Special to CNET News.com
Microsoft should be concentrating on securing Windows instead of trying to challenge security software companies, according to research firm Gartner.
Microsoft has bought two antivirus companies and an anti-spyware company—the latter acquisition has already produced an anti-spyware application for Windows—since Chairman Bill Gates launched the Trustworthy Computing Initiative. That effort changed the company's coding practices to make security developers' first priority.
But Microsoft has missed an opportunity to make it clear what role it wants to play in the security market, by not stating its intentions, Gartner analyst Neil MacDonald said in an advisory published Friday. The company needs to "articulate whether it plans to be a leader in consumer and enterprise security solutions across desktop, server and server gateway," he said.
"Microsoft's overriding goal should be to eliminate the need for (antivirus) and (anti-spyware) products, not simply to enter the market with look-alike products at lower prices," MacDonald added.
In the advisory, MacDonald predicted that Microsoft will launch a combined antivirus and anti-spyware product by the middle of 2005. That software will directly compete with established products such as Norton Antivirus from Symantec, he said.
"This move will challenge antivirus vendors that depend heavily on revenue from consumers—such as Symantec—and vendors that derive substantial revenue from upselling enterprises to antivirus product suites that include desktops and servers, such as McAfee and Computer Associates," MacDonald said.
James Turner, security analyst at Frost & Sullivan, told ZDNet Australia that Microsoft's security strategy is a "commercially sensitive" area and that the company is not obliged to reveal its strategy.
"The fact is that Microsoft have purchased a number of security-oriented companies—anti-spyware and antivirus. You don't buy a number of companies for the fun of it. This is part of a long term strategy," Turner said.
Additionally, Turner said Microsoft's attitude to security has changed since the launch of its Trustworthy Computing Initiative. He pointed to the company's response to the recent attack on MSN Messenger.
"You don't just judge a company by what they say, you also judge them by what they do. Microsoft's recent clampdown on MSN Messenger to repair the vulnerabilities there is a clear sign that Microsoft can mobilize very quickly when something is completely within its control. If Microsoft was ignoring security, the market would punish it and so would the legal system," Turner said.
Gartner's MacDonald also rapped Microsoft's decision to create an updated version of Internet Explorer (7.0) for Windows XP only, hinting that the motive for the decision could be to push corporate customers into upgrading their systems from Windows 2000.
"The decision to restrict IE 7.0 to the XP platform also suggests that Microsoft wants to force users of older platforms to upgrade, if they want improved security," he wrote. "If Microsoft wishes to be seen as a responsible industry leader in maintaining security for its products and its customers, it should provide IE 7.0 for Windows 2000 users."
MacDonald said that Microsoft should rebuild IE with security in mind from the bottom up, rather than make "evolutionary" security improvements to the browser software.
The Gartner advisory concludes with recommendations that are likely to cause some concern to traditional antivirus vendors.
The research firm suggests that corporate customers demand that their antivirus provider offers an enterprise-class solution—including anti-spyware—at no cost by the end of this year. It also advises businesses to demand a "converged desktop security product with antivirus, anti-spyware, personal firewall and behavior blocking at a total price no more than 20 percent higher than what you now pay for standalone (antivirus)."
Neither Microsoft nor Symantec was available for comment.
Munir Kotadia of ZDNet Australia reported from Sydney.