Microsoft security strategy under attack

'Don't worry about AV vendors, sort your own products out...' says Gartner analyst

Tags: strategy, microsoft, gartner, flaw

By Munir Kotadia

Published: 21 February 2005 08:45 GMT

Microsoft should be concentrating on securing Windows so it no longer needs an antivirus product instead of trying to squeeze established AV vendors out of the market, according to Gartner.

Microsoft has bought two antivirus companies and an anti-spyware company - the latter acquisition has already produced an anti-spyware application for Windows - since Bill Gates launched the Trustworthy Computing Initiative, which changed coding practices to make security Microsoft's first priority.

However, Gartner analyst Neil MacDonald said in an advisory on Friday that Microsoft has "missed an opportunity" to clarify its position in the security market by not stating its intentions. He said the company needs to "articulate whether it plans to be a leader in consumer and enterprise security solutions across desktop, server and server gateway".

"Microsoft's overriding goal should be to eliminate the need for AV and AS products, not simply to enter the market with lookalike products at lower prices," said MacDonald.

In the advisory, MacDonald predicts that Microsoft will launch a combined antivirus and anti-spyware product mid-2005, which will directly compete with established products such as Norton Antivirus from Symantec.

"This move will challenge antivirus vendors that depend heavily on revenue from consumers, such as Symantec, and vendors that derive substantial revenue from upselling enterprises to antivirus product suites that include desktops and servers, such as McAfee and Computer Associates," said MacDonald.

However, James Turner, security analyst at Frost & Sullivan, told silicon.com's sister site ZDNet Australia that Microsoft's security strategy is a "commercially sensitive" area and the company is not obliged to reveal its strategy.

"The fact is that Microsoft have purchased a number of security oriented companies, anti-spyware and antivirus. You don't buy a number of companies for the fun of it. This is part of a long term strategy," said Turner.

Additionally, Turner said Microsoft's attitude to security has changed since the launch of its Trustworthy Computing Initiative. He cites the company's response to the recent attack on MSN Messenger.

"You don't just judge a company by what they say, you also judge them by what they do. Microsoft's recent clampdown on MSN Messenger to repair the vulnerabilities there is a clear sign that Microsoft can mobilise very quickly when something is completely within its control. If Microsoft was ignoring security the market would punish it and so would the legal system," said Turner.

Gartner's MacDonald also attacked Microsoft's decision to create an updated version of Internet Explorer (7.0) only for Windows XP, hinting that the only reason behind the decision is to force enterprises to upgrade from Windows 2000.

"The decision to restrict IE 7.0 to the XP platform also suggests that Microsoft wants to force users of older platforms to upgrade if they want improved security. If Microsoft wishes to be seen as a responsible industry leader in maintaining security for its products and its customers, it should provide IE 7.0 for Windows 2000 users."

"Furthermore, instead of making more evolutionary security improvements to IE, Microsoft should announce that it will fundamentally re-architect IE with security in mind," said MacDonald.

The Gartner advisory concludes with recommendations that are likely to cause some concern to traditional antivirus vendors.

According to Gartner, companies should demand that their antivirus provider offers an enterprise-class solution - including anti-spyware - at no cost by the end of this year. Gartner also advises companies to demand a "converged desktop security product with antivirus, anti-spyware, personal firewall and behaviour blocking at a total price no more than 20 percent higher than what you now pay for standalone AV."

Neither Microsoft nor Symantec was available for comment.

Munir Kotadia writes for ZDNet Australia.
