. Such changes don't go into Windows itself, but into the add-on antivirus software.

So rather than fixing holes in the OS as they come in, Microsoft may tell users to buy the AV software.

It will provide them a way to shed criticism over vulnerabilities while actually profiting by them. The bugs uncovered by the AV group may eventually be fixed, but the company will have motivation to delay fixing Windows in order to generate sales of AV software.

So that's why it's ironic that Microsoft is selling antivirus software. They should fix the OS rather than sell AV software. However, selling the software will give them an easy out when future problems are discovered. They can dissemble for a while, calling a bug a simple virus matter.

Never mind that viruses should not exist. No operating system is totally impenetrable. Every program has bugs, and operating systems are no exception. These flaws should be limited, and no operating system vendor should add a single feature to their software while an exploitable bug exists. To have an entire industry devoted to removing automated attack software is ridiculous, and shows the incredible inattention to quality in the market leader.

Maybe the government, consumers and business will be more motivated to look away from Microsoft for software solutions because of Microsoft's entry into the antivirus market. Maybe the drive to squeeze another profitable quarter out of software that compares poorly with its freely available competitors will, in a loop-closing irony of its own, drive the Wall Street software installers away from Windows - while the brokers are buying Microsoft stock.

But probably it will only serve to put more pressure on some smaller AV companies that are just squeaking by, forcing them or to change their model or even to go out of business.

And few things make for happier tidings in Redmond than dominating yet another market segment.