Microsoft taking heat over desktop security

By Bill Brenner, Senior News Writer 20 Oct 2006 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

This article originally appeared on SearchSecurity.com.

Microsoft defended itself Friday against accusations of insincerity regarding its pledge to make Windows Vista compatible with third-party security software. The company was also forced to dispute a security firm's claim that the newly-released Internet Explorer (IE) 7 contains a flaw.

On the Vista front, Gartner Inc. analyst Neil MacDonald claimed in an analysis Thursday that while Microsoft's plan to tweak Vista is a positive move, the process will take years and cause incompatibility problems in the short term.

Microsoft didn't address Gartner's assessment directly. But Ben Fathi, corporate VP of Microsoft's Security Technology Unit, probably added more fuel to the fire by saying the company's goal is to provide an initial set of documented, supported kernel interfaces in the Windows Vista SP1 timeframe.

In recent months Microsoft has tried to refute accusations from security vendors such as Symantec Corp. and McAfee Inc. that it was developing Windows Vista in a way that would lock out third-party security products. But last week it caved to pressure from security vendors and antitrust officials in Europe and promised to create additional APIs so rival vendors can access the operating system's core and, as a result, develop products that work more effectively with the operating system.

Christopher Thomas, a legal counselor for Santa Clara, Calif.-based McAfee Inc., fired off an angry statement Thursday accusing the software giant of hollow promises.

"Despite pledges, press conferences and speeches by Microsoft, the community of independent security companies that consumers rely on for computer protection has seen little indication that Microsoft intends to live up to the promises it made last week," Thomas said.

In response, Fathi dismissed McAfee's claims as "inaccurate and inflammatory," adding that Microsoft has "already taken a number of steps to provide McAfee and our other security partners with the information they need."

On the short-term issue of allowing third-party security alerts to replace Windows Security Center alerts, he said Microsoft made the documentation and sample code available to security partners Monday.

"At McAfee's request, we also emailed a second copy of the materials to a senior McAfee engineer at 2:07 p.m. Tuesday, Oct. 17," he said. "We followed up by providing the new builds of Windows Vista with this functionality on Wednesday, Oct. 18, and we held a conference call with McAfee personnel at noon Thursday, Oct. 19, to answer any remaining questions."

As the software giant defended itself against McAfee's claims, it was also forced to refute charges from Danish vulnerability clearinghouse Secunia that the newly released IE 7 has a security flaw.

In an advisory, Secunia said the vulnerability is caused by an error in how redirections for URLs with the "mhtml:" URI handler are processed. Attackers could potentially exploit the problem to disclose sensitive information, the firm added. It did deem the flaw "less critical," however.

Christopher Budd of the Microsoft Security Response Center said in the organization's blog that there is no IE 7 flaw. The issue Secunia warned of is actually a flaw in Outlook Express.

"The issue concerned in these reports is not in IE 7 or any other version at all," he said. "Rather, it is in a different Windows component, specifically a component in Outlook Express. While we are aware that the issue has been publicly disclosed, we're not aware of it being used in any attacks against customers."

He said Microsoft would continue to investigate.

Microsoft released IE 7 this week after a long beta process. The software giant has been touting significant security enhancements in the browser, including an anti-phishing feature.

Tags: Microsoft Internet Explorer (IE),  Microsoft Windows Vista operating system,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Internet Explorer (IE) Admins can wear many hats using Netcat Patching third-party browsers adds more work in Windows shops Four Internet Explorer 8 Group Policy security settings Safe enterprise Web browsing: Five tips in five minutes Top client security tips of 2006 General security configuration: Step 1 Protection against international domain names, URL handling: Step 3 ActiveX opt-ins, information bar and cross-domain protection: Step 4 Windows Vista and IE7: Step 5 Phishing filter: Step 2 Microsoft Windows Vista operating system Windows 7 launches, offers salvation from Vista An intro to Windows 7's Deployment Image Servicing and Management tool Guide to converting from Windows XP to Windows 7 Choosing the best way to install images Has Microsoft corrected Vista annoyances in Windows 7? Microsoft's August patches run the gamut Your questions answered: The Windows 7 upgrade quandary Windows Vista users get little pricing relief on Windows 7 Combining folder redirection with roaming profiles IPv6 protocol, Windows Vista features simplify peer ad-hoc networking

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary ActiveX  (SearchEnterpriseDesktop.com) ActiveX control  (SearchEnterpriseDesktop.com) Internet Explorer  (SearchEnterpriseDesktop.com) Internet Explorer Administration Kit  (SearchEnterpriseDesktop.com) tabbed browsing  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary