Symantec is so pissed at Microsoft for competing against it with OneCare, and for reducing the need for their software through the security advances in Vista, that instead of innovating on top of the Vista platform, they've resorted to spreading FUD to keep themselves in the news. Cause in their minds, if they're in the news, they're still relevant.
The first flaw was in the networking stack. Symantec sees the advances in Vista as a problem, because "Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects." Hmm, I wonder why Symantec prefers the old code over the new code. It couldn't be that the old networking stack was Symantec's moneypot for the last 7 years. It couldn't be that new code means Symantec researchers have to start from scratct to build their next gen security suite. No, it's gotta be because that code was lightning fast and perfectly suited to take us into the next decade of computing. Yeah, that's it.
Now, it's curious that the article makes itself irrelevant by mentioning that the flaws were in the February CTP (5270) and that they have since been fixed. Symantec even admitted that the flwas weren't there in later builds. So tell me again... what exactly is the problem? Symantec can't use the argument that "because it's new it's insecure", when that's exactly the reasoning Firefox uses to say that it is secure. The industry can't have it both ways.... except of course, if the 'enemy' is Microsoft.
The latest "flaw" stems from a specially crafted ActiveX control that could fool UAC into elevating privileges. Forget the fact that since February, the IE team has disabled ActiveX by default, and forced the user to approve any ActiveX control that is installed. Let's also forget for the moment that the CTP in question was over 4 months and 200 builds ago. Hell, the difference between 5384 (May) and 5472 (July) is enough to make me do cartwheels. Gosh guys, this is a real problem. Quick, someone get me a copy of a Symantec security product... my Vista beta system's not secure!!!
Why is this allowed to be news? Any tech reporter with a teaspoon of brain cells still functioning (hey, the 70's affected a LOT of people) knows that fixed flaws in beta builds from four months ago are not news. That's why it's a BETA, stupid. But see, News.com doesn't just report the news, they try to influence the industry. And nothing stirs up page traffic like a bullshit story between a software company and its former housekeeper.
Look, Symantec... let me level with you. You're done. You're products do nothing but confuse users and slow their systems to a crawl. The only one that is worth anything is your overpriced Ghost package... and even THAT is threatened by Vista's CompletePC. So take a page from McAfee's playbook: shut up and innovate. But something tells me that Symantec will continue to spend more time spreading FUD than writing code. Because those who scream the loudest are usually on their way out.
Now, if you'll excuse me, I have to finish my report on the insecurities in Longhorn build 4074. You know, the one they released at PDC 2003. If flaws from four months ago make news, flaws from three years ago must be worth money.
UPDATE: The fact that News.com didn't get my comment for the Vista Views column was apparently because my cell phone was broken, not because of the editors there. So I removed one of my comments in the second and third paragraph.
UPDATE2: Michael Howard has a technical discussion on the big picture of security in Windows Vista on his blog.
UPDATE3: I think I was right...