Allchin Backs Off Antivirus Remarks
Outgoing Microsoft co-president Jim Allchin posted a blog entry Friday apologizing for the confusion surrounding comments he made to reporters Wednesday about being so confident in Windows Vista's security that his seven-year-old son's PC had no antivirus software installed.
As first reported by BetaNews, the remarks came in response to a question about his relative level of confidence that Vista would be more secure than Windows XP SP2. Allchin replied by explaining that Vista includes key security features that could not be added to XP, using his son as an example.
"My son, seven years old, runs Windows Vista, and, honestly, he doesn't have an antivirus system on his machine. His machine is locked down with parental controls, he can't download things unless it's to the places that I've said that he could do, and I'm feeling totally confident about that," Allchin said. "That is quite a statement. I couldn't say that in Windows XP SP2."
The executive -- who was in charge of the operating system's development -- specifically cited two new security features in Vista that have changed his thinking: new parental controls, and Address Space Layout Randomization (ASLR), which lays out the object code of the system kernel in memory differently each time, so that malicious code cannot count on finding it at a known location.
It wasn't long before a number of bloggers and analysts questioned the remarks, citing a 2001 quote in which Allchin claimed Windows XP would be devoid of potential buffer overflows -- something that proved not to be the case. Some pundits even accused Allchin of taking a swing at antivirus makers such as Symantec and McAfee, which have been hugely critical of Vista's new PatchGuard feature.
"Ok, Vista is a vastly improved security model, but what about the fact that probably well over 90% of all viruses come through email?" asked Sunbelt Software CEO Alex Eckelberry. "You get an email that says 'Please reset your password, open the attached file', you open it and it’s a virus. It’s the user executing a virus. How will Vista protect against that? Furthermore, what about downloading a trojan?"
Allchin acknowledged Friday that he wasn't as clear as he intended to be, saying he never meant to imply that Windows Vista does not need antivirus software, despite citing the example of his son's PC. "It’s important for me that our customers are using the appropriate security solutions for the right situations, whether that’s security functionality integrated in the operating systems, or add-on products," he said.
In the Wednesday call, Allchin did note that computer security was constantly evolving, and a solution today would not necessarily be a solution tomorrow. "Please don't misunderstand me: This is an escalating situation. The hackers are getting smarter, there's more at stake, and so there's just no way for us to say that some perfection has been achieved," he told reporters.
"The point I had been trying to make (albeit unclearly) is that Windows Vista includes new security features that can dramatically help improve our customers’ security for certain situations," Allchin explained Friday, adding, "My point in bringing up this extreme example was really meant to emphasize the importance of defense-in-depth measures we put in Windows Vista -- both the number of defenses and their combined effectiveness."
While not denying that he believed his son's computer does not need antivirus software due to its setup, Allchin did admit that "most users will use some form of antivirus software, and that will be appropriate for their scenarios." He said the Windows Security Center even encourages the use of antivirus software.
"We’re continuing to make the best operating system we can, and I’m very proud of it. I think we’ve made some great changes in Windows Vista on the security front, and I know our customers will benefit," Allchin concluded.