McAfee cries foul over Vista security features

The day after McAfee took out a full-page advertisement in the Financial Times to publicly air its grievances over the security of Vista, McAfee Chairman and Chief Executive Officer (CEO) George Samenuk, Vice President and Chief Scientist George Heron and Chief Security Architect John Viega delivered the same message in person in New York.

"We are disturbed by the fact that with Vista, end customers will be less secure," Samenuk said. "Customers trust us ... To erode that trust would hurt all Internet users, all PC users. I don't think Microsoft wants that, nor does McAfee want that."

Two security elements in Vista fare chief among McAfee's concerns, executives said.

In Vista, Microsoft is locking down the kernel of the OS through a feature called PatchGuard on 64-bit versions. Microsoft's argument is that this will keep miscreants out of the OS and prevent the incidence of attacks, and it is something for which customers have been asking.

"Fooling around with the kernel while it's running is like changing the sparkplugs on your car when the engine is running," said Stephen Toulouse, a senior product manager at Microsoft. "It's never been a good thing for users."

But McAfee said since PatchGuard also prevents third-party security companies from getting inside the OS, they can't activate crucial security measures in their software to protect the OS from intruders.

PatchGuard is not new in Vista, said Bruce McCorkendale, a distinguished engineer with McAfee competitor Symantec Corp., which shares McAfee's consternation over the feature. He said Symantec has been petitioning for Microsoft to change the feature since the company introduced it in its 64-bit version of Windows XP, but the company will not budge.

"If you ask any security vendor that offers advanced protection, you'd get the same answer [about PatchGuard]," McCorkendale said. "It's just inhibiting the way security vendors do their jobs."

However, according to Jupiter Research, only 5 percent of companies with 100 employees or more are running Windows XP in its 64-bit version, and that adoption is not supposed to ramp up significantly anytime soon, said analyst Joe Wilcox.

"If this new [feature] affects 64-bit only and nobody is using 64-bit, what's the problem?" he said.

The other big concern with Vista for McAfee lies in a new security interface called Windows Security Center (WSC). Microsoft will not allow this interface to be turned off, so McAfee and other third-party users can't install their own security-management consoles on Vista machines, executives said.

McAfee's argument is that third-party security products can better detect potential or existing security problems that Vista inherently can, and unless those can be surfaced through the interface, users will not be alerted to them, Viega said.

Some believe security vendors are crying foul over Vista because Microsoft's ability to control security features of the OS is a threat to their livelihood. Companies such as McAfee and Symantec have all but built their businesses on the fact that Windows is inherently insecure, and add-on security software is needed to protect it from intrusion.

"Historically, when Microsoft has gotten into a market, the number of competitors goes down," Wilcox said.

However, he said there is a legitimate concern, supported by precedence, that not only will vendors be pushed out of the market, but there will be less innovation in Windows security products and more problems will arise.

Wilcox cited Internet Explorer as an example of an area in which Microsoft beat competitors, but then did not innovate on the product until it faced competition once again.

"Microsoft won the browser war and for years abandoned the territory," Wilcox said.

If Microsoft successfully reduces the number of competitors by building security into Windows, it might also become lackadaisical about security improvements, thus opening the OS up to more attacks.