Criticism of Microsoft Windows

The various versions of Microsoft's desktop operating system, Windows, have received various criticisms since Microsoft's inception.

Data collection

Advocates and other critics raised concerns about Windows 10's privacy policies and its collection and use of customer data. [1] Under the default "Express" settings, Windows 10 is configured to send various information to Microsoft and other parties. This includes user contacts, calendar data, and "associated input data" to personalize "speech, typing, and inking input", as well as typing and inking data to improve recognition. The same settings allow apps to use a unique "advertising ID" for analytics and advertising personalization (functionality introduced by Windows 8.1) [2] and allow apps to request the user's location data and send this data to Microsoft and "trusted partners" to improve location detection (Windows 8 had similar settings, except that location data collection did not include "trusted partners"). Users can opt out from most of this data collection, [1] [3] but telemetry data for error reporting and usage is also sent to Microsoft, and this cannot be disabled on non-Enterprise versions of Windows 10. [3] Use of the Cortana intelligent personal assistant also requires the collection of data "such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device" to personalize its functionality. [1] [4]

Rock Paper Shotgun writer Alec Meer argued that Microsoft's intent for this data collection lacked transparency, stating that "there is no world in which 45 pages of policy documents and opt-out settings split across 13 different Settings screens and an external website constitutes 'real transparency'." [1] ExtremeTech pointed out that, whilst previously campaigning against Google for similar data collection strategies, "[Microsoft] now hoovers up your data in ways that would make Google jealous." [3] However, it was also pointed out that the requirement for such vast usage of customer data had become a norm, citing the increased reliance on cloud computing and other forms of external processing, as well as similar data collection requirements for services on mobile devices such as Google Now and Siri. [1] [4] In August 2015, Russian politician Nikolai Levichev called for Windows 10 to be banned from use by the Russian government, as it sends user data to servers in the United States (a federal law requiring all online services to store the data of Russian users on servers within the country, or be blocked, took effect in September 2016). [5] [6]

Following the release of Windows 10, allegations also surfaced that Microsoft had backported the operating system's increased data collection to Windows 7 and Windows 8 via "recommended" patches that added "telemetry" features. The "Diagnostics Tracking Service" added by these updates is connected specifically to Microsoft's existing Customer Experience Improvement Program (which is an opt-in program that sends additional diagnostic information to Microsoft for addressing issues), and the Application Insights service for third-party software. [7]

The data collection functionality is capable of transmitting personal information, browsing history, the contents of emails, chat, video calls, voice mail, photos, documents, personal files [8] and keystrokes to Microsoft, for analysis, in accordance with the End User License Agreement. [9] Microsoft's terms of service agreement was updated to state the following: [8]

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.

Digital rights management

Right after the release of Windows Vista, computer scientist Peter Gutmann criticised the digital rights management (DRM) that had been included in Microsoft Windows to allow content providers to place restrictions on certain types of multimedia playback. He collected the criticism in a write-up he released in which he stated that: [10]

The analysis drew responses from Microsoft, which stated that these problematic features would only be activated when required by the content being played. [11] Other responses came from George Ou of ZDNet [12] [13] and Ed Bott of ZDNet. [14] Bott also published a three-part rebuttal of Gutmann's claims in which he details a number of factual errors in the analysis and criticizes Gutmann's reliance on questionable sources (personal blog postings, friends' anecdotal evidence, Google searches) for his analysis paper, as well as the fact that Gutmann never tested his theories himself. [15] [16] [17]

For Windows 7, allegations were also made about "draconian DRM" which spurred a debate and criticism on the website Slashdot. As with the claims about the overreaching Vista DRM, independent tech writers quickly dismissed the claims as faulty analysis. The actual problem which spurred the criticism turned out to be an unrelated problem experienced by a single user who tried to circumvent Adobe Creative Suite (CS) copy protection mechanisms by changing files. When it failed to work, the user concluded that it had to be the "draconian DRM" of Windows. [18]

Integration of Internet Explorer into Windows

Windows is criticized for having the Internet Explorer web browser integrated into the Windows shell from Windows 98 onwards. Previously Internet Explorer was shipped as a separate application. [19] One problem was that since the Explorer cannot be easily replaced with a product of another vendor, this undermines consumer choice. [20] This issue precipitated concerns that Microsoft engages in monopolistic practices and resulted in the United States v. Microsoft Corp. court case, which was eventually settled out of court.

