Microsoft unveils security initiatives

IDG News Service - Microsoft Corp. CEO Steve Ballmer announced a number of new security initiatives today that he said would shore up the security of customers' systems against what he called in a statement a "wave of criminal attacks."
New security features on Windows XP and Windows Server 2003, a simplified software patch-distribution process and new security education programs are all part of Microsoft's latest effort to stem the tide of worms and viruses that target computers running its popular operating systems and software, according to Microsoft and industry experts familiar with the plans.
Ballmer made the announcement at Microsoft's Worldwide Partner Conference in New Orleans and said the new technology and programs would be available "over the coming months," according to a statement released by Microsoft.
Perhaps the most technologically significant changes will come from what Microsoft called new "safety technologies" that will be rolled into upcoming service packs for Windows XP and Windows Server 2003. Those technologies will allow customers to better protect their computers from attack, even in the absence of required software patches, the company said. Better defenses for buffer overruns and heap overruns will be part of the enhancements, according to Amy Carroll, director of product management in Microsoft's Security Business Unit.
Buffer overruns are flaws in software code that are often used by malicious hackers to place attack code on victims' computers.
Microsoft will introduce protections such as improved compiler checks to stop buffer and heap overruns and software changes that mitigate the effects of such events when they do occur, Carroll said. Protections against attacks on communications ports, such as the recent W32.Blaster worm, as well as malicious code in e-mail messages and Web pages, will also be included.
Microsoft couldn't yet comment on what those changes will be or whether they would affect the Windows operating system or Exchange and Outlook products, Carroll said.
Software updates for Windows XP and Windows Server 2003 scheduled for next year will include a more robust version of the current Internet Connection Firewall that ships with Windows XP. Future changes will put the firewall on by default, make it more compatible with other products and allow organizations to centrally manage the desktop firewalls on its Windows machines, Carroll said.
Microsoft may also be integrating its default firewall with behavior-based blocking technology that it acquired with Pelican Security Inc., according to John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. By rolling the Pelican technology in with its firewall, Microsoft would be able to protect even unpatched desktops from new attacks such as the recent Slammer and Blaster worms -- a stated goal for the company, Pescatore said.
Carroll didn't rule out the use of Pelican's behavior-based detection technology, but said it's too early to comment.
The company was also mum on the issue of antivirus technology. Despite the recent purchase of an antivirus engine and development talent from GeCAD Software SRL in Bucharest, Romania, it's "too soon to tell" how that company's antivirus technology might be used to protect Windows customers, Carroll said.
For now, Microsoft is sticking with a strategy of partnering with established antivirus vendors, according to Neil Charney, director of product management at the company's Windows division.
In a related announcement, Network Associates Inc. in Santa Clara, Calif., said it's teaming with Microsoft to use its McAfee Security for Consumers products to help Microsoft enterprise customers streamline security management and operations.
On the patch management front, Microsoft said it plans to switch to monthly software patch releases.
Customers have complained that the current system of weekly patches is burdensome and needlessly complex, Carroll said. Accordingly, the company will release fewer patches and try to consolidate multiple vulnerabilities affecting a single system into one patch. For vulnerabilities that pose an imminent risk to customers, however, Microsoft will release patches as soon as they are available.
The decision to release emergency patches will be handled on a case-by-case basis and correspond to the level of danger rather than the criticality of the patch, Carroll said.
Microsoft said it will also work to reduce the number of patch installers used by its products. Currently, companies must contend with as many as eight different installers for Windows, SQL Server, Exchange and other products, using custom scripts to coordinate patching, Carroll said. By the first half of 2004, Microsoft hopes to have that number down to two, one for the Windows kernel and one for application-level patches, she said.
In the area of user education, the company intends to introduce new seminars and courses to teach customers how to secure their Microsoft products and networks.
Security technology company Symantec Corp. in Cupertino, Calif., said today that it's launching a joint program with Microsoft to develop programs that educate home and business users about proper secure-computing practices.
Changes that improve the default security of Microsoft's operating system are long overdue, Pescatore said. "This is what Microsoft should be doing -- what they should have been doing all along," he said. However, he said he was surprised by the long wait Microsoft customers will have to endure before receiving the software updates and security improvements -- as much as nine months for the first round of changes in Windows XP.
"They've been working on this all year; I thought they'd be further along," he said.
The company may also run into criticism for not extending the safety technology and other software updates to the popular Windows 2000 operating system, Pescatore said. "There are a whole lot of enterprises out there that are only using Windows 2000 on the desktop," he said.
A company spokesman said that Microsoft is basing its changes on the Windows XP architecture and technology, including the Internet Connection Firewall and Automatic Update features, which Windows 2000 doesn't use.
Microsoft is working with third-party vendors to secure Windows 2000 and earlier operating systems, the spokesman said.