
February 18, 2005 1:13 PM PST

Gartner takes Microsoft to task

Microsoft should be concentrating on securing Windows instead of trying to challenge security software companies, according to research firm Gartner.

Microsoft has bought two antivirus companies and an anti-spyware company--the latter acquisition has already produced an anti-spyware application for Windows--since Chairman Bill Gates launched the Trustworthy Computing Initiative. That effort changed the company's coding practices to make security developers' first priority.

But Microsoft has missed an opportunity to make it clear what role it wants to play in the security market, by not stating its intentions, Gartner analyst Neil MacDonald said in an advisory published Friday. The company needs to "articulate whether it plans to be a leader in consumer and enterprise security solutions across desktop, server and server gateway," he said.

"Microsoft's overriding goal should be to eliminate the need for (antivirus) and (anti-spyware) products, not simply to enter the market with look-alike products at lower prices," MacDonald added.

In the advisory, MacDonald predicted that Microsoft will launch a combined antivirus and anti-spyware product by the middle of 2005. That software will directly compete with established products such as Norton Antivirus from Symantec, he said.

"This move will challenge antivirus vendors that depend heavily on revenue from consumers--such as Symantec--and vendors that derive substantial revenue from upselling enterprises to antivirus product suites that include desktops and servers, such as McAfee and Computer Associates," MacDonald said.

James Turner, security analyst at Frost & Sullivan, told ZDNet Australia that Microsoft's security strategy is a "commercially sensitive" area and that the company is not obliged to reveal its strategy.

"The fact is that Microsoft have purchased a number of security-oriented companies--anti-spyware and antivirus. You don't buy a number of companies for the fun of it. This is part of a long term strategy," Turner said.

Additionally, Turner said Microsoft's attitude to security has changed since the launch of its trustworthy computing initiative. He pointed to the company's response to the recent attack on MSN Messenger.

"You don't just judge a company by what they say, you also judge them by what they do. Microsoft's recent clampdown on MSN Messenger to repair the vulnerabilities there is a clear sign that Microsoft can mobilize very quickly when something is completely within its control. If Microsoft was ignoring security, the market would punish it and so would the legal system," Turner said.

Gartner's MacDonald also rapped Microsoft's decision to create an updated version of Internet Explorer (7.0) for Windows XP only, hinting that the motive for the decision could be to push corporate customers into upgrading their systems from Windows 2000.

"The decision to restrict IE 7.0 to the XP platform also suggests that Microsoft wants to force users of older platforms to upgrade, if they want improved security," he wrote. "If Microsoft wishes to be seen as a responsible industry leader in maintaining security for its products and its customers, it should provide IE 7.0 for Windows 2000 users."

MacDonald said that Microsoft should rebuild IE with security in mind from the bottom up, rather than make "evolutionary" security improvements to the browser software.

The Gartner advisory concludes with recommendations that are likely to cause some concern to traditional antivirus vendors.

The research firm suggests that corporate customers demand that their antivirus provider offers an enterprise-class solution--including anti-spyware--at no cost by the end of this year. It also advises businesses to demand a "converged desktop security product with antivirus, anti-spyware, personal firewall and behavior blocking at a total price no more than 20 percent higher than what you now pay for standalone (antivirus)."

Neither Microsoft nor Symantec was available for comment.

Munir Kotadia of ZDNet Australia reported from Sydney.

24 comments

Exactly right!
Like usual, MS is paying lip service to security.

Security is an inside out thing, not a wrapper. Until they make products to be secure from the ground up, anti-virus companies will continue to see a booming business. Even most of the security 'fixes' seem to be workarounds that hide the flaw.

