By Woody Leonhard
When Microsoft announced it was entering the antivirus biz, the usual nattering nabobs of negativism moaned and groaned about unfair competition and unlevel playing fields.
But several recent events seem to confirm the worst: Microsoft may well be using its desktop monopoly to trump its AV competitors. What do you think?
The PowerPoint zero-day smoking gun
Before Microsoft started selling antivirus protection, the major antivirus companies (and many of the smaller ones) enjoyed more-or-less equal access to Microsoft’s top-secret AV information. When Microsoft found out about a new threat, the AV companies all heard about it at the same time. When MS figured out how certain types of malware worked, the AV companies learned about the holes quite quickly.
Then Microsoft announced that it would start competing in the antivirus arena with the product we now know as Windows Live OneCare. AV companies received assurances that the flow of information wouldn’t stop — that Microsoft wouldn’t use its special position as the provider of the operating system to take unfair advantage with their AV product.
On September 26, antivirus researchers at McAfee discovered a new zero-day PowerPoint exploit that goes by the unlikely name of CVE-2006-4694. Like so many other zero-day exploits, this nasty critter was discovered in the wild when it dropped a targeted Trojan that McAfee calls Exploit-PPT.d.
There’s just one little problem with Exploit-PPT.d. As McAfee antivirus researcher Craig Schmugar points out in his Sept. 26 blog entry, Microsoft already knew about this particular Trojan and, presumably, the zero-day exploit that delivers it. Craig shows a listing that seems to prove that Microsoft had not only identified the exploit, but had updated one of its scanners to detect the dropped Trojan three days before McAfee found it. The Microsoft scanner, dated Sept. 23, identifies the Trojan as Win32/Controlppt.X.
My friends in the antivirus community tell me that, as far as they know, Microsoft didn’t bother to mention this particular zero-day exploit, or the Trojan, to any other AV companies. Microsoft simply updated its own AV product and let its competitors pound sand.
Microsoft goes public after the fact
On Sept. 27, Microsoft finally fessed up to the zero-day hole, issuing security advisory 925984. That advisory lists not only PowerPoint 2000, 2002, and 2003 as being vulnerable, as McAfee had advised, but also two versions of PowerPoint for the Mac. Take a look at the advisory and tell me if it looks like it was thrown together in the 24 hours after McAfee posted its warning.