Daily Archives: August 10, 2006

Security Vendors Want Less Security From Microsoft

When it comes to securing its products, Microsoft cannot win. If it fails to defend and protect its products properly, Microsoft will be rightly pilloried by its users in the consumer and enterprise markets. If it improves the security of its products, bolstering their inherent defenses and strengthening their capabilities to withstand and repel malware attacks, security vendors will run to the government complaining about anticompetitive practices.

If I were Microsoft, I’d put customers first and third-party security vendors a distant second.

A case in point is the controversy that has ensued around Microsoft’s PatchGuard, which the company designed to protect Windows kernels, including the forthcoming Vista kernel, from malicious code attacks. PatchGuard is relevant only to 64-bit versions of Windows. It debuted last year in Windows XP x64 Edition, but it will become more prevalent as Vista gets rolled out commercially throughout 2007.

According to an informative article that appears on CNET’s News.com, the problem that security vendors have with PatchGuard is that, by design, it bars their host-based intrusion-prevention products from gaining access to the Windows kernel. Host-based intrusion prevention (HIPS) products are an emerging class of security software that examine a program’s behavior to determine whether it is malicious instead of employing the traditional signature-based approach (as used in antivirus software, for example), which checks a program against a database of known threats. To work effectively, security vendors argue, HIPS offerings require access to the operating-system core.

Understandably, Microsoft isn’t about to allow unrestricted access to the kernels of its 64-bit operating systems. At least a few security vendors, including Symantec, appear to understand Microsoft’s reasoning, which should be self-evident even to those with the most rudimentary comprehension of computer security.

Remarks Bruce McCorkendale, a chief engineer at Symantec:

There is definitely a legitimate need to lock down the kernel. I don’t suggest they eliminate PatchGuard. What I am asking for is an exception. There are less restrictive means available, and we have proposed many solutions to Microsoft. But it has fallen on deaf ears.

Microsoft, however, opposes the proposal to make exceptions. Says Stephen Toulouse, a program manager in Microsoft’s Security Technology Group:

When you get into the concept of exceptions, you get on a slippery slope. What made a lot of sense to us is simply to restrict the kernel without exception, creating a level playing field that all of the vendors, including Microsoft, can then operate by.

Now that makes sense, even though security vendors allege that malicious hackers can circumvent PatchGuard to breach the kernel today. The security vendors say they will have to adopt hacker tactics, finding mechanisms to bypass PatchGuard, to ensure that their intrusion-prevention offerings can work with and on Vista.

Interestingly, Vlad Gorelik, chief technology officer at host-based intrusion-prevention vendor Sana Security, inadvertently makes a point I have made on this forum previously. Gorelik notes that, with the advent of PatchGuard, Microsoft is effectively taking control of security for the Windows core. He points out that, in the past, third parties also provided defenses for the kernel. Now, he contends, if PatchGuard is circumvented or disabled somehow, it will be Microsoft’s obligation to repair the flaw and ensure that Windows PCs are secure.

Think about what he’s saying. Essentially, Gorelik is indignant that Microsoft has the temerity to secure its own products. I have news for Mr. Gorelik and all the other third-party security vendors: That is what Microsoft should have been doing all along. An enormous third-party security industry never should have been allowed to grow in the shadow of Microsoft’s dereliction and neglect. It most definitely is Microsoft’s responsibility to defend and protect its software products from bugs, hackers, malware, and vulnerabilities. Third-party security firms do not possess a legal entitlement to make money from Microsoft’s negligence.

This is why I believe that, as long as Microsoft relies solely on PatchGuard and secure coding practices to shield the Vista kernel, host-based intrusion prevention vendors will have no legitimate recourse to go running to the Justice Department and the European Union for punitive or regulatory intervention, which is precisely what they are threatening to do.

The issue here isn’t application software, such as Web browsers or preloaded media players; we’re talking about integral system security, the provision of which should be incumbent on the vendors that develop the operating system and the programs that run on it. Security is not a market just like any other; it’s a responsibility of the vendors who build the operating systems and applications that we use. If they fail, we might have to seek protection elsewhere, but the so-called security industry should not be sheltered and sustained by misguided judicial or legislative measures that compel a software vendor to leave gaping security holes in its products. The absurdity of such a situation, if it were to arise, should cause us all to wonder whether we’ve completely taken leave of our critical and logical faculties.

If Microsoft were to enter the market for host-based intrusion prevention, though, with a product benefiting from selective exceptions that allowed it to bypass PatchGuard to access the kernel, well, that would be a different story. If that were to happen, the third-party security vendors would have an ethical and legal case, and Microsoft should be punished and then compelled to provide similar PatchGuard exceptions to other HIPS vendors. However, as long as that is not the case, I don’t see why Microsoft should heed this irrational bleating.

If Microsoft has done anything wrong here, it might have failed to communicate its intentions clearly to the security-vendor community regarding PatchGuard and its kernel security, as Gartner analyst John Pescatore suggests. Perhaps the message could have been delivered earlier and more cogently. Other than that, though, Microsoft seems to be on solid ground.

By trying to make its products more secure, Microsoft is acting in enlightened self-interest. It realizes that security was a black eye for the company, a sign that it didn’t care what happened to its customers or their computers after they had forked over their money for Microsoft’s products.

That not-so-benign neglect caused Microsoft no end of censure, embarrassment, ridicule, and vituperation. The company deserved all the condemnation and disparagement it got. Now it’s stepping up to the plate, taking on the security challenge with measures that should have been in place from the beginning.

