Following conversations with the European Union, Microsoft will make two security-related changes to Vista. First, it will create a new set of APIs, which will let third-party security vendors access information from the kernel. Microsoft will also build additional APIs to make sure Vista's security status dashboard -- Windows Security Center -- doesn't send duplicate alerts to users who have installed a rival dashboard.
"I think these are acceptable compromises," said John Pescatore, analyst for Gartner. "Being a security vendor is new to Microsoft. It's only very recently started to sell security products, and I think they just underestimated this issue.
"But it took the EU to sort of say something before Microsoft did anything, so I think that shows Microsoft still has a long way to go before it really understands how it has to operate."
The promise to alter how security companies access the Vista kernel was the more significant of the two changes Microsoft announced Friday. Previously, Microsoft said it would integrate PatchGuard, a technology meant to stop malicious code and third-party software from making kernel-level changes, into the 64-bit edition of Vista. Security vendors objected, however, claiming that by locking down the kernel, Microsoft was locking out their ability to monitor system calls, a technique used by behavioral host-based intrusion prevention systems to sniff out suspect or malicious code.
"Microsoft is still saying the kernel remains unmodifiable," said Joe Wilcox, an analyst with JupiterResearch. "But the APIs will allow access to information going to the kernel.
"Microsoft's saying 'don't mess with the kernel, no one should have access,'" said Wilcox. "Microsoft was, and is, in a difficult situation. I'm sympathetic with the vendors' position. On the other hand, Microsoft has to protect the core of the operating system. But even this API thing makes me nervous. What happens if the bad guys start using it?
"Who is going to get access to this [kernel] information? Will it be to all or just some vendors? If it's just some, someone will cry holy hell over it."
Symantec on Friday had almost as many questions as Wilcox. "While we're encouraged by the announcement," said Chris Paden, a Symantec spokesman, "we have not seen the technical information we need to address our concerns about PatchGuard and the Windows Security Center. Vista is supposed to ship to manufacturing within weeks, so we need that information yesterday.
"If they're willing to commit to a deadline, that would alleviate some of our concerns," Paden added.
Microsoft won't roll out the APIs for PatchGuard in the first edition of Vista, said Wilcox, but will unveil them with the first Service Pack. Typically, Microsoft deploys an initial Service Pack 12 to 18 months after the release of an OS.
"The implementation will take some time," said Wilcox.
Gartner's Pescatore agreed, but cautioned Microsoft not to dally. "The clock is already ticking on 64-bit uptake," he said. "Users will migrate to 64-bit sooner than most people expect, so if Microsoft slips past the 12-18 month range for SP1, that could be a problem."