The Sydney Morning Herald has an article on Vista’s EULA. The EULA (available here in PDF format) provides for Vista Home Basic and Vista Home Premium the following “additional licence term”:

USE WITH VIRTUALIZATION TECHNOLOGIES. You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system.

Leaving aside the issue of whether an EULA actually is a contract (as opposed to an attempt to turn a copyright licence into a contract), a few interesting points emerge.

First, it is hard to believe that security is a valid justification. The supposed attack vector has been strongly criticised, in particular the claim that it is undetectable. In any event, for it to work, the host operating system must already be compromised. In practice, this means infecting an OS X or Linux system, and then using it to hijack a virtual Vista machine running on that system. Not only would each step be very hard to do, but someone capable of cracking an OS X or Linux machine would not be wasting time trying to go after Vista VMs running on that system. (Of course, if the host system is also Windows, running e.g. VMware or Virtual PC, then there would already be a cracked Windows system, making it surplusage to go after the VM.)

Secondly, the supposed response to this threat does not make sense. According to the article:

But Microsoft took notice. Woodgate said Microsoft considered banning virtualizing Vista entirely, on all versions. But ultimately, he said, his team decided that the most technically savvy users, or people in companies with tech support, probably could handle Vista in virtualization programs, while home users should be steered away.

If the desire is to ensure secure machines, then the EULA does not bring it about. If the attack vector is real, then it affects Ultimate as much as Basic. Yet “non-savvy” people who buy Ultimate would be able to install it in a virtual machine and have it hijacked. Those “savvy” users who would run Home Premium in a virtual machine, perfectly able to secure it, would be prohibited from doing so by the EULA.

In other words, if the concern is security, the better option would be banning virtualisation or emulation entirely, or allowing it with warnings and education about the risk (potentially also making tools or information available to help detect the threat). Or tweaking Vista so that it won’t run in a virtual machine unless a technically savvy step is taken to enable it. Or prohibiting it subject to proving your savviness to Microsoft (e.g. demonstrating the ability to locate the relevant page on microsoft.com). Or even just disclaiming liability if the OS is compromised while being run in a virtual machine.

Thirdly, the supposed concern does not seem to make sense. Succinctly put, a virtualised version of Vista is essentially just another process (or group of processes) running on the host machine. At worst, those processes can do whatever the host machine allows them to do. The concern is either that the attack vector (when successfully executed against the host machine) allows things to be done inside the host machine (which is neither Microsoft’s fault nor its concern) or that it allows things to be done inside the Vista virtual machine.

But a person failing to secure their virtual machine is just as much a concern as a user who installs Vista on a machine which anyone can access and press “delete” to remove a file, or insert a USB drive to install a rootkit. Securing the machine, once installed (whether physically or virtually), is up to the user. Yet nothing in the EULA prohibits the sale of Vista to morons who will install it poorly in a physical setting.

At base, if the host machine is compromised enough to install a hypervisor, it’s compromised enough to do anything else a malware author wants. Any data stored is up for grabs, whether on the host’s own file systems, on a shared drive or inside a file serving as a virtual machine. Why is it so scary to Microsoft that someone might be hopeless enough to allow their virtual machine to be hijacked, but not their physical machine? Particularly when it is far quicker and easier to reinstall a virtual machine image than a physical hard disk.

And if it’s such a problem, why have no other OS vendors or purveyors taken similar steps?

Against these confused arguments is the clear fact that a person who runs OS X or Linux and either Parallels or VMware is currently forced to buy the most expensive versions of Vista to run it in virtualised mode, when there is absolutely no technical justification for doing so.

That is just inviting trouble, particularly as lurking behind corporate activity in Australia is the spectre of section 52 of the Trade Practices Act, which prohibits conduct that is misleading or deceptive — even if engaged in without the intention to mislead or deceive.