"It's unfortunate that McAfee's lawyers are making these kinds of inaccurate and inflammatory statements," Fathi's statement opens, apparently referring specifically to claims made against Microsoft's forthcoming 64-bit kernel protection scheme before the European Commission, and not to open letters from McAfee executives published by the Financial Times and ZDNet.
While McAfee and Symantec have been complaining publicly that Microsoft's new architectural choices lock them out of being able to provide heuristic security features for anti-virus and anti-malware products, privately, McAfee's complaint is that Microsoft is failing to provide its partners with the information necessary to enable them to alert users to vulnerabilities using their own tools, rather than Microsoft's.
European news sources this morning cite McAfee attorneys in Brussels as saying that Microsoft has failed to live up to its "hollow assurances" of providing this information to security partners.
Fathi's statement continues with a timeline, down to the minute, of delivery times when McAfee received documentation and sample code from Microsoft last Monday and Tuesday. This code apparently gives vendors new APIs for providing users with their own security alerts, in place of Microsoft's. A new build of Vista, Fathi said, which incorporates this third-party alert system, was delivered to McAfee last Wednesday, and a tutorial briefing was given Thursday at noon.
McAfee's original complaints before the EC, however, pre-date this timeline by weeks.
Nonetheless, Microsoft is now maintaining it has lived up to its commitments, at least as of today. "We believe McAfee and all our other security partners have the information they need to replace our alerts with their alerts, and we are completely available to answer any questions," stated Fathi.
The second part of Fathi's statement this morning confirmed news that BetaNews first reported late yesterday: Microsoft is holding a series of conferences with security partners to propose a comprehensive security services API for Vista, to be developed in a relatively open process that would involve security partners and Microsoft working in tandem.
Fathi confirmed this API would be an alternative to the kind of exclusive PatchGuard bypass key that some vendors have requested, which Microsoft contends could effectively disable its Kernel Patch Protection feature. These proposed services, Microsoft says, would enable the class of security features that vendors are looking for, without having to compromise PatchGuard's lockdown of the 64-bit Vista kernel.
"These discussions are underway between our engineering teams and our third-party security partners about the functionality they are seeking, and how to prioritize this significant work in the months ahead," wrote Microsoft's Ben Fathi. "We are implementing the commitments we made to the European Commission, to develop these new interfaces in the months ahead after consultation with our security partners. Our goal is to provide an initial set of documented, supported kernel interfaces in the Windows Vista SP1 timeframe, recognizing that this will require collaboration from our industry partners."
Again, we see reference to the "Vista SP1 timeframe," without a specific time attached. Yesterday, a Microsoft spokesperson declined to specify to BetaNews how far out SP1 might be, on an actual time scale.
Fathi concludes by reaffirming that bypassing Kernel Patch Protection is not an option from Microsoft's vantage point - and, contrary to many reports, never was.
"We are committed to providing our customers with a more secure and reliable operating system," he writes, "by protecting the core of the 64-bit kernel in Windows Vista with Kernel Patch Protection, while also working with our security partners to provide the kernel functionality they need without bypassing Kernel Patch Protection."