Examination of Witnesses (Questions 280
WEDNESDAY 10 JANUARY 2007
Q280 Earl of Erroll:
Presumably there is a logical problem that if your Security Center
is sitting there making sure that malware is not appearing to
be an anti-virus programme you have to run a second level of security
all the time even though someone has bought yet another virus
checker, or otherwise your system will become insecure. Therefore,
to a large extent an extra virus checker must always logically
be redundant if you have a totally secure system.
Mr Lambert: You can have an extra virus checker
but you can switch off the Windows Security Center if you really
do not want that running on your system. It is very easy just
to switch it off.
Q281 Earl of Erroll:
But then presumably your system would be vulnerable because someone
can then use your API to write malware to access the computer?
Mr Lambert: Jerry may want to comment but I
would say that that is up to the consumer which kind of system
they use to check on what is operating and how it is operating.
If they do not want to use the Windows version they do not have
Q282 Earl of Erroll:
What I am saying is that I suppose that anti-competition law here
is actually militating against being able to write a more secure
system. There is a conflict there.
Mr Lambert: You could say that. I do not wish
to make that comment.
Q283 Lord Harris of Haringey:
Can I just make sure I have understood your earlier answers? What
you seem to be saying is that you have no problem at all in terms
of making your software compatible with other people's security
software, and in essence you would have done this if you had been
asked without the intervention of the European Commission.
Mr Lambert: We have always worked with other
companies, including competitors, to try to make our systems as
inter-operable as possible. That is a cross-industry issue because
it takes two to tango essentially. We believe and we have always
believed, and this is one of the cornerstones of our appeal in
the European case, that we have made the information available
to allow our competitors to work with our software and that we
do that with partners and competitors alike. We make these application
programme interfaces widely available. There are constantly conferences
with developers, small businesses and large businesses alike,
explaining to them what we are doing, what we are developing.
Even in the development stage of Vista we did that so that people
know what is coming and they can work with our systems.
Q284 Lord Harris of Haringey:
But changes were made in response to the European Commission?
Mr Lambert: They were indeed.
Q285 Lord Harris of Haringey:
So why, if you were so ready to co-operate, was it necessary to
have the intervention by the European Commission to make those
changes, or are you saying those changes are irrelevant?
Mr Lambert: When you are developing software
others have different opinions. That is the same with anything
in life. If others come to us and say, "We have looked at
what you have offered here. We do not find it easy to inter-operate".
This is one of the contentions of some of our competitors and
in some part of the Commission. You do your best to comply with
that. There are some points at which you say, "What you are
asking is not acceptable. We cannot go down that road". Sometimes
there have been points like that in the discussions in the case
with the European Commission, but on the whole we start from the
point of view that we try to make Windows a system that inter-operates
well with other people's software. It is in our interests to do
that. We are not, as Jerry Fishenden has said, trying to produce
software for every single possible eventuality. We are trying
to produce an operating system which meets consumers' needs and
which allows other businesses to operate on it. There are huge
numbers of businesses here in the United Kingdom, 17,000 partners
in Britain alone producing software which works on our platform.
Q286 Lord Harris of Haringey:
But the implication of what you are saying is that there were
changes that you have made to Vista software which were unacceptable
to you, and you have only made them in response to the European
Mr Lambert: There are some things that we did
that perhaps we took longer to negotiate than others, and eventually,
of course, as you know, we are appealing the ruling because we
believe that companies like our own should have the right to innovate
and build new things into Windows in response to consumer demand.
The world does not stand still and only one version of Windows
will ever hold. That is a product which is constantly developing
and responding to consumer demand and changes in the market but
there are some things which the Commission have asked of us that
were reasonable and some things that we were able to do that we
were happy to do. There are two types of issue there.
Q287 Lord Harris of Haringey:
But there were by implication some things that you were not happy
with having to do?
Mr Lambert: There are some things that we have
done which are matters of dispute. For example, we are on record
as being in dispute. One of the things that we have appealed against
is a request from the Commission, which we complied with, in which
we produced a version of Windows, in the last version of Windows,
called Windows N which does not have a media player in it. The
Commission contested that there was a market for an operating
system for Microsoft without a media player in it and if you produced
that it would help competitors produce other media players to
get their products more widely into the market here and in Europe,
and so for the European market we have produced Windows N. It
has not sold very many copies and we have sold in the meantime
many millions of versions of ordinary Windows because it works
better, it is at the same price and it has a media player. We
believe that consumers expect a media player to be in an operating
system. It is in all the other operating systems. That is just
Q288 Earl of Erroll:
Large corporations can download security patches and test them
before implementing them on their main systems. Ordinary users
do not have that ability, so how can they be certain that they
are downloading the patches from the genuine Microsoft site, they
are not being tampered with by some existing malware on their
system and that they are going to make things better and not cause
some other things to malfunction?
