Microsoft Partners Fuming Over Vista
By JORDAN ROBERTSON (AP Business Writer)
From Associated Press
October 20, 2006 11:59 AM EDT
SAN JOSE, Calif. - Microsoft Corp. is no stranger to antitrust skirmishes and complaints from competitors about unfair business practices.
But the latest fight over its upcoming Vista operating system pits Microsoft against an unlikely adversary: the security software vendors who are some of its most intimate partners in protecting its notoriously vulnerable systems from attacks.
As Vista's planned release nears, the company is facing a backlash from such vendors as Symantec Corp. and McAfee Inc., which argue that even the concessions Microsoft recently made to appease European antitrust regulators won't do enough to help them best protect their customers.
"We've been talking to them for over two years on this issue," said Rowan Trollope, Symantec's vice president for consumer engineering. "And now (with) basically a very short amount of time before the operating system comes out, we're not in a good position to provide that security to our customers."
Ultimately, consumers will decide whether Microsoft's own security measures are adequate to combat increasingly sophisticated Internet threats and keep personal data safe from hackers and online criminals.
But the showdown also marks an important turning point in how computer users buy security software.
Microsoft now competes directly with Cupertino-based Symantec and Santa Clara-based McAfee with its own product, called OneCare, posing a substantial threat to vendors who have been vital to protecting generations of Microsoft operating systems.
European antitrust regulators have warned Microsoft not to shut out rivals in security software and other markets, and the European Union so far has fined the Redmond, Wash., company $970 million over the current flavor of Windows.
To quell EU concerns about Vista, Microsoft pledged to make key changes, but the vendors remain unsatisfied and have threatened antitrust lawsuits. McAfee issued a statement Thursday complaining of the company's failure to live up to "hollow assurances."
Industry analysts said Microsoft's new dual role could inadvertently make the operating system more vulnerable.
"Microsoft's priority should be simple: Fortify the operating system, make it secure, make it as impenetrable as possible, but work with the third parties," said Joe Wilcox, a senior analyst with Jupiter Research.
Vista will be Microsoft's first major upgrade to its flagship operating system since Windows XP's release in 2001. The company touts Vista's sleeker looks, improved search capabilities and simplified organization as key upgrades over previous systems.
But several key security changes prompted Symantec and McAfee officials to launch withering public attacks in recent weeks.
Executives accused Microsoft of unfairly promoting its own security software with a dashboard that couldn't be disabled by vendors. The company pledged technological information to turn off the feature, designed to help customers easily see what protections are switched on.
Vendors also howled over an icon on the welcome screen linking to Microsoft security products. Microsoft refused to remove the link but has vowed to link to other security companies.
The biggest - and currently unresolved - fight hinges on vendors' claims they have been locked out of access to the core, or kernel, of higher-end, 64-bit versions of Vista.
A new feature called PatchGuard is meant to protect the most sensitive information in the guts of the system. While blocking out hackers, PatchGuard also keeps out security vendors that have traditionally been allowed inside to retrieve necessary information.
Vendors said their products will thus lack advanced security features for 64-bit users (The 32-bit version that consumers are likely to get does not include PatchGuard and thus offers access to the disputed data).
Microsoft said the methods previously used were undocumented and unsupported and left the system less secure and less stable. Customers, the company said, demand better security.
The company has agreed to permit limited kernel access, but will not provide a "blanket exception" or turn off the feature entirely, said Stephen Toulouse, a senior program manager in Microsoft's Security Technology Unit.
"We did look at that, but we got consistent feedback that that wouldn't be a good option for the customer," he said. "We want to make clear that we will work with those vendors. It will take some time, but we're committed to making that happen."
Microsoft held online briefings with security vendors on Thursday to address their concerns, though technical difficulties booted some vendors out.
Security vendors said their engineers are going to have to scramble to update their software once the technical tools they need become available, which could be months away.
Vista begins shipping to computer manufacturers and larger businesses next month. Consumers should be able to buy the new operating system in January.
"We're turning blue holding our breath waiting for something to happen," McAfee chief scientist George Heron said in an interview. "And frankly so are the users. This is the 11th hour. Now is not the time to crack open the designs."
In the meantime, third-party vendors said their products will work but won't have maximum protection. Microsoft said its products will adhere to the same rules and won't have an unfair advantage.
Security experts said it's unclear whether Microsoft's stance on protecting the kernel will make Windows more secure, though it will likely challenge hackers to try to crack it.
"No matter how secure any operating system is, if it has been built by man, it can be broken by man," said Ken Dunham, director of the rapid response team at VeriSign Inc.'s iDefense Intelligence. "While it might be a major improvement, there is no silver bullet."
Vendors said customers are likely to agree.
"It's a little bit like the fox guarding the hen house," Symantec's Trollope said. "If Microsoft can control the ways that companies can innovate, if they can control the dialogue of security with the customer, you end up with a security monoculture. And that's unacceptable."