As for their motives for buying anti-virus firms, that one is easy. They are looking for a way to profit from their incompetence. Why fix something, or better yet do it right the first time, when they can extort money out of its many clueless customers' wallets?
Posted by Bill Dautrive (1180 comments )
Another blow from the same blowhard
Gartner's criticisms are weak, for example criticising MS for producing a new IE for XP only when a quick look at the schedule for that product shows it's going into a limited support mode just about the same time the beta for the new IE will start. A glance at a calendar should also show that Windows 2000 is now five years old, that's getting pretty long in the tooth for a piece of software.
Posted by Not Bugged (196 comments )
Win 2000
On the other hand, Win2K is so similar to WinXP that it is clearly just a decision designed to force an upgrade. A bit harsh, but as a Win2K user I am biased! (I feel that WinXP offers little over Win2K.)
Posted by Andrew J Glina (1673 comments )
Wrong...
From Microsoft's own website: "Microsoft will offer a minimum of 10 years of support for Business and Developer products." This includes security fixes. Since MS opted to integrate IE into Windows, they should provide an IE upgrade for Windows 2000 as a matter of responsibility to their own Product Lifecycle schedule.
Posted by Homer J. Simpson (9 comments )
Good advice...
for a person without a noggin...do yourself a favor and save your money if you buy this crap.

gartner, as usual, releases useless opinions to get ink with no real impact on anyone...let alone their clients. Gee, Microsoft will enter the combined antivirus/antispyware market in mid 2005...fascinating...way to go out on a limb there...

and their overriding goal should be to eliminate the need for antivirus...pretty lofty...i think we all should aspire to that. problem is that no matter how good the software is, it doesn't fix the weakest link: the dumb end user that opens or executes these viruses...thus one of the needs for antivirus after the fact.

no one wants to get sick...but all the medical miracles will never cure the common cold...
Posted by tlite722 (160 comments )
Secure?
"Until they make products to be secure from the ground up", how do they do this? Nobody in history has been able to create a completely secure product, unless of course the product did nothing! All anyone can hope for is to plug most of the holes. It is nonsense to believe they can create a perfectly secure product! Anything created by the mind of man can be broken into or bypassed by someone else. It is fool's folly to believe that any product is totally secure. Operating Systems need additional security features, like wrappers. A multi-layered approach is the only way to secure software, but all layers need to be well designed and executed. To a degree everyone is right, Microsoft, Gartner, DM, Thorst Gorn, and Joe Schmoe, but mostly Microsoft is right. They are attacking the problem in the multi-layered approach. And those who are running Windows 2000 products need to step forward to Windows XP and Windows Server 2003, because by the time IE 7.0 is released, the age of Windows 2000 products will be approaching six years.
Posted by tbeckner (56 comments )
Nobody said it had to be perfect
MS develops software without concern for security, therefore its software is full of holes. Most, I repeat, MOST of the problems could have been avoided with some care. Just because writing secure code is difficult, doesn't mean they shouldn't try.

Countless security patches are not the answer, and if you think so you either know nothing of programming or are incompetent/lazy.

MS is not doing anything right. Even their security fixes are full of security holes.
Posted by Bill Dautrive (1180 comments )
Analysts
Sometimes it seems that analysts can be our enemies.
Since when is anyone or any company forced to upgrade anything based on what Microsoft does? Everybody and entity (company) has free mind and will. I moved over to Firefox, because I was tired of waiting for Internet Explorer updates. Likewise other individuals and companies can also. It may not be easy or even advisable for everyone and every company to do so. But, there is choice in the market. And we certainly don't need analysts to tell us what we need and don't need. Give us your opinion and leave it at that. And yes I know I don't speak for everyone, but, I feel much better...thank you very much.

JC
Posted by (3 comments )
Choice?
What is choice when someone chooses to use MSN Messenger and is then forced to upgrade or not use it? (according to MS decisions)

You talk about a choice to "move over" to Firefox...
Even when you use Firefox, you are still using IE because you are still using Windows.
Posted by Prndll (382 comments )
What did you expect?
Seriously. Did you expect MS to really secure Windows? Everything MS has done to 2K, XP and probably Longhorn is intended to Band-Aid the core problem. And that problem is the default security in Windows sucks. Even MS knows that Windows code is such a cluster**** that they aren't focusing on securing Windows but securing the perimeter. Anti-Adware, anti-virus, firewalls, are there because MS is incapable of locking down the OS itself. And let's say for the sake of argument that they could lock down and secure the system. Even if they could they can't. MS, actually Bill Gates under oath during the anti-trust trials stated that there are some security flaws that are in Windows because it allows the OS to function a certain way or it allows software to function a certain way. He was understandably vague since security by obscurity is a very dangerous way of securing your OS. At any rate the point is if MS did indeed lock down the OS they would break backwards compatibility and that isn't something MS can risk without potentially endangering their beloved desktop monopoly. Maybe things will change in Longshot but I'm betting money not. I've got a running bet with a friend on when the first worm will be out for Longshot. I'm guessing 4 months. He's saying a year. We'll see. We'll see.
Posted by Jonathan (804 comments )
4 months = eons
I'll one-up ya and say in the first quarter.
Posted by css2 (9 comments )
Shovel + Land = Poor Miners
Obviously M$ believes the negative hype about its own products. It is clearly stating that it cannot write safe code.

