Microsoft hands Vista code to security vendors

Microsoft has taken the first step toward addressing complaints made by security vendors Symantec Corp. and McAfee Inc., which had feared that the software giant's upcoming Vista operating system would harm their customers.

On Monday, Microsoft released API (application programming interface) code that will allow security vendors to disable the Security Center management console that will ship with Vista. Symantec and McAfee had complained that without the ability to disable this software, Vista users who had purchased their products would receive duplicate and confusing security messages.

The APIs are being released via several of Microsoft's security partner programs, including the SecureIT Alliance and the Microsoft Security Response Alliance, said Adrien Robinson, a director with Microsoft's Security Technology Unit.

Symantec had brought this and other complaints to the European press recently and was clearly hoping to pressure the European Commission into forcing Microsoft into changes.

On Friday, Microsoft announced that it would make the changes that McAfee and Symantec had been seeking. Monday's API release is the first step in this direction.

However, it appears that it may be as long as a year before Microsoft addresses a second concern, relating to a technology called PatchGuard that Symantec and McAfee say will make their products less secure on some Windows systems.

PatchGuard is designed to prevent software from accessing the core of the Windows operating system, called the kernel.

Although PatchGuard is not used by Vista when it is running in 32-bit mode, it will lock many types of software, including Symantec's, out of the kernel on 64-bit versions of the operating system. The security vendors wanted Microsoft to give them some way to access the 64-bit kernel, saying that this high-level access was required in order to activate critical security features.

Most Vista users are expected to run Vista in 32-bit mode when it first ships, but the 64-bit version is expected to eventually become more widely adopted because its ability to process data in larger, 64-bit chunks will give it a performance edge.

Microsoft has now pledged to create new APIs for Vista that will allow vendors like Symantec to get around PatchGuard.

Those APIs will be complex, however, and it will take time for them to be developed, Robinson said. Microsoft expects to roll out this functionality in the first major "service pack" update to Vista. No timeline has been set for Vista SP 1, but if history is a guide, it could be a year away. Microsoft rolled out its first service pack for Vista's predecessor, Windows XP, nearly one year after the software's introduction.

Robinson left open the possibility that the kernel APIs could also be released ahead of Vista SP 1. "If we can do something sooner, then we'd like to do that as well," she said.