WEDNESDAY 10 JANUARY 2007

MR JERRY FISHENDEN AND MR MATT LAMBERT

  Q280  Earl of Erroll: Presumably there is a logical problem that if your Security Center is sitting there making sure that malware is not appearing to be an anti-virus programme you have to run a second level of security all the time even though someone has bought yet another virus checker, or otherwise your system will become insecure. Therefore, to a large extent an extra virus checker must always logically be redundant if you have a totally secure system.

  Mr Lambert: You can have an extra virus checker but you can switch off the Windows Security Center if you really do not want that running on your system. It is very easy just to switch it off.

  Q281  Earl of Erroll: But then presumably your system would be vulnerable because someone can then use your API to write malware to access the computer?

  Mr Lambert: Jerry may want to comment but I would say that that is up to the consumer which kind of system they use to check on what is operating and how it is operating. If they do not want to use the Windows version they do not have to.

  Q282  Earl of Erroll: What I am saying is that I suppose that anti-competition law here is actually militating against being able to write a more secure system. There is a conflict there.

  Mr Lambert: You could say that. I do not wish to make that comment.

  Q283  Lord Harris of Haringey: Can I just make sure I have understood your earlier answers? What you seem to be saying is that you have no problem at all in terms of making your software compatible with other people's security software, and in essence you would have done this if you had been asked without the intervention of the European Commission.

  Mr Lambert: We have always worked with other companies, including competitors, to try to make our systems as inter-operable as possible. That is a cross-industry issue because it takes two to tango essentially. We believe and we have always believed, and this is one of the cornerstones of our appeal in the European case, that we have made the information available to allow our competitors to work with our software and that we do that with partners and competitors alike. We make these application programme interfaces widely available. There are constantly conferences with developers, small businesses and large businesses alike, explaining to them what we are doing, what we are developing. Even in the development stage of Vista we did that so that people know what is coming and they can work with our systems.

  Q284  Lord Harris of Haringey: But changes were made in response to the European Commission?

  Mr Lambert: They were indeed.

  Q285  Lord Harris of Haringey: So why, if you were so ready to co-operate, was it necessary to have the intervention by the European Commission to make those changes, or are you saying those changes are irrelevant?

  Mr Lambert: When you are developing software others have different opinions. That is the same with anything in life. If others come to us and say, "We have looked at what you have offered here. We do not find it easy to inter-operate". This is one of the contentions of some of our competitors and in some part of the Commission. You do your best to comply with that. There are some points at which you say, "What you are asking is not acceptable. We cannot go down that road". Sometimes there have been points like that in the discussions in the case with the European Commission, but on the whole we start from the point of view that we try to make Windows a system that inter-operates well with other people's software. It is in our interests to do that. We are not, as Jerry Fishenden has said, trying to produce software for every single possible eventuality. We are trying to produce an operating system which meets consumers' needs and which allows other businesses to operate on it. There are huge numbers of businesses here in the United Kingdom, 17,000 partners in Britain alone producing software which works on our platform.

  Q286  Lord Harris of Haringey: But the implication of what you are saying is that there were changes that you have made to Vista software which were unacceptable to you, and you have only made them in response to the European Commission.

  Mr Lambert: There are some things that we did that perhaps we took longer to negotiate than others, and eventually, of course, as you know, we are appealing the ruling because we believe that companies like our own should have the right to innovate and build new things into Windows in response to consumer demand. The world does not stand still and only one version of Windows will ever hold. That is a product which is constantly developing and responding to consumer demand and changes in the market but there are some things which the Commission have asked of us that were reasonable and some things that we were able to do that we were happy to do. There are two types of issue there.

  Q287  Lord Harris of Haringey: But there were by implication some things that you were not happy with having to do?

  Mr Lambert: There are some things that we have done which are matters of dispute. For example, we are on record as being in dispute. One of the things that we have appealed against is a request from the Commission, which we complied with, in which we produced a version of Windows, in the last version of Windows, called Windows N which does not have a media player in it. The Commission contested that there was a market for an operating system for Microsoft without a media player in it and if you produced that it would help competitors produce other media players to get their products more widely into the market here and in Europe, and so for the European market we have produced Windows N. It has not sold very many copies and we have sold in the meantime many millions of versions of ordinary Windows because it works better, it is at the same price and it has a media player. We believe that consumers expect a media player to be in an operating system. It is in all the other operating systems. That is just one example.