We may never have safe computing, but why lie about it and make money from it?

Bye Bye Bill.
Posted by css2 (9 comments )
This guy doesn't get it
Microsoft is spending billions of dollars improving the security of their software. Just because they are also planning to offer antivirus products does not mean that they are not going after root cause. They are just adding one more line of defense. No company in the world is investing as much money, time and effort as Microsoft is into solving the root causes of their security issues.

This is good strategy and a smart business move.
Posted by (1 comment )
re
<No company in the world is investing as much money, time and effort as Microsoft is into solving the root causes of their security issues.>

Yet, their products are still the most unsecure in the world.
Posted by Bill Dautrive (1180 comments )
How about this.
According to the guy who created wild tangent and helped develop DirectX stated in an article the only way Windows was ever going to become secure is if Microsoft rewrites it. Take that for what it's worth.
Posted by System Tyrant (1453 comments )
Marketing Does Not Mean Secure
Microsoft has sat in its marketing advantage for years, and Bill Gates believes his own marketing hype and legend (no reality to any of it), Steve Ballmer is so out of touch. Fact is for years Microsoft has created the very problems it now wishes to solve has removed itself from its customers because well fact is they were all we could get even if we did not want their product but wanted a computer.

So as with the birth of Microsoft itself they buy and they have billions not some well known security product company but a privately held corporations that used spam to promote their security products from third world countries. This is not to say they do not have first rate programmers. Only that Microsoft could not buy any of the top security software vendors and their products, knowledge, or expertise. Yet now we are supposed to trust Microsoft? If they write the code and do not know how to make it secure how innovative and inventive are they truly? Or are they just putting those billions into patents are well known concepts and prior art like an adding machine, a type writer, a ledger sheet? Or a standard software patent for a standard itself.

Longhorn is just that a lost cause I feel as the cattle of the old West Angus came along and replaced them. Windows XP is like a console stereo of 1960 so much stuff inside it one part breaks the rest is useless. Work with their stud I do trust them well lost any trust in them around 1997, when Bill Gates not unlike Al Gore thought he invented the web.

Microsoft now want to take secure their own OS serious only they do not know how to do it so buy someone that hey a million is a lot of money in their country company and its free trust us. Me the dot com idea that you make money by offering it free is gone because you cannot make it free you will charge me now or later. The web is a dial tone that buzz you hear in the phone the faster the dial tone is clear and not for profit the better. Microsoft cannot be everything and I do not know what customer they listen to because I have not been able to actually confirm other than their actions that they simply did not listen are two days late and may have billions but you cannot buy me into your product for a buck!

Ha! LOL all the web short hand expressions Microsoft+secure= DAH
Posted by (2 comments )
first priority is money
Now if there was perfect software the software writers would soon become unemployed. It is in Microsoft's best interest NOT to make secure/good/bugfree/featureful software. If you can make people upgrade you can charge them money.

Now if there comes a guy who thinks that this isn't good and writes some good/secure software and commits the atrocity of releasing it OpenSource what do you do? Because this heralds the end of the (imperfect product+ patches = imperfect product + money) strategy... But the guy with the money can do anything.

I say if Microsoft could profit on some obscurity like the Earth being flat in a short time you'd find TONS of "Get The Facts" studies made by famous research institutes financed by M$ proving that the Earth was flat. That's FUD for you.

But hey for many people it's about money.
Posted by (92 comments )
 
