October 13, 2006 1:56 PM PDT

Security firms skeptical about Vista shift

Security rivals' reaction to word that Microsoft will make changes in Windows Vista to allay competitive concerns: We'll believe it when we see it.

On Friday, Microsoft said it will give security software makers technology to access the kernel of 64-bit versions of Vista for security-monitoring purposes. Additionally, the company said it will make it possible for security companies to disable certain parts of the Windows Security Center in Vista when a third-party security console is installed.

Microsoft made both changes in response to antitrust concerns from the European Commission. Led by Symantec, the world's largest antivirus software maker, security companies had publicly criticized Microsoft over both Vista features and also talked to European competition officials about their gripes.

Security companies are taking note of the changes Microsoft said it would make to the operating system update, but will judge the outcome when they actually see them.

"We have not seen anything yet," said Cris Paden, a Symantec spokesman. "These are technical issues. Until we actually see the APIs, all we know is what they have said in the media. So far they have not done anything yet."

APIs, or application program interfaces, are the actual parts of Vista that Microsoft on Friday said it would make available so that security companies can access the Vista kernel and disable parts of Windows Security Center.

"If it is true, then it would be a step in the right direction for giving customers the choice to use whatever solutions they would like," Paden said.

Inside Vista

The technology to suppress Windows Security Center alerts should be available next week, but APIs related to kernel protection still need to be developed and may not be ready before Microsoft ships Vista to PC makers and CD factories, said Adrien Robinson, a director in Microsoft's Security Technology Unit.

"We do not want vendors... accessing the kernel through unmodified approaches or modifying the kernel," Robinson said. "We will not allow them to go on the fly and modify the kernel, basically circumventing PatchGuard. We need to work with them on the right approaches to work with PatchGuard."

Points of contention
Kernel protection and Windows Security Center were two of the main points of contention between Microsoft and its security rivals. Symantec, McAfee and others had charged that Microsoft was hurting the competition and creating an unfair advantage for its own products through these features.

In 64-bit versions of Vista, the kernel protection, or PatchGuard, not only locked out hackers but also prevented some security software from running, security companies have said. They had asked for a way to access the kernel, which Microsoft insisted would hurt the security and stability of Windows. Microsoft now says it will provide that access, albeit in a controlled way.

"We have committed to create a new set of APIs that will enable third-party security products to access the Windows kernel in a secure manner," Microsoft said in a statement on Friday.

Windows Security Center, a key piece of Windows Vista real estate, tells people the status of security on their Vista PC, such as whether antivirus software or a firewall is installed and running. Security rivals have asked for a way to disable the Windows Security Center in favor of their own security dashboards.

Microsoft appears to be granting some, but not all, of that wish. "We are creating a new set of APIs to ensure that Windows Security Center will not send an alert to a computer user when an alternative competing security console is installed on the PC and is sending the same alert instead," Microsoft said in a statement.

Windows Security Center will continue to be running on the system so that a customer can have a cross-vendor, cross-technology view of the security on their Vista PC, Robinson said. In other words, third-party products won't be able to completely hide the Windows Security Center interface, which is what security companies had asked for.

Still skeptical
McAfee and Check Point Software Technologies, maker of ZoneAlarm security software, welcomed Microsoft's announcement, but, like Symantec, reserved judgment.

"We are encouraged by Microsoft's recognition that there is a problem. However, we do not have specific information on the nature of these changes, or their timing," said Siobhan MacDermott, a McAfee spokeswoman. "As more information becomes available, we will study it carefully before forming a view on whether Microsoft's plans provide a reasonable basis for addressing these issues."

Check Point's response also stressed that the clock is ticking on the release of Vista.

"We are encouraged to see Microsoft taking the security industry's concerns seriously," said Laura Yecies, general manager of Check Point's ZoneAlarm consumer division. "Once we have a chance to see what capabilities the new kernel-level APIs will extend to us, we'll have a better idea if they will be adequate. We hope to see those new API's soon."

Timing is of the essence. Security providers, including Symantec and McAfee, want to have products available that work with Vista the moment it is released. Vista, the long-awaited successor to Windows XP, is slated to be available to large business users next month and the general public in January.

"If the APIs exist, then Microsoft should make them available to the security industry immediately," Symantec's Paden said. "We will have Vista compatible solutions when the operating system is finally available for consumers. Last we heard, that was going to be January; therefore, we need these APIs yesterday."

