Microsoft will omit anti-virus protection in Vista, the next version of Windows, which it plans to ship late this year. As with previous versions of Windows dating back to Windows 2000 at least, Redmond is promoting Vista as a landmark improvement in Windows security. Jim Allchin, co-president of Microsoft's platform products and services division, told reseller magazine CRN that safety and security, improved user experience, and mobility features will be key additions in Vista. But there will be no anti-virus software, the Windows development supremo said during a questions and answers session with CRN. For unspecified business (not technical) reasons, Microsoft will sell anti-virus protection to consumers through its OneCare online backup and security service.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2005-07-06
Only partly correct. Microsoft screamed blue murder when the EU made them take out media player. Microsoft's own claim was that it is an inseparable part of the OS. Of course it isn't really, and Microsoft eventually complied - but we both know Microsoft lied through their teeth about this. Perhaps I should say Microsoft like to pretend this is an inseparable part of the OS (of course they lie, but that is a totally different point now isn't it).
Microsoft never claimed WMP was an inseperable part of the OS. Their argument was that removing WMP (just as removing IE) would cause many ISV products to not function correctly because developers depended on it as a default applications platform. In-box applications like Windows Movie Maker would also not function for the same reason. Just as with IE, their argument wasn't about the code being unremovable, it was about loss of functionality in dependant applications, especially from a large market of ISVs.
Why do people always feel the need to "put words in MS' mouth" instead of sticking to facts?
Member since:2005-07-06
Member since:2005-07-06
"The utility to remove IE is provided by a separate vendor. As far as Microsoft is concerned, Microsoft say IE is inseparable, and Microsoft themselves provide absolutely no way to remove IE."
Here, I'll explain it for you. You CAN remove the IE components, and still use Windows. HOWEVER, some parts of windows WILL break. For example, you will be unable to use the Help & Support, since it uses the IE rendering engine. This is why Microsoft will NOT support any official tool to remove IE, as it will break something else in the OS. Not to mention some third party vendors RELY on the IE rendering component (shdocvw.dll) being there, so they HAVE to keep it there for legacy purposes anyway.
"Don't take my word for it. Try googling for +windows +security +warning. 13,000,000 hits. 13 MILLION HITS!!"
+Linux +security +warning gets 11,400,00 hits. So, I guess linux is only ~10-15% more secure 
Edited 2006-01-31 16:49
Member since:2005-11-11
"+Linux +security +warning gets 11,400,00 hits. So, I guess linux is only ~10-15% more secure "
That's a fair cop! 
OK, so how about this then:
Results 1 - 10 of about 12,900 for "Windows security warning". (0.22 seconds)
Results 1 - 10 of about 102 for "Linux security warning". (0.56 seconds)
That makes Windows over 120 times less secure than Linux.
Member since:2005-07-06
> Only partly correct. Microsoft screamed blue murder when the EU made them take out media player ...
Debunked by someone else.
> Yes, it is. There are 0 day critical exploits for Windows, and also unpatched vulnerabilities, and there are myriad black hats and literally thousands of live threats out there. By being very careful it is possible to avoid having your Windows system compromised, but you absolutely have to know what you are doing and this is WAAAAY beyond an average Windows user in charge of their own system and exposing it to the internet.
Broadband router - $30 OR Built-in firewall - $0
Firefox - $0
Thunderbird - $0
Benefit? Priceless.
So for a total of $30 (or $0), 99% of Windows users can defend themselves against 90% of the threats out there -- and without this secret knowledge that is "WAAAAY beyond" the average Windows user.
>All of this you state above is correct. None of it means Windows is actually secure.
I'll let the engineers and security analysts be the judge of that. Linux kiddies said the same thing about IIS 6 ... yet since its release, it has had two minor non-critical vulnerabilities, both patched.
> WMF vulnerability showed us this very clearly indeed. Windows embeds execute instructions within file formats
If you got your information from Steve Gibson, I'd double-check that. There's been some debate about the topic. :-) As for the existence of the WMF vulnerability ... I guess F/OSS software is perfect in that regard eh. LibPNG -- Need I say more?
> Windows happily executes things that no local user has authorised to execute
Prove it. Show me something. Show me a vulnerability report that still applies. Show me an IE script that does it. Show me *anything* to back up that statement that isn't some obscure vulnerability from 2004 that has long since been patched.
> Backwards compatibility for binaries that expect the win32 API from days circa Win95 alone means that Windows can never be secure and retain that backwards compatibility
So you're saying that some old software out there requires the presence of some of these vulnerabilities in the compatibility code to *operate*? Get a clue. Since that is not the case, it is just as possible to fix vulnerabilities in that aging code and still retain 100% compliance with what it was supposed to do in 1995.
> Don't take my word for it. Try googling for +windows +security +warning. 13,000,000 hits. 13 MILLION HITS!!
Yeah, Google is a very accurate tool for measuring the quality of computer code. Google is a trained and highly-renowned security analyst. If this is the best you can do, then you are weak. A child poster has already pointed out the fault in this argument.