Mr Fishenden: There is obviously a key difference
between a business environment and a home environment. A business
environment usually has a test environment where they cream out
Q289 Earl of Erroll:
Small businesses are very often in a home-type environment, a
small business office, someone with five or 10 employees. There
are about three and a half million employees in this country employed
by micro businesses.
Mr Fishenden: Yes, sure, I accept that entirely.
If we look at the way the Microsoft update facility works for
those users and any home users, people have the option of entirely
opting in, which we recommend and which is where an update is
published on the official Microsoft update site. It not only identifies
the patch that is available; it also downloads it and installs
it for you, and that is the recommended option. Users then have
the choice of other options. They can say, "Notify me it
is there but do not do anything else", or they can say, "Download
it but do not install it because I want to see what is in it and
whether it is appropriate for me to install or not", because
they might be patching something that users have chosen to disable
on that particular PC. We believe that offers pretty good flexibility.
The other option I should mention is that they can switch it off
entirely and not patch anything should they so choose, which is
not recommended but that is up to them. The way the Microsoft
update environment works in the operating system is that it communicates
only with our professional designated distribution points, so
you know that the update is coming from an accredited source and
has not been tampered with. There have been occasions in the past
where people have taken some of our updates and attempted to distribute
them via other mechanisms, and people often ask why we stopped
that. It is because, Chairman, it is precisely the type of issue
you are raising in that how can you guarantee complete assurance
that that software, once it is downloaded, is not tampered with,
in the same way that some pirated copies of Windows are tampered
with and do come pre-installed with malware and spyware and the
like. If you do not get things from a legitimate source I think
your concern is a well justified one, that you may in fact be
running the risk of installing software that we cannot be entirely
sure is as trustworthy as you think it might be.
Q290 Earl of Erroll:
Have you had problems though with patches not behaving as they
should on home computers?
Mr Fishenden: On occasion that has happened
with a few. We do put them through a very extensive testing programme.
Typically where that has happened will be with maybe a specific
third party hardware driver or something where there is some conflict.
Despite the many thousands of permutations that we run in America,
and we have huge test labs where we run as many mainly third party
pieces of hardware or software as we possibly can, there have
occasionally been a couple of incidents, I believe, where there
were issues on a small number of machines when a patch was not
deployed. We then run a fairly rapid escalation process to try
and understand why a patch has worked on the vast majority of
machines but is having an issue on some. Sometimes it could be
that those are machines where some malware has replaced something
that our patches cannot fix and it is a problem because it does
not find the file it was expecting and, as I say, maybe produces
some sort of third party device driver conflict where we then
need to identify the particular provider of that and work with
them so that we can collectively solve the problem.
Q291 Earl of Erroll:
Of course, the trouble then is that if this does happen to someone
they then lose confidence in doing patches because if they lose
their Internet connectivity they cannot then cure the problem
or it is very difficult to do so.
Mr Fishenden: The patches are reversible, so
you can go back into the installed programmes menu, find "Patches"
and roll back. If you are not able to do it by underscoring that
patch there are quite a lot of facilities in the platforms as
well now called "Rollback", because you can roll back
to the previously known good state. If you imagine a hypothetical
situation where you download some updates and that is creating
some sort of behaviour on the PC which means it is unusable, you
can then elect to roll back to the previous state that PC was
in before the update was applied, and then you can contact us
and say, "Look: I had a problem when I applied this and I
have had to roll back", and we try and find out what the
Q292 Earl of Erroll:
You roll out your patches on the second Tuesday of each month.
This, of course, is timetabled to suit you and business but do
you find that being exploited by malware writers because there
is a window of opportunity for them then before systems get patched?
Mr Fishenden: On occasions where we believe
there has been a live risk to people of significant proportions
then we have occasionally slipstreamed updates between the regular
Q293 Earl of Erroll:
Does this happen often?
Mr Fishenden: Not often, as far as I can recall,
no. It is an occasional occurrence because a lot of the identified
vulnerabilities are theoretical ones, if you like, at the time
they are notified to us, so people prove there is a vulnerability
in the lab environment and there is a usually a time window before
someone then exploits that vulnerability in a real way.
Q294 Earl of Erroll:
Is there not then a problem that they have got time to reverse
engineer the patch to find out what those who did not know what
the vulnerability was, work the vulnerability and get something
out there to attack the system before your patch comes out?
