Security, speed and the trouble with transparency

The fact that Microsoft has issued its latest patch-to-the-patch not as an automatic update but as a manual one is an indication that this time around, it's leaving the question of security vs. performance to the users and system admins. Vista proved that calling attention to the choice between performance and security leaves users with the impression that their systems are neither fast nor secure.

The key selling point for Windows 7, as emphasized in a concerted advertising campaign that stretches across both TV and the Web, is that it's leaner, simpler and faster. It doesn't have to complete the phrase "faster than ..." because we all know how to complete that phrase. Microsoft's (Nasdaq: MSFT) bet for Windows 7 is that users smart enough to complete that phrase care.

So if some of the comments Betanews has been receiving about Internet Explorer's recent problems being a non-event, or a "YAWN," really did reflect reality, then Microsoft has already lost the bet.

The security problem revealed last July at the Black Hat conference could be considered old but also latent -- it has not been exploited yet, and only recently have smarter folks looking for ways to improve security architecture shed light on it. It's a problem with how software components trade off objects of data in memory when their types are indeterminate, using a structure called "variant." The receiving component learns about the variant's type through a structure that's passed along with the data, but as the Hustle Labs team demonstrated, components don't clean up after themselves in a safe way.

Microsoft has very obviously taken this revelation quite seriously, especially noting that the security team's demonstration in Las Vegas could give more malicious folks ideas they would never have conjured on their own. Last month's Patch Tuesday round reflected the degree of seriousness with which Microsoft is treating the matter.

The Big Treadmill

The company's patches in recent weeks, including the patches to the patches, have resulted in noticeable and easily measurable performance degradation in Internet Explorer, both versions 7 and 8. This means that a great many users of XP, Windows 7, and the "V-word," who use the platform they're given to run Web applications, will notice a slowdown of one-third or more.

What's more, as it stands now, Betanews estimates that the performance differences between Internet Explorer 8 on Windows 7 and on Vista are negligible or even negative. That's right -- IE8 on Win7 is slightly slower than IE8 on Vista, at least according to yesterday's tests.

Now, what we could have done here is beat our competition to the obvious Hyperbolic Headline waiting to be harvested. You know the one I'm talking about: Windows 7 Slower Than Vista. Wouldn't that just be the Holy Grail? We'd be on Google (Nasdaq: GOOG) News for a whole day, higher-ranking than Hamid Karzai's brother on the CIA payroll, more attention-grabbing than what Pamela Anderson paid to redecorate her bathroom, fresher than yet another "YAWN" about whether Nancy Pelosi would entertain removing the public option from health care!

Or not. Because apparently it doesn't matter, as the education I'm receiving from a few of my readers is attempting to enlighten me about. People use what they use, they like what they like, and they'll consume whatever's in front of them. Nancy Pelosi, Pamela Anderson, Lady Gaga, Internet Explorer ... it all passes in front of consumers on a treadmill, and they don't pay any real attention to details or facts or arguments or qualitative differences.

A Change of Course

Put another way, the argument goes like this: If security truly mattered to folks, then they wouldn't be using Windows in the first place. If functionality and performance truly mattered, then two-thirds of the world's HTTP GET requests wouldn't come from IE. (And if quality mattered, Lady Gaga ... etc.) A few microseconds given away here or there isn't really going to matter to folks whose only interaction with the net consists of waiting for Pamela's picture to download.

If that were true for everyone besides a few folks for whom the notion that stuff doesn't matter really, really matters, then Windows 7 really would be "Vista Service Pack 3" (it is, after all, internally numbered "Windows 6.1").

The "Windows 7 was my idea" campaign, which places an obvious bet that the consumer cares about things like speed and performance.

The reason Windows 7 exists as a brand name at all is because of a Microsoft change of course, a necessary one if the brand is to thrive rather than just subsist: When Microsoft bet the farm on the notion that users will be more comfortable with security than performance, it lost. Vista is a tarnished brand despite its enormous security improvements, partly because it was a slower performer to begin with, and partly because the fight to keep Vista secure was so public and so transparent to the regular user that every Patch Tuesday became a step down the ladder for Microsoft.

Wouldn't you rather be more secure than more vulnerable faster, a reader asked me yesterday? [Sorry, Paul, I messed up your question.] Yes, I would. But I'm an oddball. And if the pool of consumers out there were like me, there wouldn't be a Windows 7.

Your Move, Windows 7

While technically this issue impacts all of Windows, not just Windows 7, this is a Windows 7 issue now, just as the multitudes of patches released for XP since 2007 were a Vista issue. It's Windows 7's turn on the watch tower; it's the system in the hot seat. If users after today come to believe that their systems are slower and slower and slower, even if it's Vista they're using, it will be Windows 7 that's blamed. Yes, people do care, but they also blame the most convenient target available to them. (Just ask any Democratic pollster today about the meaning of last week's elections.)

The fact that Microsoft has issued its latest patch-to-the-patch not as an automatic update but as a manual one is an indication that this time around, it's leaving the question of security vs. performance to the users and system admins. Granted, nobody on the malicious side of development has acquired the collective neurons yet to exploit the variant problem the way it could theoretically be exploited -- a fact for which I continually thank my local deity. However, Vista proved that, for the same reason travelers feel less safe walking through airports where the security is tighter, calling attention to the "Hobson's Choice" -- to borrow a Carmi Levy phrase -- between performance and security leaves users with the impression that their systems are neither fast nor secure. If Windows were to apply this latest patch automatically, and advertise transparently that it had done so, and the result were slower systems, can't you just imagine the headlines then? Microsoft Reaches Into PCs and Makes Them Slower. Apple's marketing team would have a field day.

Transparency in computing (or government) is like honesty in dating: Everyone says it's the most important factor to them, until they get it: "I'm 44, short, and balding ... and I have a latent but exploitable security deficiency."

On a scale comparable to the healthcare debate in Congress, the variant problem is actually just as big not only for Microsoft, but for Mozilla and Apple and Adobe (Nasdaq: ADBE) and everyone else in this business. The real solution will require major changes to the way all software functions -- changes that mean we need to start talking about Internet Explorer 9 and Windows 8 and Firefox 5 and Chrome 94, now.

And people will notice the change. They'll notice because people care more than some folks think they do.

