Microsoft has bought two antivirus companies and an antispyware company -- the latter acquisition has already produced an antispyware application for Windows -- since Bill Gates launched the Trustworthy Computing Initiative, which changed coding practices to make security Microsoft's first priority.
However, Gartner analyst Neil MacDonald said in an advisory on Friday that Microsoft has "missed an opportunity" to clarify its position in the security market by not stating its intentions. He said the company needs to "articulate whether it plans to be a leader in consumer and enterprise security solutions across desktop, server and server gateway".
"Microsoft's overriding goal should be to eliminate the need for AV and AS products, not simply to enter the market with lookalike products at lower prices," said MacDonald.
In the advisory, MacDonald predicts that Microsoft will launch a combined antivirus and anti-spyware product mid-2005, which will directly compete with established products such as Norton Antivirus from Symantec.
"This move will challenge antivirus vendors that depend heavily on revenue from consumers, such as Symantec, and vendors that derive substantial revenue from up-selling enterprises to antivirus product suites that include desktops and servers, such as McAfee and Computer Associates," said MacDonald.
However, James Turner, security analyst at Frost & Sullivan, told ZDNet UK sister site ZDNet Australia that Microsoft's security strategy is a "commercially sensitive" area and the company is not obliged to reveal its strategy.
"The fact is that Microsoft have purchased a number of security oriented companies, anti-spyware and antivirus. You don't buy a number of companies for the fun of it. This is part of a long term strategy," said Turner.
Additionally, Turner said Microsoft's attitude to security has changed since the launch of its trustworthy computing initiative. He cites the company's response to the recent attack on MSN Messenger.
"You don't just judge a company by what they say, you also judge them by what they do. Microsoft's recent clamp down on MSN Messenger to repair the vulnerabilities there is a clear sign that Microsoft can mobilise very quickly when something is completely within its control. If Microsoft was ignoring security the market would punish it and so would the legal system," said Turner.
Gartner's MacDonald also attacked Microsoft's decision to only create an updated version of Internet Explorer (version seven) for Windows XP, hinting that the only reason behind the decision is to force enterprises to upgrade from Windows 2000.
"The decision to restrict IE 7.0 to the XP platform also suggests that Microsoft wants to force users of older platforms to upgrade if they want improved security. If Microsoft wishes to be seen as a responsible industry leader in maintaining security for its products and its customers, it should provide IE 7.0 for Windows 2000 users.
"Furthermore, instead of making more evolutionary security improvements to IE, Microsoft should announce that it will fundamentally rebuild IE with security in mind," said MacDonald.
The Gartner advisory concludes with recommendations that are likely to cause some concern to traditional antivirus vendors.
According to Gartner, companies should demand that their antivirus provider offers an enterprise-class solution -- including anti-spyware -- at no cost by the end of this year. Gartner also advises companies to demand a "converged desktop security product with antivirus, anti-spyware, personal firewall and behaviour blocking at a total price no more than 20 percent higher than what you now pay for standalone AV."
Neither Microsoft or Symantec were available for comment.
Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.
Talkback
If you can't trust Microsoft to produce an operating system which is secure, are you really going to trust their security products?
They should concentrate on tightening up the operating system so that AV and AS products are a "comfort" feature, something there that tells you everything is still running fine, as opposed ot the current situation where these types of products are a necessity for Windows systems.
They need to look at where their competitors (*nix platforms such as Solaris, AIX, BSD, Mac OS X and Linux) draw their strengths and where Windows has the biggest problems. The default operating environment of having the default user as a System Owner or Administrator is fool-hardy in the extreme, and trying to restrict users to un-empowered accounts doesn't work for a lot of products, including some market leading security products which should know better, because the products expect to have administration privileges and fail to work without them (OK, it is acceptable that an application needs Administrative privileges to be installed, but an AV product that can't get updates or do a system scan unless the administrator is logged on defeats the whole point of having security on the system).
Most other operating systems are designed from the ground up to operate with users in restrictive environments, temporarily promoting themselves when they need to do some administrative task (and then only the Admins will have the passwords to do this). And if this is the way the system is supposed to work, then the applications written for the system will, mostly, also work this way.
Why would you spend money on an off-the-shelf operating system from Microsoft if you see a Microsoft product on the same shelf telling you that it was a must-buy anti-virus/spyware product for the security failings of the said Microsoft operating system? Security ought to be built-in, not a "Microsoft Plus"-style additional cost!
Perhaps today's anti-virus and anti-spyware vendors should learn from Microsoft's historic examples. Meaning:
- "motivate" their current customers into 3 years or longer license contracts with lots of legal footprints that can later on be turned into extra revenue
- "motivate" potential new competitors (like Microsoft) to look for revenue elsewhere or else anti-virus products will begin having troubles and work less then expected on, say, Windows systems
- (almost) giving away add-on functionality software that integrates so thightly with everything else it'll be nearly impossible to replace a single thing without breaking the whole system down
- get a legal grip on resellers and the like by making them sign contracts that'll demand a premium per sold item regardless of what product is actually sold with it
- sponser all sorts of ïndependant researchers that'll make look Microsoft's products worser then spam itself
- partner with other vendors to help kill a combined competitor and once that done kill the partner
- hire lobbiests to inspire the EU into signing a law that prohibits the combined use of an OS and anti-whatever from the same vendor
- give dozens of schools free software and what not so later on the kids will know nothing else then what you want them to like and understand
- etc
Ofcourse, this all would be highly illegal behaviour but then again it's likely it'll produce a lot of profit and a locked-in customer base that, after several years in court, will end in having to pay a fine of, say, less then 1% of the total profits gained.