It is the sort of no-brainer question that ordinarily you wouldn’t waste any time on: does a Windows OS need additional antivirus protection to be considered a safe platform? Obviously, the answer is yes, unless you are the Co-President, Platform and Services Division of Microsoft Corp, it would appear.
Jim Allchin was answering questions during a telephone conference with journalists this last week and seemed to imply that antivirus was not necessary. In response to questioning about just how confident he was that Vista would be a more secure platform than Windows XP SP2, Allchin surprised the press pack by stating "I'll give you an example: My son, seven years old, runs Windows Vista, and, honestly, he doesn't have an antivirus system on his machine. His machine is locked down with parental controls, he cannot download things unless it's to the places that I've said that he could do, and I'm feeling totally confident about that. That is quite a statement. I couldn't say that in Windows XP SP2."
Of course, what he was really saying was that the combination of the new parental control system in Vista and its Address Space Layout Randomization (ASLR) that frustrates malicious code by rendering the object code of the system kernel in memory differently every time, meant his son was relatively safe even without antivirus protection.
The bit of the response that got ignored, by and large, was perhaps the most vital: ‘his machine is locked down with parental controls’ which tends to suggest that he could only visit approved, whitelisted sites. The chances of these being home to malware, or exposing him to risk, being very small to say the least. His son also has no access to email or instant messaging and does not run as an administrator of the machine. The trouble is, as I am sure you will have spotted by now, is that Allchin took the opportunity to puff up the security aspects of Vista without really qualifying the statement enough. He should not, therefore, have been all that surprised when the press pack turned on him in print and all the ‘Vista doesn’t need antivirus, says Allchin’ headlines appeared.
But surprised he was. Enough to issue a rebuttal in his official Windows Vista blog “Wow, you describe a specific situation and suddenly people extrapolate something completely different!” he exclaims. Get a grip Jim, you dug the hole and can’t complain when people want to bury you in it as a result. “After reading the transcript, I could certainly see that what I said wasn’t as clear as it could have been, and I’m sorry for that.” That’s better, a climb-down of sorts, but quickly devalued with “My point in bringing up this extreme example was really meant to emphasize that importance of defense-in-depth measures we put in Windows Vista—both the number of defenses and their combined effectiveness.”
Well, Jim, perhaps that is what you should have said then.
I must defend the chap in as far as he did not actually state that Vista does not need antivirus, no doubt about that. But by using the example that he did, in the way that he did, it is not at all surprising that it was interpreted this way. The cynics amongst you might even suspect it was meant to be interpreted this way, and that any debate about how strong the security in Vista is compared to XP cannot be seen as a negative thing so close to launch.
The truth, however cynical you are, is clear: Windows Vista will need the same levels of antivirus and malware protection as any Windows platform. Microsoft understands this as much as anyone, and is investing big time in OneCare, for example, something it really would not do if it truly thought that Vista was the great IT security panacea. Clearly, it does not believe this, and equally clearly Vista isn’t. A step in the right direction, sure. A more secure platform than XP, no doubt. The answer to all your security problems, yeah right...