McAfee cries foul over Vista security

Top executives from the security firm McAfee went on the offensive Monday against Microsoft, saying Vista will be even less secure for customers than previous versions of Windows.

The day after McAfee took out a full-page advertisement in the Financial Times to publicly air its grievances over the security of Vista, McAfee Chairman and Chief Executive Officer (CEO) George Samenuk, Vice President and Chief Scientist George Heron and Chief Security Architect John Viega delivered the same message in person in New York.

"We are disturbed by the fact that with Vista, end customers will be less secure," Samenuk said. "Customers trust us ... To erode that trust would hurt all Internet users, all PC users. I don't think Microsoft wants that, nor does McAfee want that."

Two security elements in Vista fare chief among McAfee's concerns, executives said.

In Vista, Microsoft is locking down the kernel of the OS through a feature called PatchGuard on 64-bit versions. Microsoft's argument is that this will keep miscreants out of the OS and prevent the incidence of attacks, and it is something for which customers have been asking.

"Fooling around with the kernel while it's running is like changing the sparkplugs on your car when the engine is running," said Stephen Toulouse, a senior product manager at Microsoft. "It's never been a good thing for users."

But McAfee said since PatchGuard also prevents third-party security companies from getting inside the OS, they can't activate crucial security measures in their software to protect the OS from intruders.

PatchGuard is not new in Vista, said Bruce McCorkendale, a distinguished engineer with McAfee competitor Symantec Corp., which shares McAfee's consternation over the feature. He said Symantec has been petitioning for Microsoft to change the feature since the company introduced it in its 64-bit version of Windows XP, but the company will not budge.

"If you ask any security vendor that offers advanced protection, you'd get the same answer [about PatchGuard]," McCorkendale said. "It's just inhibiting the way security vendors do their jobs."

However, according to Jupiter Research, only 5 percent of companies with 100 employees or more are running Windows XP in its 64-bit version, and that adoption is not supposed to ramp up significantly anytime soon, said analyst Joe Wilcox.

"If this new [feature] affects 64-bit only and nobody is using 64-bit, what's the problem?" he said.

The other big concern with Vista for McAfee lies in a new security interface called Windows Security Center (WSC). Microsoft will not allow this interface to be turned off, so McAfee and other third-party users can't install their own security-management consoles on Vista machines, executives said.

McAfee's argument is that third-party security products can better detect potential or existing security problems that Vista inherently can, and unless those can be surfaced through the interface, users will not be alerted to them, Viega said.