Another issue with the integration was that security vulnerabilities in Internet Explorer also create security vulnerabilities in Windows, which could allow an attacker to exploit Windows with remote code execution. [21]

In January 2009, the European Commission started to investigate Microsoft's bundling of Internet Explorer into Windows; the Commission stated: "Microsoft's tying of Internet Explorer to the Windows operating system harms competition between web browsers, undermines product innovation and ultimately reduces consumer choice." [22] The European Commission and Microsoft eventually agreed that Microsoft would include a web browser choice selection screen to Windows users in the European Economic Area, by means of BrowserChoice.eu. [23]

Windows 10 includes Internet Explorer, but switched to Microsoft Edge as the default browser. Windows 11 removes Internet Explorer, outside of Edge's Internet Explorer mode for legacy applications. [22]

NSA backdoor allegations

In 1999, Andrew Fernandez, chief scientist with Cryptonym of Morrisville, North Carolina, found a cryptographic public key stored in the variable _KEY and a second key labeled _NSAKEY. [24] The discovery led to a flurry of speculation and conspiracy theories, such as that the second key could be owned by the United States National Security Agency (the NSA) and that it could allow the intelligence agency to subvert any Windows user's security. Researcher Dr. Nicko van Someren also discovered these cryptographic keys and a third key in the ADVAPI.DLL file [25] which, at that time, existed in Windows 2000 before its release. Concerns were raised about CPUs with encrypted instruction sets which, if they existed during that time, would have made it impossible to discover the cryptographic keys. [25]

Microsoft denied the allegations, [26] attributing the naming of the key to a technical review by the NSA pointing out a backup key was required to conform to regulations. [27]

No evidence other than the name of the key has ever been presented that the key enabled a backdoor.

Cryptographer and computer security specialist Bruce Schneier has also argued against the conspiracy theory, [28] pointing out that if the NSA wanted a back door into Windows with Microsoft's consent, they would not need their own cryptographic key to do so.

The cryptographic keys have been included in all versions of Windows from Windows 95 OSR2 onwards. [25]

Patch time

In 2010, Google engineer Tavis Ormandy criticized Microsoft for taking too long to patch (fix) a reported security vulnerability in the Windows virtual DOS machine (VDM), which was patched 7 months after Mr. Ormandy reported it to Microsoft. [29] In 2004, Marc Maiffret, chief hacking officer for security research firm eEye Digital Security, had criticized Microsoft for providing a security patch for the Windows ASN.1 implementation only after 200 days. [30]

Windows rot

Google, a Microsoft competitor, has criticized Windows for becoming slower and less reliable over long term use. [31]

Adrian Kingsley-Hughes, writing for ZDNet, said that he believes that the slow-down over time [32] is due to loading too much software, loading duplicate software, installing too much free/trial/beta software, using old, outdated or incorrect drivers, installing new drivers without uninstalling the old ones and may also be due to malware and spyware. [33]

Related Research Articles

HTTPS: Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Internet Explorer: Web browser series by Microsoft

Internet Explorer is a retired series of graphical web browsers developed by Microsoft that were used in the Windows line of operating systems. While IE has been discontinued on most Windows editions, it remains supported on certain editions of Windows, such as Windows 10 LTSB/LTSC. Starting in 1995, it was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads or in service packs and included in the original equipment manufacturer (OEM) service releases of Windows 95 and later versions of Windows. Microsoft spent over US$100 million per year on Internet Explorer in the late 1990s, with over 1,000 people involved in the project by 1999. New feature development for the browser was discontinued in 2016, and support ended on June 15, 2022 for Windows 10 Semi-Annual Channel (SAC), in favor of its successor, Microsoft Edge.

Next-Generation Secure Computing Base: Software architecture by Microsoft

The Next-Generation Secure Computing Base is a software architecture designed by Microsoft which claimed to provide users of the Windows operating system with better privacy, security, and system integrity. NGSCB was the result of years of research and development within Microsoft to create a secure computing solution that equaled the security of closed platforms such as set-top boxes while simultaneously preserving the backward compatibility, flexibility, and openness of the Windows operating system. Microsoft's primary stated objective with NGSCB was to "protect software from software."

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Microsoft Defender Antivirus: Anti-malware software

Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.

History of Internet Explorer

Microsoft developed 11 versions of Internet Explorer for Windows from 1995 to 2013. Microsoft also developed Internet Explorer for Mac, Internet Explorer for UNIX, and Internet Explorer Mobile respectively for Apple Macintosh, Unix, and mobile devices; the first two are discontinued but the latter runs on Windows CE, Windows Mobile, and Windows Phone.

