Reading the new Duo Labs report on Windows OEM bloatware vulnerabilities, “Out-Of-Box Exploitation”, I was struck by a thought: the reason Apple hardware does not have the vulnerable bloatware problem is that Apple does not have a bloatware problem at all. And the reason for that is that Apple prioritizes the customer’s happiness above all, and the out-of-box experience in particular. So much so, in fact, that people fetishize taking the product out of its packaging. This video, one of who-knows-how-many, has 737,414 views on YouTube:
So although Microsoft employs very good engineers, including very good security engineers, the end result is awful. What went wrong?
Microsoft famously (historically, and apparently still) catered first to application developers (independent software vendors, or ISVs) and to OEMs. Microsoft saw, or sees, OEMs and large enterprises as their true customers; Apple sees individuals as their true customers. Apple wants to make money by making you love their machines, while Microsoft wants to make money by helping OEMs make money.
Obviously, both approaches work great, even though the results are wildly different and have huge implications for software security internet-wide. It is interesting to note that when you are Microsoft’s direct customer, such as when you are buying thousands of MSDN seats or large IIS and SQL Server deployments, you do in fact get Apple-level care and quality.
One way of understanding that is to observe that, of course, paying customers get the quality they want. But I don’t think that fully explains what’s going on; after all, Dell’s and Acer’s customers paid money. Is it simply a matter of margins?
I’m not sure it is, because Duo Labs found the same problems even with the premium Microsoft Signature Edition machines, even the premium-/business-grade Lenovos. I think Microsoft baked the security and user-experience quality problems into the platform when they decided to prioritize the needs and preferences of OEMs and large enterprises over those of individual people using the systems.
Especially now that we increasingly live in a mixed enterprise/personal computing environment — BYOD started because executives wanted to use their fancy iDevices at work, because the devices were so good! — prioritizing the needs and preferences of the people actually using the systems to actually do work seems increasingly like a fundamentally good decision for security, user experience, and quality generally.