
Microsoft under fire over Vista promises, IE 7 security

By Bill Brenner, Senior News Writer
20 Oct 2006 | SearchSecurity.com

Security Wire Daily News

Microsoft defended itself Friday against accusations of insincerity regarding its pledge to make Windows Vista compatible with third-party security software. The company was also forced to dispute a security firm's claim that the newly released Internet Explorer (IE) 7 contains a flaw.

On the Vista front, Gartner Inc. analyst Neil MacDonald claimed in an analysis Thursday that while Microsoft's plan to tweak Vista is a positive move, the process will take years and cause incompatibility problems in the short term.

Microsoft didn't address Gartner's assessment directly. But Ben Fathi, corporate VP of Microsoft's Security Technology Unit, probably added more fuel to the fire by saying the company's goal is to provide an initial set of documented, supported kernel interfaces in the Windows Vista SP1 timeframe.

In recent months Microsoft has tried to refute accusations from security vendors such as Symantec Corp. and McAfee Inc. that it was developing Windows Vista in a way that would lock out third-party security products. But last week it caved to pressure from security vendors and antitrust officials in Europe and promised to create additional APIs so rival vendors can access the operating system's core and, as a result, develop products that work more effectively with the operating system.

Christopher Thomas, a legal counselor for Santa Clara, Calif.-based McAfee Inc., fired off an angry statement Thursday accusing the software giant of hollow promises.

"Despite pledges, press conferences and speeches by Microsoft, the community of independent security companies that consumers rely on for computer protection has seen little indication that Microsoft intends to live up to the promises it made last week," Thomas said.

In response, Fathi dismissed McAfee's claims as "inaccurate and inflammatory," adding that Microsoft has "already taken a number of steps to provide McAfee and our other security partners with the information they need."

On the short-term issue of allowing third-party security alerts to replace Windows Security Center alerts, he said Microsoft made the documentation and sample code available to security partners Monday.

"At McAfee's request, we also emailed a second copy of the materials to a senior McAfee engineer at 2:07 p.m. Tuesday, Oct. 17," he said. "We followed up by providing the new builds of Windows Vista with this functionality on Wednesday, Oct. 18, and we held a conference call with McAfee personnel at noon Thursday, Oct. 19, to answer any remaining questions."

As the software giant defended itself against McAfee's claims, it was also forced to refute charges from Danish vulnerability clearinghouse Secunia that the newly released IE 7 has a security flaw.

In an advisory, Secunia said the vulnerability is caused by an error in how redirections for URLs with the "mhtml:" URI handler are processed. Attackers could potentially exploit the problem to disclose sensitive information, the firm added. It did deem the flaw "less critical," however.

Christopher Budd of the Microsoft Security Response Center said in the organization's blog that there is no IE 7 flaw. The issue Secunia warned of is actually a flaw in Outlook Express.

"The issue concerned in these reports is not in IE 7 or any other version at all," he said. "Rather, it is in a different Windows component, specifically a component in Outlook Express. While we are aware that the issue has been publicly disclosed, we're not aware of it being used in any attacks against customers."

He said Microsoft would continue to investigate.

Microsoft released IE 7 this week after a long beta process. The software giant has been touting significant security enhancements in the browser, including an anti-phishing feature.
