Is Microsoft's AntiVirus Strategy Secure?
The Redmond software giant is going where only crackers and virus writers have gone before. With two new spam and virus fighting applications, Microsoft hopes to make right what has gone wrong with its code.
Microsoft’s business strategy has been intensely scrutinized for decades.
So when the company last month bought a small maker of anti-spyware technology, the move was widely interpreted as a foreshadowing of its entry into the security software market. That prediction was borne out with the Jan. 6 debut of a Microsoft-branded spyware-fighting tool and the subsequent release last week of anti-virus software.
While Microsoft has downplayed the significance of the new products, observers say it’s a classic strategic move for the company, and is part of a looming overhaul of the two markets. How the giant company chooses to distribute the software will determine whether it again arouses the interest of the Department of Justice.
Behind Microsoft’s entrance into the thriving market for antivirus software is the rush of viruses that regularly rain down on PCs. In the month of December alone, 390 computer viruses were on the loose among the computing community, according to a tally by WildList Organization International, which collects reports from anti-virus experts throughout the world.
Perhaps no company name is as closely associated with the spread of viruses as that of Microsoft, whose programming vulnerabilities in Windows and Internet Explorer are the entry points for many viruses and worms. While the company’s entry into the market has been ruminated over for years, the pressure of external forces has stepped up the squeeze on the company to act.
Last fall, Firefox, the open-source browser by the Mozilla Foundation, had a surprisingly successful debut. In just one month after its release, Firefox saw its share of U.S. browser usage grow from 3.03 to 4.06 percent, according to WebSiteStory, a San Diego consulting firm. Microsoft’s inveterate Internet Explorer slid 1.09 percent, to 91.8; since last June, IE has dropped 3.68 percent.
Equally important, evidence continues to mount about the toll that viruses are taking on corporations, a key market in which Redmond has long sought to boost its credibility and appeal. In the Computer Security Institute’s 2004 CSI/FBI Computer Crime and Security Survey, virus outbreaks emerged for the first time as the incident type generating the largest culprit for corporate losses, edging out theft of proprietary information, which had been the most expensive category of loss for five years.
Microsoft’s appearance in the antivirus software market was inevitable as the company seeks to stem defections to rival operating systems and lure new corporate accounts.
“The more problems people have with the security of Windows, the more likely they are to switch to Linux or the Mac, and certainly large corporate users who are worried about security could stay with Unix,” says Michael Cusumano, professor at MIT’s Sloan School of Management and author of The Business of Software.
As a result, says Cusumano, branching into security software “is something Microsoft has to do. I’m not sure they have a lot of choice.”
Yet the move also makes strategic sense. Antivirus protection is precisely the type of mass-market application that Microsoft likes to go after, says Cusumano.
“It makes perfect sense for their strategy,” says Cusuman, noting that it’s a logical companion to the infrastructure and productivity software on which Microsoft has built its business.
The big question, though, still looms: What will happen to the booming anti-virus and spyware industries if Microsoft decides to toss its full weight behind both?
The lucrative sector has experienced huge growth over the last few years, and the two top players, Symantec and McAfee, have built billion-dollar businesses and become Wall Street darlings with their high-flying stocks.
But the prospect of change has loomed over the desktop security market since well before Microsoft turned heads with its 2003 acquisition of antivirus vendor GeCAD Software, says Peter Lindstrom of Spire Security, a security consulting firm in Malvern, Penn.
So-called trusted computing initiatives by makers of software and chips, for example, use encryption to secure desktops from hackers. Mail servers are applying antivirus tools in a strategy that’s “much more useful” than end-user software for “locking down that avenue of approach,” according to Lindstrom. In addition, McAfee and Symantec are integrating host-based capabilities into their products that give businesses broader coverage for desktop security.
Perhaps the hottest debate surrounds Microsoft’s plans to distribute the anti-spyware and antivirus tools, which are now available as free downloads.
Microsoft says it has no plans to change its distribution method and bundle the products into its operating systems. However, there is little standing in the way for such a change, at least domestically. While the European Union Competition Commission’s antitrust ruling against Microsoft required the company to let consumers choose the components they purchase with an operating system such as Windows, the U.S. antitrust lawsuit produced no such ruling.
“There’s no reason to think they won’t try,” says antitrust expert Andrew Gavil, a Howard University law school professor. “It is their business strategy. The big issue that remains unresolved in this country is, is that a legitimate business strategy for a monopoly?”
Also unresolved is whether the company whose programming created the spyware and virus epidemic will be trusted as a supplier of software that combats both. When it comes to the corporate environment, vendor integrity is paramount, says Gregg Mastoras, senior security analyst for Sophos Inc., a UK-based maker of antivirus and antispam software.
“It’s a big piece of any company – what kind of reputation they have and what their track record is,” says Mastoras.
But others are skeptical that any users will turn up their noses at anti-spyware and antivirus products from Microsoft.
“Folks may be concerned about a conflict of interest with OS providers, particularly Microsoft, offering a service, but I think that is ridiculous,” writes Lindstrom in an email. “They have the biggest reason to want to protect their solutions.”
Indeed, the move will likely boost Microsoft’s standing in consumer’s eyes, not hurt it, says Daryl Travis, chief executive of Brandtrust, a Chicago consulting company.
“The message consumers are likely to take away is ‘Microsoft understands the problem, and they’re doing something about it.’ “
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today