05:34 PM

McAfee Slams Microsoft Over Vista Security

Following rival Symantec's lead, McAfee complained that by locking access to the Vista kernel, Microsoft was also blocking security vendors' access to the operating system core.

McAfee joined rival Symantec by taking its beef with Microsoft over Windows Vista public on Monday, saying that the new operating system's approach to security will pose "unnecessary risks to the consumer."

In a full-page ad in the day's Financial Times, and in an interview Monday afternoon, McAfee said that by locking access to the kernel in Vista, Microsoft was also locking out critical access by security vendors to the core of the operating system.

"It's the first domino," said John Viega, vice president and chief security architect for McAfee, of the significance of PatchGuard, a technology to be included only with the 64-bit version of Vista. PatchGuard is meant to stop both malicious code and third-party software from making changes at the kernel level, and has been touted by Microsoft as a defense against such malware technologies as rootkits.

"They've leveraged their access [to the kernel] to give themselves an unfair advantage," said Viega. "That will leave users less secure."

In the 32-bit Windows XP, security vendors like McAfee and Symantec have been able to patch to the kernel in order to implement intrusion prevention technologies that, among other things, sniff out malware by its behavior rather than match a "fingerprint" against an already-issued signature. The 64-bit version of Windows XP also uses PatchGuard, but that OS has made virtually no headway in the market.

"We were able to offer our protection to the consumer by accessing the kernel," said Viega. "But Microsoft's locking vendors out. When the first security vulnerability [hits], what's going to happen?"

"Microsoft seems to envision a world in which one giant company not only controls the systems that drive most computers around the world but also the security that protects those computers from viruses and other online threats," the ad which ran in the Financial Times said. "Only one approach protecting us all: when it fails, it fails for 97% of the world's desktops."

Microsoft has repeatedly said that its own products -- security software included -- must also abide by the PatchGuard restrictions. Viega didn't think Microsoft would be able to resist the temptation. "I don't believe them," he said when asked about Microsoft's promises to steer clear of the kernel. "They're locking out the good guys."

Viega also cited Vista's Security Center, the security status dashboard that Symantec slammed in September. Unlike Windows XP, Vista will not allow third-party vendors to automatically disable the dashboard when their products are installed; users, however, can manually switch off the dashboard.

McAfee doesn't like the fact that users of its products may face two competing dashboards -- Vista's and its own -- and says Microsoft must bend. "Usability is absolutely critical to a good security experience," Viego said. "In many cases, [Vista's Security Center] will go from 'you are protected' before installing McAfee to 'we're not sure you're protected' after it's installed."

Like Symantec, McAfee said it was not officially taking the issues of Vista's security to the European Union's Competition Commission, which has been skirmishing with Microsoft over the operating system for months. At one point, Microsoft threatened to delay Vista's release in the EU if the commission didn't green light its security plans; Commissioner Neelie Kroes, meanwhile, said it was Microsoft's responsibility to figure out what was permissible under the 2004 antitrust ruling.

Most recently, Kroes accused the American developer of running a "coordinated campaign" to discredit her. New reports in the Financial Times today listed encryption and handwriting recognition capabilities as two new Vista features that Kroes' commission is investigating.

"Microsoft is embracing flawed logic," concluded Viega. "It's undermining freedom of choice by inventing a single user interface [for security. It needs to let the customer choose their security provider."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of July 17, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.