A week is a long time in politics. It's even longer in computer security.
In the space of a few days in October, it emerged that Symantec chatted to European Union regulators about the state of the security market; prompting suggestions that Microsoft was under scrutiny for alleged bundling and unfair competition by the EU, with whom it has crossed swords in the past.
But by the end of the week, Symantec was insistent it had not ‘whined’ to the EU or Department of Justice, and said it would compete through its products, but not in the courts.
In the intervening days, Microsoft addressed the small matter of 14 flaws in Windows with a series of fixes, and Symantec warned at a Virus Bulletin conference in Dublin, that spyware was becoming ‘increasingly pernicious and sophisticated’, and users are still failing to take basic steps to protect themselves against the threat. It is precisely this sort of threat that both Microsoft and Symantec, plus every other vendor for that matter, has to address.
It is possible to see the leak of its ‘discussion’ with the EU as a warning shot across Microsoft’s bows from Symantec, ironically one of Microsoft’s key partners in the newly set-up SecureIT Alliance, created to enable participating security partners to efficiently integrate their solutions with the Microsoft platform.
There is little doubt among Microsoft's partners and competitors that the company will bundle some key security software elements into the next iteration of the Windows operating system, dubbed
, due out next year.
Microsoft already has a series of new security initiatives underway: a consumer security-subscription service dubbed Windows OneCare; a Windows AntiSpyware product; and a new Windows Client Protection enterprise spyware product that would help protect business desktops, laptops and file servers from current and emerging malware threats. But it has yet to make clear its distribution plans.
Recently, Microsoft outlined its strategy and product road map to help secure the breadth of its customers from home PC users to businesses of all sizes.
Recognising there is no single solution to resolve all security and safety issues, Microsoft said it will continue to make significant investments in technology to help customers mitigate their security risks. These efforts will include ensuring the highest degree of quality in Microsoft software, perhaps importantly, delivering new security technology innovations in the Windows platform, and security products and services that will evolve to meet future security needs.
Microsoft’s operating systems have always had some security flaws – vulnerabilities - in them, which hackers and virus-writers have eagerly exploited. With the new operating system out next year, Microsoft is trying to ensure that it thinks ahead about security, buys up the products (and companies) it needs, such as Giant Software to provide anti-spyware, and Sybari to provide a server level anti-virus product, and embeds that security in the operating system.
It is those offerings wrapped up and bundled within Windows that has Symantec worried, even if it is coy about saying as much.
Some have sympathy for Microsoft, saying it is being hung out to dry when it is trying to address the problem. It is damned if its operating systems are insecure, and equally damned if it appears to be taking corrective action.
Les Fraser, security development consultant to the British Computer Society, believes that security threats have now become so prevalent and complex, that security has to be tackled differently.
“There are now too many viruses and too many antivirus signatures to combat them, and the time between vulnerabilities being found and exploited is now down to 24 hours. One upon a time, you bought Dr Solomon’s antivirus toolkit, and then updated it quarterly. Now, you could update antivirus definitions more than once a day.”
To prove the point, Immunity. a Miami-based security research firm, this week released a proof-of-concept exploit taking advantage of a flaw in the Microsoft Distributed Transaction Coordinator (MSDTC) service within the Windows 2000 operating system, within hours of the flaw being disclosed by Microsoft. The flaw, which some analysts described as being “highly wormable,” allows attackers to take complete administrative control of compromised Windows 2000 servers.
Fraser believes that any anticompetitive action may be misdirected, because the issue is not competition, but security. And anything that improves user security – holistically, in the building of the operating system - perhaps overrides competition queries.
“You have to ask yourself whether the security industry is a long-term industry that should be regulated. Or whether it is a short-term opportunity taking remedial action against a function of the operating system. We are not dealing with a few hackers trying to prove a point. Denial of service threats, phishing and sophisticated spyware are being delivered by people and organisations, including organised crime, with the motive of financial gain. We have to go back to the operating systems, and Windows, UNIX and Linux have to fix their security issues.”
Fraser suggests that though Microsoft has had to pay $460m to RealNetworks to settle antitrust claims after RealNetworks alleged Microsoft abused its “monopoly power to restrict how PC makers install competing media players”, security is a different issue.
“There is a difference in importance between what you need on your system to ensure it is secure, and what player you need to play music files.”
And he has some sympathy with vendors who find that once their products are out in the marketplace, they are routinely highlighted for their insecurity by people hell-bent on proving a security hole exists.
“As a security guy, you’ve never going to win. You’ll work from 9 to 5 to ensure a product is secure. But someone else is going to work 24 hours to try and undermine it. Who’s going to win that battle?”
There’ll only one be winner of course, and it won’t be the good guys. Over the next year, until
’s released, you can expect a few (hundred) more headlines over its security. Meanwhile, the code-crackers and criminals will be rubbing their hands in anticipation of more holes to find - and vulnerabilities to exploit.