A controversy has developed over comments that were made by Jim Allchin, Microsoft Co-President of Platforms and Services, a couple days ago.
I’ve always been one to question Microsoft’s motives and double-speak. But it is completely misleading to paint Allchin’s acknowledgement that his son — running a heavily locked-down, parental-control-ridden PC, in non-admin mode (one would pretty safely assume) — isn’t running a Microsoft- and/or third-party-developed AV program means Microsoft is claiming Vista is so solid that it doesn’t require AV software.
Did Allchin make a mistake in his attempt to prove that Vista is far more secure than any previous version of Windows, including XP SP2? Yes. He should not have suggested that any users, even those with Windows chiefs as their fathers, can or should forego antivirus software.
Foley is right to say that it is misleading to portray Allchin’s comments about his son’s AV-free Vista PC as suggesting that antivirus software isn’t required as an accompaniment for the new version of Windows.
However, I think she is wrong to say that Allchin was out of line in pressing the point that Vista is more secure than any previous version of Windows that Microsoft has produced. While some might say, with justification, that Vista didn’t have much of a hurdle to clear in surpassing the security capabilities of Windows XP, it isn’t necessarily wrong for Allchin to acknowledge the security advances Microsoft has made.
As for his alleged suggestion that a user can or should forego antivirus software on a Vista PC, I don’t think he’s guilty of the charge that’s been leveled at him. Let’s look at what Allchin is reported to have said, as reported by BetaNews:
"I would say that Windows XP SP2 did an amazing job, and I’m proud of what we did there. But you have to understand, we learned a lot during Windows XP SP2, and there were things that we couldn’t put in that product," explained Allchin.
"I’ll give you an example: It’s my favorite feature within Windows Vista, it’s called ASLR (Address Space [Layout] Randomization). What it does is, each Windows Vista machine is slightly different than every other Windows Vista machine. So even if there is a remote exploit on one machine, and a worm tries to jump from one machine to another, the probability of that actually succeeding is very small. And I wanted to do this in Windows XP SP2, but we couldn’t figure out how to do it. So then a smart guy here came up with a solution, so we put it in Windows Vista."
After summarizing that past statement, Allchin continued, "Please don’t misunderstand me: This is an escalating situation. The hackers are getting smarter, there’s more at stake, and so there’s just no way for us to say that some perfection has been achieved. But I can say, knowing what I know now, I feel very confident."
"I’ll give you an example: My son, seven years old, runs Windows Vista, and, honestly, he doesn’t have an antivirus system on his machine. His machine is locked down with parental controls, he can’t download things unless it’s to the places that I’ve said that he could do, and I’m feeling totally confident about that," he added. "That is quite a statement. I couldn’t say that in Windows XP SP2."
I don’t think Allchin is advising anybody to run a Windows Vista machine without antivirus software. In fact, he explicitly recognizes that hackers and other propagators of malware are constantly devising new exploits and threats. He returns to that theme later in the Beta News article:
But I need to say the following: Windows Vista is something that will have issues in security, because the bar is being raised over time," Allchin continued. "But in my opinion, it is the most secure system that’s available, and it’s certainly the most secure system that we’ve shipped. So I feel very confident that customers are far better off by using Windows Vista than they are with anything that we’ve released before."
The problem, in my opinion, was not in what Allchin said, but in the way in which his comments were misinterpreted and misrepresented by others.