> This is not true. Normal users cannot "uninstall" IE, ActiveX, Messenger and WMP. They remain on the system and are used by external actors even if the local user never invokes them. Similar story for Windows Update and remote "help" or whatever it is called. Normal users can't get rid of them nor can they close the security risks they represent.
Messenger and WMP can be uninstalled with *ease* -- that's one thing. The second thing is that if you already have something on your computer that is maliciously invoking some IE/WMP capability, but did not use that capability to get there in the first place, then your problems lie elsewhere (most likely with the user). Please tell me how I am at risk by having IE/WMP on my system if I never personally touch them. Back it up. Show me some evidence, rather than just your ramblings.
That is all. You have nothing substantial or worthy to say.
Member since:2005-11-11
"Prove it. Show me something. Show me a vulnerability report that still applies. Show me an IE script that does it. Show me *anything* to back up that statement that isn't some obscure vulnerability from 2004 that has long since been patched."
Just the recent WMF vulnerability alone will do this. Not all Windows is XP or Win 2000.
Operating Systems % Total OS
Windows NT 0.92% Vulnerable
Windows 95 0.56% Vulnerable Of all Windows
Windows 98 9.65% Vulnerable Vulnerable 14.70%
Windows ME 2.05% Vulnerable
Windows 2000 14.49% Patch Patch 85.30%
Windows XP 62.01% Patch
All Windows 89.68%
Therefore, about 15% of Windows Systems in current use are vulnerable for just that one exploit.
Then, shall we consider the number of the 85% of Windows systems for which a patch is available but on which the patch has not been installed? Let's be generous and say on 20% of Windows Systems fro which a patch is available the patch has not been installed. That makes and additional 17% of Windows systems - or 32% in all.
So that proof makes perhaps one third of all the operating Windows computers out there - vulnerable to black hats executing whatever by remote - and I didn't even have to try hard.
"Please tell me how I am at risk by having IE/WMP on my system if I never personally touch them. Back it up."
Strawman.
I did not say that your personal system was vulnerable. But it is absolutely trivial to show that AT LEAST a third of the Windows Systems IN USE, ON THE INTERNET (original figure are percentage of page hits) are vulnerable.
Member since:
2005-11-11
>>Wrong. Media Player is easy to get rid of completely. Internet Explorer is a bit more difficult, but it is still possible with a utility and a few clicks. Neither will render Windows unusable. <<
Only partly correct. Microsoft screamed blue murder when the EU made them take out media player. Microsoft's own claim was that it is an inseparable part of the OS. Of course it isn't really, and Microsoft eventually complied - but we both know Microsoft lied through their teeth about this. Perhaps I should say Microsoft like to pretend this is an inseparable part of the OS (of course they lie, but that is a totally different point now isn't it).
The utility to remove IE is provided by a separate vendor. As far as Microsoft is concerned, Microsoft say IE is inseparable, and Microsoft themselves provide absolutely no way to remove IE.
>>Obviously AV is not a "REQUIRED" part of the OS.<<
Yes, it is. There are 0 day critical exploits for Windows, and also unpatched vulnerabilities, and there are myriad black hats and literally thousands of live threats out there. By being very careful it is possible to avoid having your Windows system compromised, but you absolutely have to know what you are doing and this is WAAAAY beyond an average Windows user in charge of their own system and exposing it to the internet.
For 99.99% of Windows users - their systems WILL get compromised, and they WILL require an antivirus.
>>Done. SP2 improved security dramatically. Vista will do so even more. All signs and information point to security in Vista being much improved. <<
All of this you state above is correct. None of it means Windows is actually secure. WMF vulnerability showed us this very clearly indeed. Windows embeds execute instructions within file formats, and Windows happily executes things that no local user has authorised to execute. Backwards compatibility for binaries that expect the win32 API from days circa Win95 alone means that Windows can never be secure and retain that backwards compatibility.
>>I'll ignore the last part of that, because you simply are not a security analyst, so your word is worth squat. <<
Don't take my word for it. Try googling for +windows +security +warning. 13,000,000 hits. 13 MILLION HITS!!
>>No one forces anyone to use IE and WMP. If you use Firefox and VLC, IE/WMP are not touched, and do not pose a risk.<<
This is not true. Normal users cannot "uninstall" IE, ActiveX, Messenger and WMP. They remain on the system and are used by external actors even if the local user never invokes them. Similar story for Windows Update and remote "help" or whatever it is called. Normal users can't get rid of them nor can they close the security risks they represent.
>> I'd like to know where you get your sensational information from -- a Linux fanboi forum perhaps? <<
13 MILLION HITS, remember?
"In all cases, Microsoft do that which is **EXACTLY** the opposite of the best interests of the end users."
OK, I'll correct. "In all cases mentioned within the post, Microsoft do that which is **EXACTLY** the opposite of the best interests of the end users."
>>In all cases, Linux developers do *EXACTLY* the opposite of the best interests of the end users.<<
Now that is truly retarded. Linux developers **ARE** Linux end users. Are you saying they shoot themsleves in the foot, and show the whole world exactly how they go about it?
Pfft. In the words of the immortal Bugs Bunny - "What a maroon!".
Edited 2006-01-31 10:57