See more CNET content tagged:
kernel, security company, API, Check Point Software Technologies Ltd., rival

15 comments

Join the conversation!
Add your comment
If they don't like it, then build their own OS
If these security firms do not like the way Vista will be dealing with security, then let them build their own operating system.

I am so sick of everyone crying monopoly. Maybe Microsoft doesn't always get it right, but if they are so bad why are the majority of people using their systems. There are others...
Posted by swvaboy (7 comments )
Reply Link Flag
I fully agree
stupid symantec and macafee should thank microsoft for giving them opportunities to provide their crappy anti-virus software until today. without microsoft they would have been dead by now and their ceo and etc were all wandering around corn fields without home.

the reason why many crybabies use windows while whinning is obviously because microsoft's competitors such as apple, sun, novell, redhat, and etc etc are all clueless and don't know how to make a os better than Windows.
Posted by hamatachi (7 comments )
Link Flag
Monopoly 101
The vast majority of people use Windows, in the order of
92-95%. Other OSes have a very small market share.

So, for good or bad, Microsoft has a monopoly.

When a monopoly exists, most governments have controls to
limit the company from using their monopoly to benefit its other
products.

A monopoly in the OS allows Microsoft to determine what
software runs on it and gives the company the possibility of
favoring its own products over those made by competing
companies.

There are several ways it could do this: (1) withholding
information about how to write software for the OS, (2) requiring
those who sell the OS to not sell the competing software, (3)
offer sellers a cheaper price if they don't sell competitor's
software, and (4) restricting access of non-Microsoft software to
parts of the OS which only Microsoft has access to.

Microsoft has already used methods 1-3 extensively in the past,
which is why governments have stepped in to prosecute them. It
has used method 4 less extensively and the concern is that that
this what it is now attempting.

Without a level playing field, other software makers cannot
effectively compete with Microsoft.

Hence the concern.
Posted by dotmike (154 comments )
Reply Link Flag
Lock it!
Lock the kernal! Lock it! Let Symantec & McAfee pander their security software in some other manner. If the kernal is open to them, it'll (eventually) be open to The Bad Guys. Lock it! As a user I demand security, not an insecure OS that I then have the choice to buy overpriced, bloated "security" suites.

Why must Microsoft make Vista less secure just to please security firms? What screwed up thinking is this?
Posted by ScottMo (71 comments )
Reply Link Flag
It's spelled kernel
<eom>
Posted by Hardrada (359 comments )
Link Flag
avast! is ready now
Who needs McAffee or Symantec. avast! antivirus is Vista compliant right now.
Posted by bob3160 (30 comments )
Reply Link Flag
And may be less secure because of it.
I don't think I trust the software that uses the Microsoft API's I strongly suspect that they will make it easer for malicious software to screen itself from the Anti Virus products. AV software should run at ring 0. It should also see all input and output BEFORE the operating system gets it.

When the operating system hands the data to the AV software and not the other way around, a compromised operating system can prevent the AV from seeing anything it wants.
Posted by ralfthedog (1589 comments )
Link Flag
Computer Users Skeptical About Security Firms
Rather than whining about Vista, McAfee and Symantec should concentrate on improving the quality of their products. Their products are currently buggy, bloated, messes.
Posted by john55440 (1020 comments )
Reply Link Flag
Norton slow
I agree fully. I installed Norton Internet Security and it ground my fast pc to a crawl. It also integrated itself that fully into my operating system I found it quite difficult to remove completely. I think all these firms are taking the **** a bit. They have got to be. Microsoft are going out of their way to accomodate them. Risking the hard work they have put in to making the operating system as secure as possible.
Posted by kellyibt817Tj (2 comments )
Link Flag
Security firms should stop whining!
Security firms are like leechers living on flaws that appeared on other organism (Windows in that case). Why don't they sue Apple Mac over antitrust? Isn't Apple worst than MS? everything is made by them, from hardware to software's software; how is that not 'antitrust'?

MS is just taking steps to improve its OS, and now Security firms are forcing MS to reveal how they did it, what if someone from the inside decides to sell or even leak those API to malicious people? (like what happened to the MS Windows 2000 source code). We could all be in trouble.

