When Symantec got news last weekend of a potentially serious security hole in its Norton Utilities product, the company swallowed its pride and set to work on a fix for the glitch.
Harder to swallow was the fact that Symantec's chief competitor in the antivirus software market, McAfee, had discovered the security hole and then passed the information to Windows Sources and the San Jose Mercury News. A call from high-tech trade magazine Windows Sources was what tipped Symantec off.
"It's interesting that a company like McAfee that promotes security would promote a problem that could harm users' computers," said Sherry Walkenhorst, a spokeswoman for Symantec.
Call it aggressive marketing or unethical finger-pointing, such is competition in the increasingly cutthroat software market. With hot-button issues like Internet security making headlines, companies are beginning to scour competitor's products for security defects and publicize the glitches.
Taking advantage of a competitor's weakness, if not outright industrial espionage, is normal business practice of course. But only in the software industry are product flaws or bugs so common as to be expected.
Some high-tech companies have routinely "leaked" information about product bugs to the press, without being mentioned as the source for the discoveries. Lately, however, high-tech companies are making their faultfinding role more active and public.
The most dramatic example of this occurred last week at the JavaOne developer conference, where Sun Microsystems used part of a keynote speech to demonstrate a malicious program that exploited a security hole in Microsoft's ActiveX technology. Sun actually paid $6000 for a programmer to complete the ActiveX control, which scanned for bank account records and tax return information and then threatened to upload the private data to a Web site.
Sun defends the ethics of its ActiveX demonstration on the grounds that the security problems with ActiveX--that is, the ability of programs to execute virtually any command, whether positive or malicious--are well known in the computer industry. Still, it commissioned the ActiveX control to drive home its message that Java is more secure than ActiveX.
"We weren't exposing anything new, we were emphasizing something that was already well-understood," said George Paolini, director of communications for Sun's JavaSoft division. "If we discovered some new flaw with ActiveX I would think that would go over the line. This was a recreation of something that had been out there for months."
That's true, but it's an approach that could backfire on Sun, which has had its own security problems. Paolini acknowledged that Java, too, could be the target of a security attack from a competitor. "On some level, everyone is susceptible to that same issue whether it is bugs in software or flaws in microprocessors," he said.
There is a feeling among some companies that public disclosure of security bugs in competitors' products is bad form and hurts the industry overall. Netscape Communications won't comment specifically on the ActiveX demonstration by Sun, one of its closest allies. But Jim Barksdale, chief executive officer of Netscape, has said before that such disclosures are comparable to an airline criticizing the safety of a competing airline when a plane crashes.
McAfee representatives don't agree. The company said it was doing a public service by revealing the security problems in Norton Utilities to the press. McAfee's research labs found that a Web site could make Norton Utilities perform harmful actions on a user's computer, such as reformatting a hard disk, using a VBScript.
"Symantec is trying to divert attention from their own problem here," said Mark Coker, a spokesman for McAfee. "You shouldn't shoot the messenger. The fact of the matter is it shouldn't matter who discovered it. McAfee has done a service to hundreds of thousands of Norton Utilities customers."
This week, McAfee got into a similar skirmish with another vendor, Dr. Solomon's Software. McAfee issued a press release accusing Dr. Solomon of rigging its anti-virus software to inflate performance results during software review tests.
In real world situations, McAfee argued, Dr. Solomon's Anti-Virus Toolkit would provide less protection against viruses than it might appear to under labratory conditions. Dr. Solomon later rebutted the accusations in its own press release.
Some security experts don't agree with McAfee's argument that such exchanges perform a public service for users, saying it's better for companies to handle these kind of things privately.
"That's horse droppings," said Dave Kennedy, director of research at the National Computer Security Association, a security consulting group. "That's the same argument hackers make when they publicize a big vulnerability in an operating system like Sun or Windows NT. I don't buy it."