Microsoft scrutinised for IE 7 flaw and broken Vista promises

Microsoft says Vista kernel access would come with SP1, and Gartner predicts years of compatibility problems. Meanwhile, claims of an IE 7 vulnerability surface.

This article originally appeared on

Microsoft defended itself Friday against accusations of insincerity regarding its pledge to make Windows Vista compatible with third-party security software. The company was also forced to dispute a security firm's claim that the newly-released Internet Explorer (IE) 7 contains a flaw.

On the Vista front, Gartner analyst Neil MacDonald claimed in an analysis Thursday that while Microsoft's plan to tweak Vista is a positive move, the process will take years and cause incompatibility problems in the short term.

Microsoft didn't address Gartner's assessment directly, but Ben Fathi, corporate vice-president of Microsoft's Security Technology Unit, probably added more fuel to the fire by saying the company's goal is to provide an initial set of documented, supported kernel interfaces in the Windows Vista SP1 timeframe.

In recent months Microsoft has tried to refute accusations from security suppliers such as Symantec and McAfee that it was developing Windows Vista in a way that would lock out third-party security products. But last week it caved to pressure from security suppliers and anti-trust officials in Europe and promised to create additional APIs so rival suppliers can access the operating system's core and, as a result, develop products that work more effectively with the operating system.

Christopher Thomas, a legal counselor for McAfee, fired off an angry statement Thursday accusing the software firm of hollow promises.

"Despite pledges, press conferences and speeches by Microsoft, the community of independent security companies that consumers rely on for computer protection has seen little indication that Microsoft intends to live up to the promises it made last week," Thomas said.

In response, Fathi dismissed McAfee's claims as "inaccurate and inflammatory," adding that Microsoft has "already taken a number of steps to provide McAfee and our other security partners with the information they need."

On the short-term issue of allowing third-party security alerts to replace Windows Security Center alerts, he said Microsoft made the documentation and sample code available to security partners Monday.

"At McAfee's request, we also emailed a second copy of the materials to a senior McAfee engineer at 2:07pm, Tuesday, 17 October," he said. "We followed up by providing the new builds of Windows Vista with this functionality on Wednesday, 18 October, and we held a conference call with McAfee personnel at noon Thursday, 19 October to answer any remaining questions."

As Microsoft defended itself against McAfee's claims, it was also forced to refute charges from Danish vulnerability clearinghouse Secunia that the newly released IE 7 has a security flaw.

In an advisory, Secunia said the vulnerability is caused by an error in how redirections for URLs with the "mhtml:" URI handler are processed. Attackers could potentially exploit the problem to disclose sensitive information, the firm added. It did deem the flaw "less critical," however.

Christopher Budd of the Microsoft Security Response Center said in the organisation's blog that there is no IE 7 flaw. The issue Secunia warned of is actually a flaw in Outlook Express.

"The issue concerned in these reports is not in IE 7 or any other version at all," he said. "Rather, it is in a different Windows component, specifically a component in Outlook Express. While we are aware that the issue has been publicly disclosed, we're not aware of it being used in any attacks against customers."

He said Microsoft would continue to investigate.

Microsoft released IE 7 this week after a long beta process. The software firm has been touting significant security enhancements in the browser, including an anti-phishing feature.
