Microsoft yield to McAfee and Symantec!

After only yesterday security giants McAfee and Symantec slammed Microsoft again for failing to deliver on the promise to provide information meant to allow security vendors to build products that will interoperate with Vista, today Microsoft announced it will finally make good on its transparency promises.

The company has promised McAfee and Symantec that it will provide more API information during online briefings later today. The PowerPoint briefing is due to start at 8.30 Pacific time (16.30 GMT).

California-based McAfee and Symantec said the meeting is a first step, but they need detailed technical information to protect customers from malicious software. "We are looking forward to seeing Microsoft describe the basis for their security design in Vista," McAfee chief scientist George Heron said. McAfee spokesman Cris Paden said, "A timeline to deliver detailed technical information would ease our concerns."

On Wednesday, Microsoft Chief Executive Steve Ballmer brushed aside questions bought about by McAfee. "We have taken to put Windows [Vista] in the marketplace on schedule and we are absolutely executing on all of the plans properly," he said. More broadly, Ballmer said of complaints by security companies: "We are through that ... We're prepared to release our product."

Whatever happens, however, it appears unlikely that the two most important security software vendors will be able to bring their full suite of Vista products to market before Microsoft's scheduled release of Vista to business users in November. This means a lot of their clients will not upgrade to Vista just yet, until they are certain there will be fully functional security software available.

McAfee and Symantec released yesterday almost simultaneous statements criticizing Microsoft's apparent lack of transparency. McAfee claimed that although it received some information on the upcoming Windows Security Centre, Microsoft has failed to answer any clarification questions. In fact, the security software developer said "to date, we have not had any cooperation from MS and no response on McAfee's repeated requests to review the information."

"Contrary to what it says publicly, Microsoft has not cooperated with the leading security providers. In fact, we have not received anything at all from Microsoft concerning PatchGuard. From McAfee's perspective, it is not at all acceptable for MS to wait until a service pack and not offer us kernel access until after the launch of Vista. We urge MS to give security vendors this access as quickly as possible and not wait until the eleventh hour so that we can offer our customers the best protection."

Symantec was also quick to react to the veil of secrecy Microsoft tries to put over its upcoming Windows Vista. They said on Wednesday "Symantec has yet to actually see the final detailed information needed to address our concerns regarding Windows Security Centre or PatchGuard."

"The operative question is exactly when will the final detailed information be made available to security providers?" says Symantec, along with most of the security software developers. Microsoft was not only risked feuding with the two security providers, but also to clash again with EU legislators, because only last week it promised the European Union's executive it would alter its forthcoming new Vista operating system to enable rival firms to develop ancillary software.

The European Commission was concerned, apparently on good grounds, that Vista is designed to give its own security software an edge over the products of competitors such as McAfee and Symantec. Microsoft Vista boasts a kernel-protection mechanism named "PatchGuard", which protects the kernel from unauthorized changes. For security software to work properly, it needs to circumvent the protection and alter the operating system kernel.

Microsoft, along with comparatively smaller security software firms Sophos and Kaspersky don't believe that patching the operating system is a necessity for security, and say PatchGuard shouldn't get in the way of application developers. In fact, Sophos says it has no need to currently access the internals of the Windows kernel.

Microsoft has pledged to allow security companies to sidestep its "PatchGuard", but "contrary to what it says publicly, Microsoft has not cooperated with the leading security providers," according to McAfee.

Security software providers also claim hackers and virus makers will find ways around it. Symantec for one claims it has already figured out ways around PatchGuard, which means hackers have as well. But if Symantec were to release a product that bypasses the protection, Microsoft has promised an update to Vista that will cause the computer "to bluescreen."

"We of course cannot pursue a path when Microsoft tells us that they will bluescreen our customers machines. Hackers on the other hand have no such issues. Once they workaround PatchGuard (which they already have), they don’t really care if the system becomes unstable or bluescreens or anything else," asserts Rowan Trollope, Symantec’s VP of Consumer Products and Solutions. "So in fact PatchGuard works in favor of hackers in this case."

Sunbelt Software CEO Alex Eckelberry agrees with Symantec's conclusion. "Folks, this is a real issue. Microsoft has created a PR coup by “agreeing” to give APIs to security companies. It’s a red herring," he said. "The security industry needs full access to the kernel. Period."

Meanwhile, Microsoft Corp. announced this week it will spend about $7.5 billion in research and development in its 2007 fiscal year. Chief Executive Steve Ballmer made the claim Tuesday in Madrid, Spain: "I would estimate off the top of my head approximately half a billion of that will be spent in Europe," Ballmer said during a lunchtime speech that included a question-and-answer session.