Now that I’ve read both of the first two papers, I note two perspectives from Symantec on this: 1) the perspective of the researchers in their paper, and 2) the uses that the Symantec marketing team may be attempting with the content.
On the first perspective, the papers read like an analysis I would expect from a test team performed on a pre-release piece of code. Falling short of full threat modeling, the researchers looked at the February pre-release code and (surprise!) were able to find some bugs. They did say that they didn’t look to see if the discovered issues had been fixed by Beta2. The first paper was similar, you recall, except they did look at the later builds and each bug discussion ends in a statement similar to “…though these have been fixed in 5384.” I’d like to think that the researchers in question reported the bugs when they found them, but I don’t know. Either way, the most important context (to me) is that they’re looking at releases that are over 9 months from release and discussing issues that have already been found and fixed by the process with 3 to 4 months to go.
On the marketing perspective, I personally think I see more F, U and D, but there are some third party observers who say it better than I can. In Symantec continues Vista bug hunt, Gartner’s John Pescatore had this to say:
But telling the world at large about vulnerabilities in an operating system that won’t ship for a while doesn’t help anybody, noted John Pescatore, a Gartner analyst. Though it may help Symantec’s marketing machine. “They want to sell desktop security software even when Vista comes out,” Pescatore said.
Additionally, security companies benefit from getting their name associated with finding vulnerabilities. “It helps people trust them as a security company,” Pescatore said.
In Flogging the Wrong Dead Horse, Brett Thomas offers some thoughtful (of course I’d think that commentary on what’s going on with Symantec and Microsoft. I had a hard time limiting quotations from the article, but here are a couple of paragraphs to give you the flavor (please read the whole thing):
When Vista was in the planning stages and the programming first started, many people spoke publicly about the fact that the networking needed to be redesigned from the ground up. The goal here was to patch the many security flaws that grew from years and years of legacy support for software and hardware gone since shortly after the dodo.
Nevertheless, Microsoft did more than that; the company completely redesigned itself somewhere. Cocooned in its excuse of “We’re designing the next big thing,” it re-thought its entire outlook and created an entire planning process around more open standards and a tighter focus on security. The first butterfly to emerge from this cocoon? Windows Vista.
Yet, when we read security report after security report (on a beta, I would like to remind everyone), Symantec erodes our confidence in the attempts that Microsoft has made to turn things around again. All we are left to feel is that another OS is right around the corner, full of holes that one could pilot the titanic, the Mir Space Station, and a herd of elephants through. It’s almost as if it wants you to feel insecure.
Oh wait, maybe that’s because it makes every dime off people who feel a need to protect themselves, their data, and their computers from the hole that is sometimes referred to as the Internet. The best company out there to make you feel insecure is the leader of security itself.