Microsoft, Security Vendors Spar

Microsoft, Security Vendors Tread Carefully: Microsoft and security vendors circle each other as Vista prepares to launch.
McAfee Chides Microsoft Over Vista Security Policies: Speaking of dysfunctional relationships, McAfee takes on Microsoft.
Microsoft Picks up Desktop Standard: The move bolsters the software giant's enterprise desktop management

Microsoft, Security Vendors Tread Carefully

One of the most interesting parts of Microsoft watching is the relationship that Microsoft has with all the third-party software vendors that make products for the Windows platform. eWeek Labs Director Jim Rapoza reports the relationship is a lot like the fable of the lion and the mouse.
Microsoft needs all the little mice around to remove thorns and generally take care of tasks that the lion can't take care of itself. And the mice get to live off the food that the lion gets.
For the most part, the relationship works, except that the mice constantly live in fear that the lion will eat them or, in Microsoft's case, go into the software vendor's market and take it away from them.
But of all the Microsoft-vendor relationships, none is more interesting than the dysfunctional family that is Microsoft and security vendors. It must be a little galling to Microsoft that there is a whole category of very successful and profitable companies that basically exist to clean up after Microsoft's screw-ups. But Microsoft is also a little afraid to make these security vendors too angry, as no one is in a better position to make Microsoft software look bad than security vendors.
And these vendors live in constant fear that Microsoft will either get its security act together or, more likely, decide to release its own security products. All of this leads to a strange kind of Cold-War-like battle where the two sides fight, but in a way that's designed to not make the other side too angry.
This has recently been playing out in the fight that has been brewing over the security console in Vista. Large security vendors such as Symantec are concerned that Microsoft will lock them out of the security console, essentially making their security products much less visible to users. These vendors have been campaigning to get Microsoft to open up the security console to third-party security tools.
But this whole campaign has had a very careful approach to it. One good example has been some recent releases from Symantec.
On the one hand, you have Symantec and McAfee taking out very critical high-profile ads arguing that by locking out security vendors, Vista will be less secure.
But you also have Symantec putting out a security bulletin highlighting that Internet Explorer had fewer vulnerabilities than Mozilla browsers.
Some people might think this is just a coincidence, but to me it looks like a classic carrot-and-stick approach. The security report reminds Microsoft what good friends big security companies can be. And, as I noted in another article, it probably won't escape Microsoft's notice that the Symantec report could have easily highlighted the fact that Microsoft took an average of nine days to fix IE vulnerabilities, while Mozilla browsers were fixed in an average of one day.
All of this will be fascinating to watch as we wind down to the release of Vista. My guess is that some form of détente will be reached between Microsoft and the security vendors over the Vista security console.
Because if they don't, Microsoft may get a serious case of indigestion from eating these particular mice.

McAfee Chides Microsoft Over Vista Security Policies

Officials at security specialist McAfee said that Microsoft has flatly rejected a series of proposals meant to help ease integration between third-party software applications and the company's next-generation Windows Vista operating system.

High-ranking officials with McAfee, a provider of security applications and longtime partner of Microsoft's, said that the software giant refused its suggestions for altering the manner in which aftermarket security tools are allowed to interact with the Vista OS, which is expected to arrive on the market as early as November 2006.
At the heart of the issue are two technological innovations being built into Vista by Microsoft that McAfee and other firms including anti-virus market leader Symantec contend will make their security software products less effective.
The complaints have been specifically aimed at new methods being employed by Microsoft to better lock down its upcoming OS from outside attacks, and arrive at a time when the software giant is also aggressively moving into the lucrative security applications arena.
One of the technologies, Microsoft's PatchGuard system, which is designed to block access to the software kernel in 64-bit versions of Vista, will keep applications such as behavior monitoring and intrusion prevention systems from functioning as effectively as in the past, according to McAfee.
The other tool, dubbed Windows Security Center and meant to inform users when their PCs' security applications are not functioning properly, will provide consumers with a false sense of protection and steer users away from third-party security applications, McAfee said.
Frustrated by its belief that PatchGuard and Windows Security Center will limit the efficiency and exposure of their company's products, McAfee officials said they approached Microsoft, of Redmond, Wash., with two separate proposals offering alternative methods of protecting the Vista kernel and providing desktop security information to users, respectively.
Those proposals were flatly rebuffed by Microsoft, leaving McAfee with no choice but to take its complaints public, company officials said.
"We proposed two solutions to the fundamental impediments we believe to exist in Microsoft's attempt to protect the operating system and they have rejected these proposals summarily," said George Heron, chief scientist with McAfee, based in Santa Clara, Calif. Microsoft counters that it has been working with McAfee for two years.

Microsoft Picks up Desktop Standard

Microsoft has bought DesktopStandard, a developer of group policy-based enterprise desktop management products, in a move designed to help customers leverage the value of policy-based management and their investments in Active Directory, reports eWeek's Peter Galli. But, while the acquisition includes the DesktopStandard intellectual property, facilities, contracts and customer base, it does not cover the PolicyMaker Application Security business.
Those software products will now be available from BeyondTrust, formerly a wholly owned subsidiary of DesktopStandard, which focuses on enterprise security products that eliminate the need for security administrators to place trust in computers or users.
John Moyer, DesktopStandard's CEO and co-founder, will become BeyondTrust CEO, while Eric Voskuil, DesktopStandard's CTO and co-founder, will join Microsoft's Windows Enterprise Management division as a software architect.
If you want to know more about the deal, Microsoft has posted a set of questions and answers about the acquisition on its Web site.


Microsoft Watch Information

Copyright 2006 Ziff Davis Media Inc. All Rights Reserved. Ziff Davis Media Inc., 28 East 28th Street, New York, NY 10016. The Microsoft Watch newsletter and Code Name Tracker are intended for the individual use of the recipient only, unless licensed. Reproduction in whole or in part without permission is prohibited. Microsoft Watch is an independent publication, not affiliated with or authorized by Microsoft Corporation.