Microsoft Security Executive Promises Improvements

Computerworld - Pittsburgh
The man who receives more complaints about the security of Microsoft Corp.'s software than anyone on the planet declared here last week that the company's products are improving in quality and will continue to become more secure.
In particular, Whistler, the planned next version of Windows 2000 for business users and consumers, is due to show the results of several security-improvement initiatives that are now in the works at Microsoft when it becomes available next year, said Steve Lipner, manager of the company's Security Response Center.
Lipner's comments at a security summit for officials in industry, government and academia come in the wake of a series of disclosures about security holes in Microsoft's products. For example, Microsoft said it is working to fix potentially dangerous holes in both its Outlook e-mail software and its Internet Explorer browser [News, July 24].
Lipner told attendees at the Cyber Security Summit, sponsored by Carnegie Mellon University's Institute for Survivable Systems, that the Microsoft response center typically receives 10 to 100 messages a day from users reporting security problems. "But recently, it's been closer to 100," he said.
He added, though, that the complaints often are about hacks that could have been prevented had users downloaded software patches published months - and sometimes years - earlier. Asked about the future of Microsoft products, Lipner said, "Believe it or not, I see fewer vulnerabilities and problems ahead" because of the work of external security researchers and Microsoft's product developers.
Nonetheless, other speakers at the conference sounded a consistently pessimistic note about the escalating threats to computer security from viruses, denial-of-service attacks and the like - and about the technology industry's failure to get on top of the problem thus far.
Dave McCurdy, president of the Electronic Industries Alliance in Arlington, Va., sat on a panel with Lipner and said he's not convinced the situation is improving. "Steve, I don't necessarily agree with you that security is going to get better," McCurdy said. "Maybe at Microsoft it will get better."
And without singling out any vendor, Mike Jacobs, deputy director of the National Security Agency, said users "need more secure and stable operating systems" in order to better protect themselves from malicious attackers.
"It's in the realm of operating systems that the most troublesome problems exist," Jacobs said, noting that safeguards such as firewalls and encryption can fail if operating systems are flawed. But fully securing operating systems remains "an elusive goal," he added.
Some attendees called for Microsoft and others to open all sourcecode for inspection, saying that's the only way users can have total confidence in the security of a software product. But Lipner said Microsoft is "not going to give up our intellectual property."
However, Lipner added, the number of universities that have been given Windows source code for security reviews has almost doubled in the past year to about 140 - and that's a trend that will continue, he said.

Read more about security in Computerworld's Security Knowledge Center.