IF someday MS decides to close down and invalidate and disable all those copies of windows out there, i'd laugh in the face of all those security firms!
Posted by Jaeboy (1 comment )
Reply Link Flag
no sense
I'm sorry, but this makes absolutely no sense. First off Apple is in no way open to anti-trust violations, they have a single digit percentage of the market, and they don't stop other software companies from making software that runs on their system! Microsoft makes Word for their system, and other software writers do likewise.
I have been using the Vista betas since they came out, I have ran every iteration of Windows since it came out and I am definitely not happy about MS locking the security firms out of the kernel. With MS in control of security we will only know what they want us to know about lack of security with no way to balance the issues. The issue of MS someday, "deciding to close down and invalidate and disable all those copies of Windows out there," I would think that would tie them up in criminial court, not civil, for a long time! People buy their software, with no time limit(yet) on the life of it, so MS would be stealing the users property if they did such a thing. They can, and do, quit supporting the software, but they can not send a secret command to make it stop working so the user is screwed! They could use this technique with pirate copies, but as they have found out recently with their Genuine Verification process, this hits a high percentage of legitimate owners for one reason or another, not very good public relations! MS pushing this type of argument as needed for security, will eventually drive users, who are seriously concerned about security issues and draconian DRM issues will switch to open source OS, such as Linux or BSD, which are more secure to start with! Laughing in the face of all those security firms would be the same as laughing in the face of all Windows users all over the world! Why would you want to do that?
Posted by dland51 (91 comments )
Link Flag
security through obscurity
What you are talking about is security through obscurity. If somethings security is dependent on the bad guys not knowing how it works, it is not secure. Any slightly brain damaged baboon can decompile code. Sometimes after quite a bit of home made vodka.

Decompiled code looks a little messy, you loose formating ,variable/function names, and other stuff like that, but with a little work you can understand what is going on.

If security through obscurity worked, Windows operating systems would never be hacked. Want your operating system to be secure? Publish the source code.
Posted by ralfthedog (1589 comments )
Link Flag
About time...
...and before anyone whines, hey - OSX and Linux have very open kernels, and yet their security is miles beyond what MSFT has to offer, even now.

IMHO, it would've been fun to watch MSFT shut tight microkernel-level access, and then watch 'em choke on their own blood the moment some bright spark managed to hose Vista with only "we'll get it fixed four tuesdays from now" as the poor Windows consumers' only response.

/P
Posted by Penguinisto (5042 comments )
Reply Link Flag
Security Concepts that Microsoft still doesn't "get".
Non-microsoft anti-malware products would not be begging for ways to "hook the kernel" in Vista if Microsoft would supply APIs that properly-signed security products could effectively use.


To implement advanced detection techniques, anti-malware products need to monitor things like File I/O, Registry access, Network I/O, keyboard input streams, Screen Scraper data paths, etc.


In some cases, Microsoft supplies an API for third-party monitoring, but they make no distinction between "Security" products and regular applications using the APIs. For example, the file I/O Filter Manager allows multiple apps to monitor file I/O, but there is no way for a Security app to guarantee it is, say, the first and/or the last app to view the file data. Microsoft can use internal OS knowledge to allow their security monitors to do so, but they don't have a way to let signed, registered third-party security apps request and negotiate the "altitude" of their filter in relationship to other apps.

Microsoft also doesn't provide the APIs, for example, to monitor code that is being loaded and run via complex unpacking and decrypting techniques used by malware, nor can such code be "whacked" if the unpacked code behaves in certain ways. Perhaps it's because OneCare doesn't yet need this capability, but more likely it's because they failed to hear the widespread requests for such things. Again, if Microsoft were to implement the APIs to do this so that security vendors didn't have to hook the kernel to gain access to this functionality, they would likely model it after their existing APIs and thus fail to grant "altitude" negotiation when multiple apps request access to the API functionality.

The best saw that I have heard to describe why Microsoft won't be able to supply usable APIs is this: "Microsoft sees into the future perfectly, but they can't hear others talking, even about the present."

With Microsoft's recent announcement that they will provide "API's" for third-party security apps to use, it will be interesting to see if they "get it" or if they just pass out a few APIs that complicate the problem rather than addressing it.

(I've spent many years writing kernel-level security monitoring and control software to work around these "missing" APIs, so I would be very happy if Microsoft does the right thing!)
Posted by atglabs (7 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.