Microsoft under fire over Vista promises, IE 7 security

Microsoft says Vista kernel access would come with SP1, and Gartner predicts years of compatibility problems. Meanwhile, claims of an IE 7 vulnerability surface.

Microsoft defended itself Friday against accusations of insincerity regarding its pledge to make Windows Vista compatible with third-party security software. The company was also forced to dispute a security firm's claim that the newly released Internet Explorer (IE) 7 contains a flaw.

On the Vista front, Gartner Inc. analyst Neil MacDonald claimed in an analysis Thursday that while Microsoft's plan to tweak Vista is a positive move, the process will take years and cause incompatibility problems in the short term.

Microsoft didn't address Gartner's assessment directly. But Ben Fathi, corporate VP of Microsoft's Security Technology Unit, probably added more fuel to the fire by saying the company's goal is to provide an initial set of documented, supported kernel interfaces in the Windows Vista SP1 timeframe.

In recent months Microsoft has tried to refute accusations from security vendors such as Symantec Corp. and McAfee Inc. that it was developing Windows Vista in a way that would lock out third-party security products. But last week it caved to pressure from security vendors and antitrust officials in Europe and promised to create additional APIs so rival vendors can access the operating system's core and, as a result, develop products that work more effectively with the operating system.

Christopher Thomas, a legal counselor for Santa Clara, Calif.-based McAfee Inc., fired off an angry statement Thursday accusing the software giant of hollow promises.

"Despite pledges, press conferences and speeches by Microsoft, the community of independent security companies that consumers rely on for computer protection has seen little indication that Microsoft intends to live up to the promises it made last week," Thomas said.

In response, Fathi dismissed McAfee's claims as "inaccurate and inflammatory," adding that Microsoft has "already taken a number of steps to provide McAfee and our other security partners with the information they need."

On the short-term issue of allowing third-party security alerts to replace Windows Security Center alerts, he said Microsoft made the documentation and sample code available to security partners Monday.

"At McAfee's request, we also emailed a second copy of the materials to a senior McAfee engineer at 2:07 p.m. Tuesday, Oct. 17," he said. "We followed up by providing the new builds of Windows Vista with this functionality on Wednesday, Oct. 18, and we held a conference call with McAfee personnel at noon Thursday, Oct. 19, to answer any remaining questions."

As the software giant defended itself against McAfee's claims, it was also forced to refute charges from Danish vulnerability clearinghouse Secunia that the newly released IE 7 has a security flaw.

In an advisory, Secunia said the vulnerability is caused by an error in how redirections for URLs with the "mhtml:" URI handler are processed. Attackers could potentially exploit the problem to disclose sensitive information, the firm added. It did deem the flaw "less critical," however.

Christopher Budd of the Microsoft Security Response Center said in the organization's blog that there is no IE 7 flaw. The issue Secunia warned of is actually a flaw in Outlook Express.

"The issue concerned in these reports is not in IE 7 or any other version at all," he said. "Rather, it is in a different Windows component, specifically a component in Outlook Express. While we are aware that the issue has been publicly disclosed, we're not aware of it being used in any attacks against customers."

He said Microsoft would continue to investigate.

Microsoft released IE 7 this week after a long beta process. The software giant has been touting significant security enhancements in the browser, including an anti-phishing feature.
