Can Microsoft Make a Sieve Hold Water?

After shelling out to install a security system in your home, you find it mysteriously opens the front door in the middle of the night at least once a month. When that happens, any evildoer could enter the premises.

Don’t worry, says the vendor, who sends a new lock for the door. But another door pops open. Another lock has to be sent.

You ask the vendor to fix the system once and for all. The vendor’s reply: Security is important to us. On the next iteration of the system, the doors will stay closed all month.

Would you buy a security system from this company?

You probably already have. Now, you may wind up paying for the locks that are being added, as well.

On Feb. 8, Microsoft paid an undisclosed sum for Sybari Software, which provides antivirus software for messaging and collaboration servers. Sybari joins GeCAD, another antivirus software maker, and Giant Company Software, which makes antispyware products, in Microsoft’s growing stable of acquired companies.

With the acquisitions, Microsoft can provide firewalls and antivirus software, and couple them with its Windows operating systems. Microsoft says it will offer some security products such as antispyware protection for free, but possibly sell antivirus software separately. Other security features will be wrapped into other Microsoft products. That’s fine, but technology executives should be wary of any security products emanating from Redmond.

After all, Microsoft is part of the problem. Microsoft itself recently made that point to this customer. Twice.

First, I received the company’s monthly security bulletin. It arrived the same day the Sybari deal was announced.

The bulletin listed 12 new software patches for Windows, Office and Internet Explorer to fix 16 vulnerabilities. The patches covered all versions of Windows, including the recent Windows XP Service Pack. They are meant to fix “critical” vulnerabilities that would allow a hacker to launch a denial-of-service attack or hijack a computer if its user visits an infected Web page.

Second, I got pinged with a “critical update notification.” This e-mail, urging me to install the patches, came as I was typing this column.

Scary. You get the feeling Microsoft at least can watch what the everyday computer user is doing.

Meanwhile, Microsoft sees no irony in its security software acquisitions. “Customers are telling us that there needs to be a convergence of security solutions,” says director of product management Amy Roberts.

At the RSA Security conference on Feb. 15, Bill Gates pitched Microsoft’s “trustworthy computing” initiative and noted that Microsoft spends more than a third of its $6 billion R&D budget on security.

Of course, the defenses Gates and company will soon be pitching are needed precisely because Microsoft has sold software that’s vulnerable—from the start—to attacks. Luckily, all you have to do is get Microsoft’s newly acquired “server-level antivirus solution” and things will be better.

Better than what? Microsoft sells business software with lots of holes. Then it gives you or, better, sells you the software to fix them. Not a bad gig if you can get it.

Now that Microsoft is buying security software vendors, folks actually think companies like Symantec, Trend Micro and McAfee will get squashed. Shares of all three companies fell following Microsoft’s announcement about Sybari.

OK, so Microsoft creamed Netscape, WordPerfect and Lotus. This is different. Executives can’t afford to buy locks from a vendor who has a habit of leaving doors open in the first place.

“We think this acquisition is an encouraging step and long overdue,” says Brent Thill, an analyst at Prudential Equity Group, in a report on the Sybari deal. “However, we expect Microsoft will have to make more acquisitions and dedicate additional resources to gain credibility.”

After all, you will want proof, up front, that if Microsoft itself has to install a new security system in its home, it does not leave doors open as well.