Microsoft finally understands, at least when it comes to software security, that customer satisfaction matters. If only some of the vendors in the security industry could espouse the same philosophy.

Symantec’s Vista Trilogy Complete, Fears Sown

I don’t think anybody expects Microsoft’s forthcoming Vista release of the Windows operating system to be without its blemishes and flaws. No operating system is perfect, as the coders and executives at Microsoft have come to realize all too clearly. For Microsoft, security has been an especially acute problem, as evidenced by the endless stream of fixes that emanate from Redmond on Patch Tuesdays.

Still, Microsoft has made a determined, sustained effort to improve the security of its software products. You can see the commitment is genuine, and I don’t think anybody questions that security has become a paramount consideration in the design, development, delivery, and support of nearly every product in the company’s portfolio.

At long last, Microsoft is realizing that the security of its products isn’t something that ought to be subcontracted or left for others to provide. As a general principle, the software products developed and sold by a vendor should be as secure as possible, and that means the vendor itself should be held to account for providing a large measure of that security.

With security now a top-level priority at Microsoft, and with the company practicing secure coding of its products and looking to acquire companies and technologies that provide additional layers of defense and protection, what does that mean for companies who made their livings by filling the gaping security holes Microsoft previously left behind?

Well, it has meant they have had to diversify, for one thing. Symantec, McAfee, Trend, and others have had to redefine what it will mean for them to be security companies in a brave new world where Microsoft actually provides products and solutions that will be relatively well secured.

This is a major challenge for these companies, and as they scramble to find defense markets for future growth, they are encroaching on existing or emerging markets inhabited by other vendors, which in turn must devise strategies for their own survival and prosperity. I call that phenomenon “the Microsoft domino effect in the security market,” but the companies affected just call it trouble.

Meanwhile, security vendors must wage a defensive battle to slow Microsoft’s incursion into their territory. Since the best defense is a strong offense, and since Microsoft’s relationship to them has metamorphosed from partner to competitor, they must attack Microsoft’s security credibility at every opportunity. The idea is to make customers think twice about dropping their products in favor of the security offerings Microsoft is bringing to market.

It’s the equivalent of negative campaigning in politics, and sometimes it’s effective — for a while, and only under certain circumstances. These vendors know they’ll lose market share, but want to lose as little of it as possible while deferring the day of reckoning for as long as possible. Who can blame them?

Occasionally, though, in their fervor to defend the realm, they’ll seize on an obviously frivolous pretext, exposing their fear and loathing for all to see. Such is the case with an unprecedented series of reports Symantec has issued regarding the security of the Vista kernel. In a trilogy that won’t be adapted into a major motion picture, Symantec first examined Vista’s networking stack, then its user account-control features, and — with a final installment that arrived this week — its operating-system core. Not surprisingly, Symantec found bugs and weaknesses that could be exploited in all three areas. They didn’t find a lot of them, mind you, but they found enough to fill out their reports and attract some notice from press and analysts. That, of course, was the whole point of the exercise.

Every time Symantec issues one of these bug-hunting reports on an as-yet-unreleased operating system, Microsoft responds. Each time, the responses are similar. Microsoft points out that Vista hasn’t been released commercially yet, that Symantec was working from a relatively early beta version, and that the problems Symantec cites have been addressed or will be addressed before the operating system goes to market. Microsoft probably is right about its ability to address perceived breaches and squash bugs before Vista reaches market, but it’s definitely right about Symantec working from an early beta of an operating system that remains months away from being deployed anywhere of commercial significance.

It’s all a high-stakes game, folks. Symantec is just trying to create a climate of fear and confusion, one that will help keep the entirety of its ample security franchise intact and commercially productive for as long as possible.

IBM Pays $1.6 Billion in Cash to Acquire FileNet; ECM Market Consolidates Further

Despite the recently announced acquisition of Hummingbird by Open Text, the enterprise content management (ECM) market increasingly is being dominated by some of the biggest names in enterprise computing — IBM, Microsoft, EMC, and Oracle.

Smaller players are having to look for buyers among the big four. If that option isn’t available to them, they look for combinations with similarly endangered companies in the space. That’s the grim dynamic that drove Hummingbird into the hands of erstwhile competitor Open Text.

It isn’t going to get easier for the smaller fish in the ECM pond.

News came today that IBM has announced the acquisition of FileNet in an all-cash transaction for $1.6 billion. In buying FileNet’s shares for $35 each, IBM will pay a premium of just one percent on the closing price of $34.65 per share Wednesday night. FileNet shares have experienced an appreciation in value of more than 25 percent during the past month, including a sharp gain after the company reported its latest quarterly results in late July, so perhaps a premium already was built into the share price.

Nonetheless, despite quarterly financial results that stunned market analysts by eclipsing earnings expectations, FileNet’s executives could read the writing on the wall. Good results in one quarter don’t necessarily portend an indefinite run of similarly positive news, especially when the industry’s bigger guns are trained on your space. It was time for a move, and IBM was there, cash in hand.

Who’s next? Well, Stellent, Interwoven, and Vignette are still out there, as are an array of even smaller companies. Of the three, Stellent has the best shot of enduring as an independent player, but its relative strength also might make it attractive to a player such as Microsoft. Joining Microsoft as a potential acquirer of a remaining ECM company is Oracle.