Mr Fishenden: Yes, it is a challenge for anyone
in the industry. We have all tried methods of obfuscating patches,
trying to hide some of what they are really doing by changing
other things on the system that actually have no discernible effect
upon it and so they cannot work out exactly what the patch did.
Of course, whatever you do people can take a snapshot of the machine
before you apply a patch and take a snapshot after and then people
can start using that type of information to try and work out where
the vulnerability might be, so yes, it is a very real problem.
Q295 Earl of Erroll:
This has not been a great problem in the field, this reverse engineering,
and then other viruses can gain access?
Mr Fishenden: Not to date. Where it does become
an issue is obviously where you have a situation where somebody
may not be automatically applying the patches, so although we
have issued a patch maybe someone has reverse engineered it, released
it and exploited it into the wild. It is the users that have left
their machines unpatched that then become vulnerable to that line
Q296 Lord Sutherland of Houndwood:
My apologies, my Lord Chairman, for being late but I want to ask
a question that probably fits in here as well as anywhere. It
is a na-£ve question and you will doubtless tell me if it
is too na-£ve to answer, but tell me politely. How far are
the standards of security that operate within your own organisation
and the machines you use the standards that your customers can
expect you to roll down to them, be they large business operators
or home customers? Is there a big gap and is the gap what we can
anticipate having, or are there serial reasons for having a gap
of this sort?
Mr Fishenden: Essentially we use exactly the
same tools our customers use. The one difference is that we have
a thing called dog-fooding inside Microsoft where as part of our
preparations to release a new operating system or new bits of
software we install it, if you like, before it is necessarily
ready. Probably a year ago I started running early builds of Microsoft
Vista. Part of the purpose of that is that in a large scale environment,
and we have 50,000/60,000-plus machines inside Microsoft, we are
a very useful large-scale test bed for, as we call it, dog-fooding,
which is putting ourselves through the potential pain and occasional
delight of early adoption of software while it is still in development
so that we can make sure that by the time it ships we have ironed
out as many of the possible problems that could be anticipated
with that platform as possible, so, although I say we are using
exactly the same tools that people do outside Microsoft, in reality
you would often find that a lot of us are on the next build of
software that will be coming downstream later.
Lord Sutherland of Houndwood: Thank you.
That is helpful; that is what I wanted to know.
Peter Gutmann has recently suggested that you have seriously compromised
the security and stability of Vista in order to provide content
protection for premium content. How do you react to that?
Mr Fishenden: I am familiar with Peter Gutmann's
article and it will not surprise you to hear that I take a slightly
divergent view from Peter. The issue he was getting at is related
to one of content protection and with Windows Vista, as with our
existing PC platform, a lot of people are using it to watch DVDs,
for example. The content providers, which are Hollywood and the
movie industry, have set minimum standards that any platform that
is going to run the next generation of high definition content
that is coming must adhere to or it will not be able to run on
it. That is as true of Windows Vista and our operating systems
as it is of an iPod device or a dedicated DVD player that you
might buy to use in the home. Anybody who does not adhere to the
content provider's rules, their software is not going to work.
That is the reason we have had to put those features into our
platform. On the specific point of whether it compromises security
at all, we do not accept Peter's points at all. He uses an example,
I think, of medical images and saying that it would degrade the
content and that is not true. Unless people are using and specifically
invoking these content protection mechanisms for things like Hollywood
movies the rules that apply to that content protection do not
even come into play. If people are opening medical images and
content to look at them, then it is not an issue. They open and
are completely untamperable with. There is no loss of fidelity.
There are no risks in using them. My summary is that we see these
things as completely independent of each other. One is to do content
protection, which we have supported on our platform for some time
now. In existing DVDs there are companies like Macrovision which
ensure that people cannot easily rip DVDs and we have put things
into our platform to ensure that we meet the content provider's
stipulation; otherwise people would buy a PC and then would not
be able to watch a DVD and increasingly would not be able to watch
HD-DVDs. We do not accept the point that we have compromised security
in any way. In fact, if anything there is a hope that the very
high quality device drivers being required for some of the high
definition content coming out may result in a higher level of
quality assurance around third party providers.
Have you published a response to his comments?
Mr Fishenden: I believe my colleagues in Redmond
are publishing one either as we speak, or certainly this week
there should be something up on the web as our form of response,
going through point by point the issues that he raised.
Perhaps you could make sure we get that response if we do not
find it for ourselves.
Mr Fishenden: Yes, sure.
4 http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/20/windows-vista-content-protection-twenty-questions-and-answers.aspx Back