News

Vista Virtualized on Mac? Microsoft Says No to Some

The Redmond giant says security issues are of concern with Vista Basic and Home Premium users, but Business and Ultimate licensees can run virtualized safely.

After years of delays and billions in development and marketing efforts, it would seem that Microsoft Corp. would want anyone who possibly can to buy its new Windows Vista operating system. Yet Microsoft is making it hard for Mac owners and other potentially influential customers to adopt the software.

Microsoft says the blockade is necessary for security reasons. But that is disputed. The circumstances might simply reflect a business decision Microsoft doesn't want to explain.

The situation involves a technology known as virtualization. Essentially, it lets one computer mimic multiple machines, even ones with different operating systems. It does this by running multiple applications at the same time, but in separate realms of the computer.

Virtualization has long been used in corporate data centers as a way to increase server efficiency or to test programs in a walled-off portion of a machine. The technology also has been available for home users, but often at the expense of the computer's performance.

But now that Macintosh computers from Apple Inc. use Intel Corp. chips, just like Windows-based PCs, virtualization programs let Mac users easily switch back and forth between Apple's Mac OS X operating system and Windows. That could appeal to Mac enthusiasts who want access to programs that only work on Windows, including some games.

Consequently, the launch of Vista seemed to be a good opportunity for Parallels Inc., a subsidiary of SWsoft Inc. that sells virtualization products.

Unlike Apple's free Boot Camp program that lets Windows run on a Mac, Parallels' $80 virtualization product for Macs does not require users to have just one operating system running at a time. Parallels runs Windows in a, well, window on the Mac desktop.

Parallels also sells a $50 version for Windows PCs -- which would let people run both Vista and its predecessor, Windows XP, so they can keep programs that aren't yet Vista-compatible.

The price of the virtualization software does not include a copy of Windows. And to get that copy, buyers have to agree to Vista's license agreement -- a legally binding document. Lurking in that 14-page agreement is a ban on using the least expensive versions of Vista -- the $199 Home Basic edition and the $239 Home Premium edition -- in virtualization engines.

Instead, people wanting to put Vista in a virtualized program have to buy the $299 Business version or the $399 Ultimate package.

Macs account for less than 5 percent of personal computers in the U.S., but Ben Rudolph, Parallels' marketing manager, says they nonetheless represent a market he's surprised to see Microsoft present with roadblocks.

"Vista is undeniably cool and undeniably important," Rudolph said. "This is really an opportunity to reach people who normally wouldn't be using Windows, whether it would be Mac users or Linux users."

The least-expensive versions of Vista actually would work in virtualization programs. But Microsoft wants to restrict it because of new security holes spawned by the technology, according to Scott Woodgate, a director in Microsoft's Vista team.

Lately Intel and rival chip-maker Advanced Micro Devices Inc. have built virtualization-friendly hooks directly into microprocessors. The goal was to make virtualization work better, but Woodgate argues that the move created a security flaw -- essentially that malicious programs can run undetected alongside an operating system.

Indeed, last year a security analyst showed how AMD chips with virtualization support made computers vulnerable to such an attack. (That researcher, Joanna Rutkowska, said she presumed it would work on Intel-based systems as well, but she didn't have time to try).

AMD challenged the feasibility of such an attack and said virtualization did not decrease computer security. Intel concurred; spokesman Bill Calder called Rutkowska's claims "overstated."

But Microsoft took notice. Woodgate said Microsoft considered banning virtualizing Vista entirely, on all versions. But ultimately, he said, his team decided that the most technically savvy users, or people in companies with tech support, probably could handle Vista in virtualization programs, while home users should be steered away.

The prohibition applies not only to third-party virtualization products like Parallels, but also to Microsoft's own Virtual PC software, which is available as a free download. (It does not apply to Apple's Boot Camp product, which is not virtualization software.)

"We're balancing security and customer choice," Woodgate said.

However, there doesn't seem to be much evidence that technically savvy people wouldn't want the less expensive versions of Vista. Rudolph at Parallels said virtualization customers often just need the most basic version of Windows possible to let some favored application run.

Plus, even though Microsoft will let virtualization products run the higher-priced versions of Vista, some powerful features in those editions are also forbidden in virtualization. The license agreement prohibits virtualization programs from using Vista's BitLocker data-encryption service or from playing music, video or other content wrapped in Microsoft's copyright-protection technology. Microsoft says virtualization's security holes make those features dangerous as well.

Rudolph believes many users will be so confused that they avoid Vista altogether.

Of course, that's Microsoft's decision to make, and it seems logical if you buy the security argument.

But not everyone agrees a virtualization lockdown is justified. In fact, virtualization has been considered a security enhancement. If applications run within their own walls, malicious code can be confined to that zone and not infect the rest of the computer.

"Nobody's complained to us that there's security issues with our products," said Srinivas Krishnamurti, director of product management at EMC Corp. unit VMWare, which plans to release a product for Macs this summer.

In a statement e-mailed after the interview, Krishnamurti added: "The Vista licensing limitation is akin to the industry saying, 'Hey, consumer, when you connect your PC to the Internet, there is a chance you can download adware, spyware or malware so we don't think you should connect to the Internet using a browser.' The world would be a very different place if the industry made that decision in the '90s."

Rudolph acknowledged that "there's always going to be a security risk in any piece of software." But he added that if Parallels "was really not that secure, we would have heard about it substantially."

And even Rutkowska, who argued that her virtualization attack last year -- which she called "Blue Pill" -- proved a glaring weakness in the technology, said Microsoft's decision regarding Vista would make no difference. "I really don't see how Microsoft could use this mechanism to prevent Blue Pill from loading," she said.

Apple would not take a position: Spokeswoman Lynn Fox said Mac users who want to run Windows in virtualized programs should ask the virtualization vendors about security.

Michael Cherry, an analyst with Directions on Microsoft, said virtualization may indeed introduce new complexities and security challenges. "But they're not greater than the technical issues surrounding some of the other features (Microsoft) decided to include," he said. "I don't buy that virtualization is dangerous."

Cherry believes what's really going on is that Microsoft wanted to create more differences between the multiple editions of Vista, presumably giving people more reason to buy the most expensive versions.

But Microsoft's Woodgate insisted that this was not a marketing decision.

"We are absolutely working with our partners to resolve this security issue," he said.

comments powered by Disqus

Reader Comments:

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.