Joe Wilcox

For years, security software vendors have made a fat living off Microsoft's mistakes. Security vulnerabilities—and the fear of them—have kept some software developers in the money. So, is it any wonder that Symantec is tearing into Vista security?
Today, Symantec released a research paper, "Security Implications of Windows Vista," that raises some questions about the operating system's newfangled safety features.
Even Microsoft is making concessions. The company now acknowledges that UAC (User Account Control)—Vista's most high-profile security feature—is vulnerable to subversion, particularly through social-engineering tactics.
Microsoft concessions are one thing; Symantec assessments are another. If Microsoft improves security, whether within the operating system or through the release of its own technologies, some software developers are potentially looking at leaner times. Such a circumstance would seem to conflict out anything Symantec might have to say about Vista security.
"The Symantec research on Vista is very well written and researched; these aren't FUD [fear, uncertainty and doubt] pieces," said Andrew Jaquith, Yankee Group's program manager for Security Research. "But it's also clear that Symantec is engaging in 'opposition research.'"
While Symantec may also be trying to educate customers, "the primary reason is to show that their products still have relevance in the new world of Vista," Jaquith emphasized.
My colleague Jim Rapoza aptly describes the relationship of security vendors to Microsoft as "the Lion and the mice."
"Microsoft needs all the little mice around to remove thorns and generally take care of tasks that the lion can't take care of itself. And the mice get to live off the food that the lion gets," Jim explains. But those pesky mice "constantly live in fear that the lion will eat them or, in Microsoft's case, go into the software vendor's market and take it away from them."
The mice's fear is real with respect to security, because Microsoft is doing more than improving Windows security. The company is now a full-blown competitor in the consumer and business security markets with products like Forefront and Windows Live OneCare.
Microsoft the security competitor stands in a conflicted position, too. Surely, the company wants to put the best security perspective forward.
"Symantec's research is beneficial to customers because it is a useful corrective to Microsoft's security message," Jaquith said. While Vista security is improved over Windows XP, "it's useful to have an outside view of where the gaps are."
While the Symantec paper praises Vista security, its criticisms are brutal—for their clarity and foreboding:
"Many of the technologies that Microsoft has employed to bolster the security of Windows Vista are not new. In fact, most are derived from the groundwork originally laid by open-source operating systems such as Linux and OpenBSD, the PaX and Stackguard projects, as well as numerous academic publications. The majority of these technologies first appeared in Windows XP SP2 [Service Pack 2]. Windows XP SP2, at the time of its release, was also billed as the most secure version of Windows."
The report praises these earlier security enhancements as already having a positive impact on Windows security, perhaps to a fault.
"Symantec has seen an increase in the number of attacks that focus on the applications that run on top of the operating system, such as office productivity suites and Web browsers," according to the report. "While Microsoft has invested heavily in protecting the core operating system, attackers have already moved on."
The application layer and Web layer threat is one of the hottest topics in security. A Feb. 7 report, "Know your Enemy: Web Application Threats," by the Honeypot Project, is one primer on the topic.
A surge in ActiveX and zero-day vulnerabilities is indicative of a trend. As more attacks focus on applications, Microsoft will need to shift its security busywork into new areas.
Similarly, Symantec has identified legitimate areas of Vista security concern, such as legacy applications, new networking features and UAC. Even areas of improvement are just steps in pace with criminals.
"Vista reduced the threat of malware by over 95 percent compared to XP," Jaquith said. "Although these results are good news, the Windows malware economy won't go down without a fight. Like a football team aiming at the opposition quarterback's weak knee, professional malware writers will find and exploit Vista vulnerabilities wherever they may be."
Security software developers like Symantec should still be able to grow fat off Microsoft woes, for a while, anyway.
For now, Microsoft's security advances—whether in the operating system or in its own competing software—don't conflict out the validity of Symantec's Vista assessment.
On the contrary, "Symantec's research broadly validates our view," Jaquith said.