Service Pack 2 Post Mortem

Today officially is Computer Security Day, something HP is commemorating with new protective services and products
for consumers and small and medium businesses. I expect other vendors
to respond, too. I see this as an appropriate day to do a post mortem
on Microsoft's security efforts around Windows XP Service Pack 2.

Given the number of big Microsoft partners launching new security
initiatives in the last 45 days, I have to conclude that SP2 didn't go
nearly far enough–and that's not intended to disparage Microsoft's
efforts, which were commendable. To recap, Dell unleashed new consumer
security services, AOL released the Security Edition version of its
online client and today HP unveiled the aforementioned security
products and services. So, three of Microsoft's largest partners in the
consumer market have all bolstered their independent security offerings
post SP2. And in talking with the three companies, they all struggle
with essentially the same problem: Consumer PCs overrun with spyware.

Who do customers call when their PC starts running slowly or their
Internet connection runs slower than maple sap during a Maine winter?
The vendors–AOL, Dell or HP, among others. These companies get saddled
with heavier support calls and customers get really frustrated at the
vendors; the result may be those customers shopping for some other
vendor's product or service. Nearly every consumer PC vendor I've
talked to since SP2's release has seen an increase–right, not a
decrease–in security support calls. Consistently, spyware ranks high
on the list of problems, and it can be a tough one to diagnose and fix.

Absolutely, I see spyware as a security problem largely overlooked in Windows XP SP2. Sure, ActiveX and pop-up blocking are deterrents, but they don't stop the mechanisms by which spyware too easily installs on PCs. I've repeatedly argued (blogs here and here)
that Microsoft needs to do something to fix Windows rights. Unix-based
Mac OS X administers rights differently than does Windows XP. Highest
level rights are turned off by default, and programs generally prompt
for user name and password before installing. Mac OS X's finer rights
granulation largely protects against the kind of stealth installations
that too easily can occur in Windows. In an April blog, I recommended that Microsoft treat rights and spyware as more serious security issues.

Unfortunately, I have yet to see any information suggesting
Microsoft will fix the rights problem in next-generation Windows
Longhorn. And even if Microsoft attempted to solve the problem then,
it's really too long to wait. Considering how long it has taken the
mass of consumers and businesses to move to Windows XP, any meaningful
rights resolution would be years away. If Microsoft can release
Longhorn WinFX subsystems for Windows XP, why not a better utility for
managing rights or at least attacking the spyware problem?

Still, it's not fair to chuck all the blame for the spyware problem on Microsoft, as I blogged about here.
Consumer behavior is another problem. Just like there are bad
neighborhoods in big cities, the Internet has its rough neighborhoods.
For example, people illegally trading songs, videos or software using
P2P software expose themselves to unnecessary spyware or virus risk. I
don't believe Microsoft should be responsible for consumers' bad
behavior or poor judgment.

That said, much spyware is installed through innocent behavior, as I blogged about here and here.
Maybe that free holiday screen saver or theme pack isn't so free,
because it packs hidden spyware. Microsoft might be able to solve some
of the problem through finer rights demarcation. But an eventual solution
there, if any, is likely a long way off.

So, I commend vendors like AOL, Dell and HP for doing the right
thing for their customers and trying to solve security problems SP2
left unresolved. All three companies have bolstered security protection
software and services and provide consumers with more educational
resources. I'd like to suggest two additional actions.

First: All three vendors offer digital music sales
or services to consumers. Now would be a good time to include security
in digital music marketing, as an alternative to file trading (a.k.a.
stealing) that carries higher risk of spyware or virus infections.
There are plenty of ways to promote these services, particularly during
the holidays.

Second: Offer a safe software zone where consumers
can download holiday screensavers and other applications without risk
of spyware or virus infection. Linking to Microsoft's Windows Marketplace
could be a starting place, as the company claims software there is
spyware free. Longer term, vendors could set up safe software sites in
partnership with third parties, such as Tucows. The sites also could be
a way of drawing customers back to the main Website and to offer them
additional products or services. Dell and HP could use existing desktop
alert notification mechanisms to highlight newest safe downloads.
Assuming customers switch totally to the safe zones, security risk
would likely diminish and spyware/virus support calls with it.  [Microsoft Monitor]
