It is bad enough, for someone with no great interest in the monarchy, that the engagement of Prince William and Kate Middleton has now dominated TV, print and online news outlets for the past 24 hours solid. I know I risk being verbally scolded by the twin-pronged pro-Royalty army that is the combined forces of the blue-rinsed brigade and readers of Heat magazine, but I think I can safely say that the forthcoming Royal wedding is now officially bad news. I can also say that you would be safer searching for porn than searching for news about the Royal nuptials.

Security researchers at the Websense labs have uncovered the first wave of poisoned search engine results to wash onto Google and Yahoo alike, using everything from promises of ‘Prince William Wedding Photos’ through to the much more generic, and likely all the more successful as a result, ‘Prince William Wedding’ as lures to sites which will hit the unsuspecting and unprotected visitor with the latest drive-by download attacks.

This should come as no great surprise, of course, as poisoned search results remain a popular method of driving traffic to infected sites. In fact, the recently published Websense Security Labs Threat Report suggests that a whopping 22.4% of all searches for current news actually lead to malicious results in some form or other. Can I say arse biscuits here? Too late, and I’m going to say it again, but louder: ARSE BISCUITS!

If the Websense figures are accurate, then that’s almost a quarter of all searches for a current news story end up with toxic results that could take you into dangerous online territory.

To put that figure into some perspective, it means that searching for current news stories is now more dangerous an activity than searching for porn, which could leads to malicious sites 21.8% of the time. It’s all the more worrying when you also take into account the fact that, according to the same report, some 79.9% of websites that contain malicious code are actually legitimate sites that have been compromised.

The answer is obvious (no, not search for porn instead of celebrity gossip and Royal news) and involves only visiting known and trusted sources when feeding your news habit. Although you can never say for sure that the likes of the BBC, The Guardian, The Sun or even PC Pro for that matter will never get compromised by some clever hacker, the chances of that happening are far, far less than the bad guys targeting an unpatched small business site server and pointing at that.

They’re also both companies dogged by the sins of products past. The Norton brand is still widely associated with bloated and buggy software, even though NIS has been a slick, lightweight package for several years now.

And Windows is continually ridiculed for its supposed susceptibility to viruses – even though platform security has been enhanced beyond recognition since the bad old days of Windows 98. Only a tiny minority of “in the wild” malware will even run on a fully-patched Windows 7 system.

Malware abounding

That’s not to say malware is dead: earlier this year the Conficker worm infected more than five million Windows PC worldwide. At first glance, that might suggest that Windows’ security is still sub-par. Yet the truth is that when Conficker was released, it spread via a vulnerability that Microsoft had already patched through Windows Update.

And that’s partly the point of Security Essentials. If everyone kept their Windows installation up to date, it would hardly be necessary. But they don’t, and, since Microsoft has a reputation for lax security hanging around its neck, when an epidemic does strike it’s all too easy to point the finger at Redmond – something Apple salespeople in particular do with glee.

So alongside the excellent work the company has done in tightening Windows’ security, it’s now offering a fallback line of defence – a traditional antimalware application, based on an independent database of malware signatures, to intercept any viruses that may stray onto careless users’ PCs.

Yellow scorn

Symantec is well-placed to empathise with Microsoft’s plight; but since the two companies are now rivals, the Norton team has been quick to talk down Security Essentials.

“The security industry has moved on from the product Microsoft is launching,” declared Con Mallon, Symantec’s marketing director, yesterday. “Unique malware and social engineering fly under the radar of the traditional signature based technology employed by free security tools such as Microsoft’s.”

And he does have a point. Signatures aren’t much help against a malicious website that offers each visitor their own personalised Trojan. Nor can they protect you against social engineering, such as phishing attacks that trick you into giving away your credit card details. It’s unarguable that if you rely on Security Essentials you’ll be vulnerable to certain types of attack.

“We believe the false sense of security provided by this tool is almost as dangerous as having no security at all,” cautioned Mallon.

Back to basics

But as the name clearly indicates, “Security Essentials” doesn’t try to protect you against every possible threat. It’s a basic defence against basic malware – the stuff that’s prominent enough to succumb to signature identification. And personally I think that limited ambition is a smart move on Microsoft’s part.

Because, unlike Symantec’s software, Security Essentials isn’t a money-making venture: that’s clear from the free, perpetual licence. As I hinted above, to me it looks more like an attempt to shake off Windows’ reputation as a virus-ridden platform.

And to an extent, it helps that effort simply by existing: no longer can it be said that Windows needs third-party software to protect it from malware.

But the real success would be if it could forestall future epidemics like Conficker.

Less is more

And that’s the crux of the matter. To make that sort of difference, it’s not enough for Security Essentials to compete with other suites: somehow it needs to get onto the millions of PCs out there that currently have no malware protection.

That could be achieved by pushing it out via Windows Update (and setting the malware database to update automatically thereafter). In light of the recent furore over browser bundling, though, that might be a risky approach.

So Microsoft is wooing users who don’t use full-featured security software by offering them something easier, lighter and less intrusive: a security client stripped down to the basics, with a so-simple-it-hurts interface. With no nagging and free updates for life it’s a pretty compelling proposition.

Next week, when I’m back in the office, I’ll investigate whether Security Essentials really is lighter than established suites. But in the grand scheme of things that’s not actually the important issue. It’s the perception of simplicity that could help the software reach machines that would otherwise be unprotected.

If it does, every Windows user will benefit. Microsoft will come away looking very clever indeed, while Mr Mallon may have to eat his words.

But then who can blame Symantec, or any commercial security developer, for dismissing Security Essentials? Their industry is founded on the imperative of offering ever more comprehensive protection. It will be quite an upset if the most effective security package on Windows turns out, in fact, to be the one that does the least.

Once removed, no fewer than two thirds of them (yes folks, that’s two out of three, but I’m building for dramatic effect here), arbitrarily fired up my browser and sent me to their websites to fill out a survey demanding to know why I had the temerity to remove their software from my system. Bloody cheek.

Software that automatically fires up your browser and sends you without warning to a strange website is a hair’s breadth away from malware, in my book. And how long will it be before genuine malware writers find a way to adjust that URL, and send unsuspecting uninstallers off to a site that automatically executes something far nastier than a customer retention questionnaire?

The fact I’ve chosen to uninstall a piece of software means that application should no longer exert any control over my PC, let alone fire up my web browser on its way out. If software companies can’t be trusted to act responsibly with their uninstallers, then Microsoft needs to take that power away from them.