Brou-ha-ha erupts (over spilt milk) between Microsoft and security vendors
According to a Reuter's report, Microsoft is saying that security solutions provider McAfee was out of line when it basically brushed off the software giant's promise to give third party security companies the information they need in order intercept certain security componentry in the 64-bit version of Windows Vista. After Microsoft announced it would be making the information available to companies like McAfee and Symantec in attempt to assuage the concerns of European antitrust officials, McAfee officials referred to the promises as "hollow assurances." According to the Reuters story:
U.S. software giant Microsoft last week promised the European Commission, with which it is embroiled in a long-running legal battle, that it would provide necessary information to security firms.
But, it's apparently Microsoft's open-ended timetable that caused the security community to bristle. Said the Reuters report:
Microsoft said on Thursday it could change Vista to deal with the concerns of security software makers only when an update came out. It gave no timetable.
The stinging criticism comes on the heels of earlier skepticism on behalf of McAfee and other security vendors that basically amounted to a "we'll believe it when we see it" attitude -- an attitude that was largely affirmed by the lack of any specific target date.
Microsoft itself was a bit frosted over the recriminations:
Microsoft said on Friday that security software firm McAfee's criticism of its provision of security information on the new Vista operating system was "inaccurate and inflammatory."...."It's unfortunate that McAfee's lawyers are making these kinds of inaccurate and inflammatory statements," said Ben Fathi, corporate vice president of Microsoft's security technology unit....He said Microsoft was being even-handed in developing the needed software, which would happen "in the months ahead."
But other security vendors appear to be equally concerned. For example, today, on his company's corporate blog, Mikhail Penkovsky, director of marketing and sales at firewall solutions provider Agnitum stated:
The game of ping-pong between Microsoft and third-party security software vendors seemed to be over last week when Microsoft announced its plan to share the source code of its Kernel Patch Protection mechanism.
Kernel Patch Protection (KPP), also known as PatchGuard, is a new security measure introduced by Microsoft for the Windows Vista x64 operating system. Its goal is to prevent malware from replacing a part of Microsoft's core code with its own, thus exploiting the operating system. An unfortunate side effect, however, is the limitations this places on third-party vendors of security software – limitations that are confirmed by security researchers from around the world........On Friday October 13th, Microsoft said it would modify KPP to let third-party security vendors bypass it with their software and give end users the ability to choose their preferred security supplier. To do this, Microsoft would create an Application Programming Interface (API) to let third-party developers access the kernel and disable the Windows Security Center in Vista...
...I guess we should also have taken note that Microsoft made this announcement on Friday 13th – not a date known for good news over the course of history. Because what did we learn today? According to TechWeb
“Microsoft won't roll out the APIs for PatchGuard in the first edition of Vista, but will unveil them with the first Service Pack. Typically, Microsoft deploys an initial Service Pack 12 to 18 months after the release of an OS.”
We’ve contacted Microsoft to try to get this sorted out. We hope. From Agnitum's point of view, Microsoft has made a positive decision – but we don’t have the API yet to analyze it. And of course the biggest losers here are going to be the users. Unless Microsoft makes good on its original announcement to make the KPP APIs available this week, the likelihood is that Vista will ship with a “choice” of security solutions from one vendor – Microsoft.
This of course cuts straight to the antitrust scenario that has European antitrust officials worried. To what extent, if any, will Microsoft's late delivery of those APIs undermine the vibrance of the cottage industry in all of the third party security parties participate? If you ask me, the answer has less to do with when Vista ships than it has to do with when Vista starts to get widespread adoption. That's at least a year away if not more as it has become customary for many users to wait until Microsoft issues an operating system's first service pack before putting that OS into production use. And keep in mind we're talking about the 64-bit version of Vista here. So, while I understand why security vendors wish they had the information sooner rather than later, my personal feeling is that this isn't the sort of issue that's going to make or break their businesses.