Windows Vista: Seventh major release of Windows NT

Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, released five years earlier, which was then the longest time span between successive releases of Microsoft Windows. It was released to manufacturing on November 8, 2006, and over the following two months, it was released in stages to business customers, original equipment manufacturers (OEMs), and retail channels. On January 30, 2007, it was released internationally and was made available for purchase and download from the Windows Marketplace; it is the first release of Windows to be made available through a digital distribution platform.

Criticism of Windows XP deals with issues with security, performance and the presence of product activation errors that are specific to the Microsoft operating system Windows XP.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Windows Vista, an operating system released by Microsoft for consumers on January 30, 2007, has been widely criticized by reviewers and users. Due to issues with new security features, performance, driver support and product activation, Windows Vista has been the subject of a number of negative assessments by various groups.

The Protected Media Path is a set of technologies creating a "Protected Environment," first included in Microsoft's Windows Vista operating system, that is used to enforce digital rights management protections on content. Its subsets are Protected Video Path (PVP) and Protected User Mode Audio (PUMA). Any application that uses Protected Media Path in Windows uses Media Foundation.

Internet Explorer 8: Web browser for Windows released in 2009

Windows Internet Explorer 8 (IE8) is a web browser for Windows. It was released by Microsoft on March 19, 2009.

Peter Gutmann (computer scientist): New Zealand computer scientist

Peter Claus Gutmann is a computer scientist in the Department of Computer Science at the University of Auckland, Auckland, New Zealand. He has a Ph.D. in computer science from the University of Auckland. His Ph.D. thesis and a book based on the thesis were about a cryptographic security architecture. He is interested in computer security issues, including security architecture, security usability, and hardware security; he has discovered several flaws in publicly released cryptosystems and protocols. He is the developer of the cryptlib open source software security library and contributed to PGP version 2. In 1994 he developed the Secure FileSystem (SFS). He is also known for his analysis of data deletion on electronic memory media, magnetic and otherwise, and devised the Gutmann method for erasing data from a hard drive more or less securely. Having lived in New Zealand for some time, he has written on such subjects as weta, and the Auckland power crisis of 1998, during which the electrical power system failed completely in the central city for five weeks, which he has blogged about. He has also written on his career as an "arms courier" for New Zealand, detailing the difficulties faced in complying with customs control regulations with respect to cryptographic products, which were once classed as "munitions" by various jurisdictions including the United States.

Encrypted Media Extensions (EME) is a W3C specification for providing a communication channel between web browsers and the Content Decryption Module (CDM) software which implements digital rights management (DRM). This allows the use of HTML video to play back DRM-wrapped content such as streaming video services without the use of heavy third-party media plugins like Adobe Flash or Microsoft Silverlight. The use of a third-party key management system may be required, depending on whether the publisher chooses to scramble the keys.

FREAK is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or fewer, with the intention of allowing them to be broken easily by the National Security Agency (NSA), but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

Logjam is a security vulnerability in systems that use Diffie–Hellman key exchange with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015. The discoverers were able to demonstrate their attack on 512-bit DH systems. They estimated that a state-level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048 bits for shared prime systems.

Widevine is a proprietary digital rights management (DRM) system developed by Google. It provides content protection for media. Widevine is divided into three security levels with differing levels of protection depending on the hardware present on the device. Widevine is included in most major web browsers and in Android and iOS.

Windows 10, a proprietary operating system released by Microsoft in July 2015, has been criticized by reviewers and users. Due to issues mostly about privacy, it has been the subject of a number of negative assessments by various groups.

