Is Mandatory Windows Validation a Security Risk?

Analysts discuss the security implications of Microsoft's plans to clamp down on the way illegal Windows copies receive updates, including security fixes.

Microsoft's plans to clamp down on the way illegal copies of its flagship Windows operating system receive updates—including security patches—could have a major impact on the SOHO (small office, home office) market and increase the risk of malicious hacker attacks, experts warned Wednesday.

The warning follows an announcement out of Redmond, Wash., that the "Windows Genuine Advantage" anti-piracy initiative, hitherto voluntary, will be mandatory by midyear.

The program calls for Windows users to validate product keys, PC manufacturers and OS versions to allow Microsoft to crack down on cracked versions of the operating system.

"This shouldn't surprise anyone. We all know this was coming once Microsoft went to an activation model for Windows XP," said Rick Fleming, chief technical officer at Texas-based security outfit Digital Defense Inc. "From a pure business standpoint, I understand it. Software vendors are losing the war against piracy, and they have to make some tough decisions."

However, Fleming said any move to limit the application of critical security fixes will "create bigger headaches" for everyone.

"The security implications concern me," he said. "Even now, with patches available to everyone, we know there are folks who ignore software security. There are others who will simply refuse to validate, and their unpatched machines will be a bigger threat."

For its part, Microsoft said it will continue to push out critical security updates to customers through Windows Automatic Updates, with or without product key validation.


Mike Cherry, an analyst at Directions on Microsoft, agreed that unpatched machines could be used as zombies for spam runs and denial-of-service attacks, but he argued that it's unfair to expect Microsoft to provide fixes for stolen software.

"At some point, I don't think Microsoft has the responsibility to fix something that wasn't obtained legally. Why should Microsoft bear the burden for fixing something that was stolen? I'm not even sure that the patches would even work properly on pirated, non-genuine versions of Windows," Cherry told

Cherry said he thinks the onus for locking down zombie machines used for spam and worm attacks should be on ISPs. "The reality is that if someone isn't aware that they have a genuine copy of Windows, what are the chances they're using anti-virus software and applying patches in a timely manner?"

Yankee Group analyst Laura DiDio said she thinks more software companies will follow Microsoft's lead and take a hard-line approach to fighting piracy. "Too much money is being lost. In the past four years, the percentage of revenues from new software licenses was down across the board. The vendors really have no choice but to get tough," DiDio said.

Once the program becomes mandatory, Digital Defense's Fleming said he thinks businesses in the SOHO market will be the most affected. A large number of small businesses typically purchase a single copy of a software product and install it on multiple machines, avoiding volume licensing fees.

"I think Microsoft is going to see some backlash from the home users and small systems users. What are their choices? Either they pay up or find another solution," Fleming said.

"I think you will see that segment looking elsewhere because they just can't afford Microsoft's premium prices."

He suggested that the company implement an amnesty program to cushion the impact for a potentially lucrative market segment.

Yankee Group's DiDio agreed that an amnesty offering discounts could be used to persuade small businesses to buy into legitimizing their software installations.

However, Cherry argued that amnesty programs tend to penalize people who paid to do the right thing in the first place. "When I spend all my money to do things the right way and you give amnesty to my competitor, that only encourages people to break the rules. What next? An amnesty extension?"

The Directions on Microsoft analyst said Microsoft's gradual implementation of the Windows Genuine Advantage program gave people "lots of time to determine whether they're running legitimate software" and enough incentives to get their houses in order.
