Thursday, May 22, 2008

More Vista Complaints

I've been complaining a lot about Microsoft lately, and I thought I'd add one more piece of fuel to the fire: that the extra layers of security MS added to Vista have hurt developers while not particularly helping users. The former has been clear for quite a while to anyone who's had to write real-world software for Vista. When we first upgraded Zango's toolbar to support Vista, it took us several months just to work around the problems that Vista introduced. Note that I say "work around". None of the things that Vista made it so troublesome to do were actually impossible to do: it was just much more difficult. In other words, from my perspective, Vista wasn't precisely more secure: it was just much more unpleasant. We had to add layer after layer of complexity to get Vista to do the sort of thing that you could do quite easily in XP.

Here's a great example that we ran into in our upcoming client release. (More details about the release itself in a few days.) During our setup (which is a complicated, half-web, half-client-side sort of thing), we wanted to write a cookie that could be read by our website, which would tell our website that yes, our toolbar was installed, and yes, the user was now free to go access whatever content was available through our website. In any version of Windows prior to Vista, you did this through the WinInet InternetSetCookieEx() API. And you still can do it in Vista – except for the minor problem that the website won't be able to read it. You see, our installer is (necessarily) running in a privileged process, and in Vista, MS has declared that nothing in a privileged process shall in any way be allowed to talk to the browser sandbox, and cookies come in under that exclusion.

So what's the problem? Don't these new restrictions actually make the OS more secure? Well, no, not really. There are still obvious ways to get data in and out of the sandbox: you just have to make your code jump through a lot more hoops. One method to get cookie data out of the sandbox is described here; since our problem was getting cookie data into the sandbox, we took a different approach, namely, to have our BHO (which was by now loaded into Internet Explorer's protected mode process) write the cookie (using the same InternetSetCookieEx API).

The key here is that you can still do exactly the same thing in Vista that you used to be able to do in XP: it's just about 100 times harder. Instead of one or two lines of code to write and support, you now have hundreds.

Hence the syllogism:

Major Premise: Complexity is the arch-enemy of software.
Minor Premise: Vista is a major contributor to the complexity of recent software.
Conclusion: Therefore, Vista is . . .

I'll let you work out the conclusion yourself, but our developers have already drawn their own. There isn't a single developer on our client team who is a fan of Vista, and more than one has vowed that his next computer will be running OS X.

Other folks have reached similar conclusions. I don't have any particular love for PC Tools; it should be duly noted that the more insecure people think Vista is, the more software PC Tools can sell; and I certainly don't accept PC Tools' definition of malware without significant qualification. But it's still interesting to note that in a recent study published on the PC Tools website, potentially unwanted software was actually more common on Vista than on older versions of the OS. Not surprisingly, MS has blamed users for ignoring the multitude of dialog boxes that Vista subjects them to. Somewhat more surprisingly, nobody at Microsoft gets that Microsoft's ongoing inability to differentiate between real threats and reasonable software is itself a large part of the problem.

I've said it before (here, here and here, for instance), but I'll say it again: MS needs to figure out how to fix their broken value curve, and fix it quickly.