BlueKeep: Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

References

  1. Hern, Alex (August 1, 2015). "Windows 10: Microsoft under attack over privacy". The Guardian. London. Retrieved April 20, 2019.
  2. "Microsoft makes new ad platform SDKs available for Windows 8.1 to help Store developers monetize their apps". The Next Web. October 23, 2013. Retrieved August 1, 2015.
  3. "Windows 10's default privacy settings and controls leave much to be desired". ExtremeTech. Retrieved July 31, 2015.
  4. Bright, Peter (August 9, 2015). "Windows 10's privacy policy is the new normal". Ars Technica. Retrieved April 20, 2019.
  5. "Facebook, Gmail, Skype face Russia ban under 'anti-terror' plan". CNET. July 23, 2014. Retrieved July 24, 2014.
  6. "Russian MPs back law on internet data storage". BBC News. Retrieved July 24, 2014.
  7. Bright, Peter (September 1, 2015). "Microsoft accused of adding spy features to Windows 7, 8". Ars Technica. Retrieved April 20, 2019.
  8. Williams, Rhiannon (August 5, 2015). "Windows 10: how much of my personal information can Microsoft access?". The Daily Telegraph. Retrieved April 20, 2019.
  9. "Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped", Forbes, November 2, 2015, archived from the original on June 24, 2016, retrieved May 19, 2016
  10. Gutmann, Peter (June 12, 2007). "A Cost Analysis of Windows Vista Content Protection". www.cs.auckland.ac.nz. Retrieved April 20, 2019.
  11. White, Nick (January 20, 2007). "Windows Vista Content Protection - Twenty Questions (and Answers)". The Windows Blog. Microsoft. Archived from the original on July 13, 2010. Retrieved November 20, 2011.
  12. Ou, George (February 22, 2007). "Does DRM really limit Vista?". ZDNet. Retrieved April 20, 2019.
  13. Ou, George (August 13, 2007). "Claim that Vista DRM causes full CPU load and global warming debunked!". ZDNet. Retrieved April 20, 2019.
  14. Bott, Ed. "Busting the FUD about Vista's DRM". ZDNet. Retrieved November 20, 2011.
  15. Bott, Ed. "Everything you've read about Vista DRM is wrong (Part 1)". Everything you've read about Vista DRM is wrong. ZDNet. Retrieved November 20, 2011.
  16. Bott, Ed. "Everything you've read about Vista DRM is wrong (Part 2)". Everything you've read about Vista DRM is wrong. ZDNet. Retrieved November 20, 2011.
  17. Bott, Ed. "Everything you've read about Vista DRM is wrong (Part 3)". Everything you've read about Vista DRM is wrong. ZDNet. Retrieved November 20, 2011.
  18. Bright, Peter (February 18, 2009). "Oh, the humanity: Windows 7's draconian DRM?". Ars Technica. Retrieved April 29, 2023.
  19. Karp, David A. (October 30, 1998). Windows 98 Annoyances. O'Reilly Media, Inc. p. 326. ISBN 978-1-56592-417-8.
  20. Chandrasekaran, Rajiv; Corcoran, Elizabeth (October 21, 1997). "U.S. Says Microsoft Violates Antitrust Pact". The Washington Post. Retrieved January 27, 2012.
  21. Manion, Art (June 9, 2004). "Vulnerability Note VU#713878". US-CERT. Retrieved April 7, 2006. There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
  22. "Microsoft is accused by EU again". BBC News. January 17, 2009. Retrieved July 14, 2011.
  23. "Microsoft Statement on European Commission Decision". Microsoft News Center. Microsoft. December 16, 2009. Archived from the original on January 16, 2010. Retrieved April 20, 2019.
  24. "Microsoft, the NSA, and You". Cryptonym. August 31, 1999. Archived from the original on June 17, 2000. Retrieved January 7, 2007. (Internet Archive / Wayback Machine)
  25. "How NSA access was built into Windows". September 4, 1999. Retrieved March 16, 2012.
  26. "Microsoft Says Speculation About Security and NSA is "Inaccurate and Unfounded"" (Press release). Microsoft Corp. September 3, 1999. Retrieved November 9, 2006.
  27. "There is no "Back Door" in Windows". Microsoft. September 3, 1999. Archived from the original on May 20, 2000.
  28. Schneier, Bruce (September 15, 1999). "NSA Key in Microsoft Crypto API?". Schneier on Security. Retrieved April 20, 2019.
  29. Keizer, Gregg (January 21, 2010). "Microsoft confirms 17-year-old Windows bug". Computerworld. Retrieved April 20, 2019.
  30. Lemos, Robert (February 13, 2004). "200 days to fix a broken Windows". CNET. Retrieved April 20, 2019.
  31. Keyzer, Greg (2011). "Google's Top Five Jabs at Microsoft". Computer World. PC World. Archived from the original on August 12, 2020. Retrieved January 27, 2022.
  32. "Optimize Windows 7 for better performance". Retrieved March 16, 2012.
  33. Kingsley-Hughes, Adrian (January 12, 2009). "Windows bit-rot - fact or fiction?". ZDNet. Retrieved April 20, 2019.