Microsoft, McAfee trade barbs over Vista

Microsoft Corp. on Friday defended the process for disclosing key security information about its upcoming Vista operating system after security vendors continued to complain it's too slow and not detailed enough.

On Monday, Microsoft released APIs to allow other security software to shut down the Security Center management console, the company's own monitoring panel that will be included with the Vista OS.

Symantec Corp. and McAfee Inc. had complained that the Security Center would confuse consumers who use their software, since their software has its own management console.

After pressure from European regulators, Microsoft also addressed another complaint, regarding Kernel Patch Protection (KPP), a technology that blocks access to the kernel -- the core code in Windows. The feature, on the 64-bit version of Vista, is intended to halt invasive software such as rootkits from burrowing into the OS.

But security companies complained that access to the kernel is necessary for certain security features. Microsoft relented, but said it could be a while before those APIs could be released, due to the complexity of the documentation. Microsoft said the APIs could be released in Service Pack 1 for Vista, but service packs for other versions of Windows took up to a year to come out.

The situation was further exacerbated on Thursday when a scheduled Microsoft conference call with security vendors on KPP failed due to a technical problem. Late Thursday McAfee complained again about Microsoft's response to security vendor issues, with an outside McAfee counsel issuing a statement blasting Microsoft's "hollow assurances."

On Friday, Microsoft returned fire.

"It's unfortunate that McAfee's lawyers are making these kinds of inaccurate and inflammatory statements," Ben Fathi, a Microsoft vice president who deals with security, said in a statement. "We've already taken a number of steps to provide McAfee and our other security partners with the information they need."

Fathi went on to detail Microsoft's e-mail and phone correspondence with McAfee about Security Center this week, writing that Microsoft remains open to answer questions. McAfee officials were unable to immediately comment on Friday.

But McAfee is joined by other security vendors unhappy they will have to wait for the kernel APIs.

"We've contacted Microsoft to try to get this sorted out," wrote Mikhail Penkovsky, director of sales and marketing for Agnitum Ltd., a firewall and network security vendor, on the company's blog. "Microsoft has made a positive decision -- but we don't have the (KPP) API yet to analyze it."