  Q288  Earl of Erroll: Large corporations can download security patches and test them before implementing them on their main systems. Ordinary users do not have that ability, so how can they be certain that they are downloading the patches from the genuine Microsoft site, they are not being tampered with by some existing malware on their system and that they are going to make things better and not cause some other things to malfunction?

  Mr Fishenden: There is obviously a key difference between a business environment and a home environment. A business environment usually has a test environment where they cream out—

  Q289  Earl of Erroll: Small businesses are very often in a home-type environment, a small business office, someone with five or 10 employees. There are about three and a half million employees in this country employed by micro businesses.

  Mr Fishenden: Yes, sure, I accept that entirely. If we look at the way the Microsoft update facility works for those users and any home users, people have the option of entirely opting in, which we recommend and which is where an update is published on the official Microsoft update site. It not only identifies the patch that is available; it also downloads it and installs it for you, and that is the recommended option. Users then have the choice of other options. They can say, "Notify me it is there but do not do anything else", or they can say, "Download it but do not install it because I want to see what is in it and whether it is appropriate for me to install or not", because they might be patching something that users have chosen to disable on that particular PC. We believe that offers pretty good flexibility. The other option I should mention is that they can switch it off entirely and not patch anything should they so choose, which is not recommended but that is up to them. The way the Microsoft update environment works in the operating system is that it communicates only with our professional designated distribution points, so you know that the update is coming from an accredited source and has not been tampered with. There have been occasions in the past where people have taken some of our updates and attempted to distribute them via other mechanisms, and people often ask why we stopped that. It is because, Chairman, it is precisely the type of issue you are raising in that how can you guarantee complete assurance that that software, once it is downloaded, is not tampered with, in the same way that some pirated copies of Windows are tampered with and do come pre-installed with malware and spyware and the like. If you do not get things from a legitimate source I think your concern is a well justified one, that you may in fact be running the risk of installing software that we cannot be entirely sure is as trustworthy as you think it might be.

  Q290  Earl of Erroll: Have you had problems though with patches not behaving as they should on home computers?

  Mr Fishenden: On occasion that has happened with a few. We do put them through a very extensive testing programme. Typically where that has happened will be with maybe a specific third party hardware driver or something where there is some conflict. Despite the many thousands of permutations that we run in America, and we have huge test labs where we run as many mainly third party pieces of hardware or software as we possibly can, there have occasionally been a couple of incidents, I believe, where there were issues on a small number of machines when a patch was not deployed. We then run a fairly rapid escalation process to try and understand why a patch has worked on the vast majority of machines but is having an issue on some. Sometimes it could be that those are machines where some malware has replaced something that our patches cannot fix and it is a problem because it does not find the file it was expecting and, as I say, maybe produces some sort of third party device driver conflict where we then need to identify the particular provider of that and work with them so that we can collectively solve the problem.

  Q291  Earl of Erroll: Of course, the trouble then is that if this does happen to someone they then lose confidence in doing patches because if they lose their Internet connectivity they cannot then cure the problem or it is very difficult to do so.

  Mr Fishenden: The patches are reversible, so you can go back into the installed programmes menu, find "Patches" and roll back. If you are not able to do it by underscoring that patch there are quite a lot of facilities in the platforms as well now called "Rollback", because you can roll back to the previously known good state. If you imagine a hypothetical situation where you download some updates and that is creating some sort of behaviour on the PC which means it is unusable, you can then elect to roll back to the previous state that PC was in before the update was applied, and then you can contact us and say, "Look: I had a problem when I applied this and I have had to roll back", and we try and find out what the issue is.

  Q292  Earl of Erroll: You roll out your patches on the second Tuesday of each month. This, of course, is timetabled to suit you and business but do you find that being exploited by malware writers because there is a window of opportunity for them then before systems get patched?

  Mr Fishenden: On occasions where we believe there has been a live risk to people of significant proportions then we have occasionally slipstreamed updates between the regular monthly schedules.

  Q293  Earl of Erroll: Does this happen often?

  Mr Fishenden: Not often, as far as I can recall, no. It is an occasional occurrence because a lot of the identified vulnerabilities are theoretical ones, if you like, at the time they are notified to us, so people prove there is a vulnerability in the lab environment and there is a usually a time window before someone then exploits that vulnerability in a real way.

  Q294  Earl of Erroll: Is there not then a problem that they have got time to reverse engineer the patch to find out what those who did not know what the vulnerability was, work the vulnerability and get something out there to attack the system before your patch comes out?

