Security Watch

What’s the Real Impact of Windows Live OneCare?

Will AV become less secure overall? Does it spell doom for other vendors? Read Russ' take.

• By Russ Cooper
• 06/07/2006

Speculation abounds at the ramifications of such an offering from Microsoft. Some believe it sounds the death knell of current anti-virus vendors, while others expect it to become the most targeted feature of Windows Vista by criminals. All major AV vendors offer suites to compete with Windows Live OneCare in ways that matter most to end-users. (For the sake of this article, the term "AV" will be used to represent anti-virus, anti-spyware, and firewall services.)

There's certainly no reason to perceive this offering as ending the careers of any of the major AV vendors. They have all faced competition in the past, and Windows Live OneCare is no different. For most corporations, there is currently significant investment, both in software and training, for their current AV solution. Switching to Windows Live OneCare could be seen as similar to switching from Windows to Linux. Microsoft certainly has its share of customers who will adopt the product due to significant support involvement between themselves and Microsoft, but beyond those early adopters, it will come down to a cost/benefit analysis, as with any other switch.

Consumers have historically had a bad track record for purchasing AV update licenses after the expiry of whatever trial period comes with the product pre-installed on their new computer. Windows Live OneCare doesn't change this fact; people will still have to opt to purchase the on-going license and will likely opt not to do so.

And AV technology has always been an attractive target for criminals. If you can by-pass the protective mechanisms, or better still exploit them, you may have decent fodder for spreading your malware. Symantec recently faced such a problem with their AV engine being exploitable remotely by an unauthorized criminal. A significant portion of current malware attempts to disable AV technology in order to operate with impunity. There's no reason to believe that Windows Live OneCare will be less susceptible to such attacks, nor that it will not receive scrutiny by criminals who hope to by-pass its security mechanisms. In other words, the playing field has not changed either way due to Windows Live OneCare.

There are some concerns that users of Windows Live OneCare will come under specific attacks at an increased rate than other AV vendor products as criminals look to achieve a "badge of honor" for being the first one to exploit it. This is less likely than it sounds. Certainly so-called security researchers will be looking at how to exploit Windows Live OneCare; however, more often than not such research leads to providing first warning to Microsoft so that research can achieve the credit Microsoft provides. In doing so they will both receive the "badge of honor" and preserve their relationship with Microsoft and their customers.

Criminals, on the other hand, don't need a breach in Windows Live OneCare in order to get victims. The vast majority of malware today still simply relies upon the victim executing it themselves, as opposed to any sorts of security exploitation. Ergo, Windows Live OneCare's exploitation will most likely come in the form of them not being as up-to-date as other AV vendors when it comes to some piece of malware. Expect media outlets to turn such a situation into a media blitz about Windows Live OneCare "failing" or some equally inaccurate term.

Cybertrust takes no position, one way or the other, regarding the quality of Windows Live OneCare. ICSA Labs, a subsidiary of Cybertrust, has certified the Microsoft product to be equally functional as all other major AV products. Windows Live OneCare should be assessed as would a switch to any other AV vendor: cost, retraining, ease of corporate-wide deployment and updating.