Security vendors face Microsoft tipping point

Posted on 10 Oct 2005 at 18:00

Microsoft's announcement last week that it is to include its antivirus engine free within its upcoming Antigen product may mark a turning point in the security industry.

Since Microsoft has been consistently in the spotlight over security issues with its products, it has thrown a lot of muscle behind wrestling the problem. So much so, that it is fast becoming the antivirus industry that is the first point of attack for virus writers.

At this year's Virus Bulletin conference in Dublin, Maik Morgenstern of AV-Test pointed out that the SANS top 20 Internet Security Vulnerabilities list contains the likes of Symantec, Trend Micro, McAfee and F-Secure among those whose products are affected.

Conversely, Microsoft's work appears to be paying off. By the end of last year Common Vulnerabilities and Exposures (CVE) advisories for Microsoft products had fallen from 2003, when there were around three times the number compared with those that affected the security vendors, and is now on a par.

This trend looks set to continue, if only because the virus signature databases that antivirus vendors have to update can only grow as time goes on. Microsoft has now moved to monthly reports during which it will only release security patches it knows won't cause any further problems with its products. An antivirus vendor has to shove out a fix within hours of discovering a new virus. And it's clear which is the most robust method.

'In addition to the usual causes of bugs and security flaws in software, there are a few specific causes in security software,' said Morgenstern. 'The massive amount of updates is the most important, causing problems for both the vendor and the user. The vendor needs to make sure every update is ok and doesn't introduce new security issues, while the user doesn't, or just can't, trust newly released updates.'

In fact there's probably no other software on your computer that you happily allow free access to the Internet to download code that has been put together in hours and delivered as a customer-ready update.

That's not to say you'd be better off without antivirus software, but the need for protecting against new viruses quickly must surely work against the ability to write secure code.

The proof is in the eating. And as an example, both Trend Micro and McAfee have suffered this year from errors in the way their products decompressed some of the packer formats used by virus writers to circumvent antivirus scanners, says Morgenstern.

Now that Microsoft is entering this game, and offering its antivirus engine free to Antigen customers, it will set something of a benchmark for the rest of the industry - and perhaps quite a high one given the resources it has to throw at overcoming the issue of timeliness versus testing.

Alexey Zernov, Corporate Communications Manager at Moscow-based Kaspersky said: 'In general, Microsoft's movement to the security solutions included as an essential part of its platforms will greatly affect the market landscape. The quality of information security from Microsoft will become some kind of a barrier for other developers of electronic threats protection products. If they are able to provide better products in terms of quality, exceeding the 'survival level' stated by Microsoft they'll stay in the market. If not, they'll either have to leave the market of Windows security applications, or shift to other technologies of information protection services. In any way, this initiative is a serious test for many vendors, and some of them may not pass it.'