  Mr Fishenden: Yes, it is a challenge for anyone in the industry. We have all tried methods of obfuscating patches, trying to hide some of what they are really doing by changing other things on the system that actually have no discernible effect upon it and so they cannot work out exactly what the patch did. Of course, whatever you do people can take a snapshot of the machine before you apply a patch and take a snapshot after and then people can start using that type of information to try and work out where the vulnerability might be, so yes, it is a very real problem.

  Q295  Earl of Erroll: This has not been a great problem in the field, this reverse engineering, and then other viruses can gain access?

  Mr Fishenden: Not to date. Where it does become an issue is obviously where you have a situation where somebody may not be automatically applying the patches, so although we have issued a patch maybe someone has reverse engineered it, released it and exploited it into the wild. It is the users that have left their machines unpatched that then become vulnerable to that line of attack.

  Q296  Lord Sutherland of Houndwood: My apologies, my Lord Chairman, for being late but I want to ask a question that probably fits in here as well as anywhere. It is a na-£ve question and you will doubtless tell me if it is too na-£ve to answer, but tell me politely. How far are the standards of security that operate within your own organisation and the machines you use the standards that your customers can expect you to roll down to them, be they large business operators or home customers? Is there a big gap and is the gap what we can anticipate having, or are there serial reasons for having a gap of this sort?

  Mr Fishenden: Essentially we use exactly the same tools our customers use. The one difference is that we have a thing called dog-fooding inside Microsoft where as part of our preparations to release a new operating system or new bits of software we install it, if you like, before it is necessarily ready. Probably a year ago I started running early builds of Microsoft Vista. Part of the purpose of that is that in a large scale environment, and we have 50,000/60,000-plus machines inside Microsoft, we are a very useful large-scale test bed for, as we call it, dog-fooding, which is putting ourselves through the potential pain and occasional delight of early adoption of software while it is still in development so that we can make sure that by the time it ships we have ironed out as many of the possible problems that could be anticipated with that platform as possible, so, although I say we are using exactly the same tools that people do outside Microsoft, in reality you would often find that a lot of us are on the next build of software that will be coming downstream later.

  Lord Sutherland of Houndwood: Thank you. That is helpful; that is what I wanted to know.

  Q297  Chairman: Peter Gutmann has recently suggested that you have seriously compromised the security and stability of Vista in order to provide content protection for premium content. How do you react to that?

  Mr Fishenden: I am familiar with Peter Gutmann's article and it will not surprise you to hear that I take a slightly divergent view from Peter. The issue he was getting at is related to one of content protection and with Windows Vista, as with our existing PC platform, a lot of people are using it to watch DVDs, for example. The content providers, which are Hollywood and the movie industry, have set minimum standards that any platform that is going to run the next generation of high definition content that is coming must adhere to or it will not be able to run on it. That is as true of Windows Vista and our operating systems as it is of an iPod device or a dedicated DVD player that you might buy to use in the home. Anybody who does not adhere to the content provider's rules, their software is not going to work. That is the reason we have had to put those features into our platform. On the specific point of whether it compromises security at all, we do not accept Peter's points at all. He uses an example, I think, of medical images and saying that it would degrade the content and that is not true. Unless people are using and specifically invoking these content protection mechanisms for things like Hollywood movies the rules that apply to that content protection do not even come into play. If people are opening medical images and content to look at them, then it is not an issue. They open and are completely untamperable with. There is no loss of fidelity. There are no risks in using them. My summary is that we see these things as completely independent of each other. One is to do content protection, which we have supported on our platform for some time now. In existing DVDs there are companies like Macrovision which ensure that people cannot easily rip DVDs and we have put things into our platform to ensure that we meet the content provider's stipulation; otherwise people would buy a PC and then would not be able to watch a DVD and increasingly would not be able to watch HD-DVDs. We do not accept the point that we have compromised security in any way. In fact, if anything there is a hope that the very high quality device drivers being required for some of the high definition content coming out may result in a higher level of quality assurance around third party providers.

  Q298  Chairman: Have you published a response to his comments?

  Mr Fishenden: I believe my colleagues in Redmond are publishing one either as we speak, or certainly this week there should be something up on the web as our form of response, going through point by point the issues that he raised.

  Q299  Chairman: Perhaps you could make sure we get that response if we do not find it for ourselves.

  Mr Fishenden: Yes, sure.[4]