Microsoft, Security and the Road Ahead

Microsoft officials are promising computer users more help in solving security threats that have plagued users of the company’s best-known products. But Microsoft will rely on third-party vendors to provide at least some of the solutions. Microsoft announced its new strategies for securing its products in a series of low-key media advisories and keynote addresses earlier this month.

Users won’t get improved security without rolling up their sleeves and taking a more active role in learning about security issues. But Microsoft said it will make this process easier and more efficient. Corporate users will have to attend security seminars and take in-depth training courses to learn how to work the new security tweaks. Home users will still have to keep up with software patches on a monthly basis. All users will have to redouble their own efforts to apply firewall and antivirus software.

By seeking help from other software companies it calls its partners, Microsoft could be symbolically whispering “uncle” as it struggles to put a new spin on its inability to plug security holes in its products. Michael Nash, corporate vice president of Microsoft’s security business unit, said in a written statement that Microsoft’s partners will play a big role in hardening its products against security holes and intrusions.

“The security expertise our partners bring to the table is absolutely critical in helping people secure their systems,” Nash wrote. “We are committed to helping all PC users … get secure and stay secure. To be successful, such a large undertaking requires a close partnership with many other companies.”

Promises To Keep

Microsoft CEO Steve Ballmer announced at Microsoft’s Worldwide Partner Conference earlier this month that the company’s new strategy will focus on increasing the security of millions of users and critical business systems worldwide. The plan calls for improved patch-management processes, policies and technologies to help customers stay secure. Microsoft officials have expressed hope that this new process will reduce the burden on IT administrators by adding a level of increased predictability and manageability.

Microsoft will consolidate the number of patch installers it uses to two for Windows 2000-generation products by the first half of 2004. The company also will introduce rollback capability for all new patches and plans to reduce downtime by developing patches that require 30 percent fewer reboots than earlier patches. Microsoft hopes to improve the overall patching process with new tools. One such solution, Microsoft’s free Software Update Services 2.0, will be released in the first half of 2004. The goal of this service is to provide a seamless patch, scanning and installation experience for Windows, SQL Server, Office, Exchange Server and Visio. Microsoft is extending security patch support for Windows NT Workstation 4 Service Pack 6a and Windows 2000 Service Pack 2 through June 2004 as well.

Microsoft officials claim new safety technologies will make Windows more resistant to attack when patches do not exist or have not been installed. “Our goal is simple,” Ballmer said. “Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.” The first wave of these new safety technologies will ship in Service Pack 2 for Windows XP. The release is planned for the first half of 2004.

Microsoft also will release Service Pack 1 for Windows Server 2003 next year. It will contain safety technologies to enable remote-access client inspection and intranet client inspection to help protect corporate networks from potential infections introduced by mobile systems. According to Microsoft, these security advancements for Windows XP will focus on protections against the four main types of attacks that constitute the largest percentage of threats: port-based attacks, e-mail attacks, malicious Web content and buffer overruns.

Microsoft’s Nemesis

Some analysts think the recurrence of problems associated with buffer overruns is the sign of fatally flawed Windows software. A buffer, much like a cache, is a midpoint storage place within a computer circuit. It is a data area shared by hardware devices or program processes that operate at different speeds. The buffer allows each device or process to operate without being held up by the other.

Microsoft describes a buffer overrun problem as an attack by malicious users who exploit an unchecked buffer in a program by overwriting data in the buffer with their own data. The program code allows the attacker to change the program’s operation and compromise control of the computer. If the buffer is overwritten with nonexecutable code, the overrun can cause the program to crash.

James Turley, a microprocessor analyzer and former programmer, told TechNewsWorld that the buffer overflow problem is a basic flaw in Microsoft’s products. “I’m frustrated by how many Microsoft problems are caused by the simple, basic flaw of buffer overflows,” said Turley. “Time after time, Microsoft patches a simple buffer overflow in some part of its product. Buffer overflows are easy problems to avoid, and no decent programmer would have allowed them in the first place. Yet still they persist. It’s like forgetting to tighten the bolts when you change a car tire. You might make that mistake once, but never again.”

Microsoft officials declined to discuss buffer overrun issues in the company’s products. “I’m not surprised Microsoft won’t talk,” said Turley. “Talking too much about security kind of defeats the purpose, and Microsoft doesn’t have a good track record to talk about.” However, he told TechNewsWorld that some industry watchers question whether Microsoft operating systems are really all that bad.

“They certainly seem to have poor security and reliability, but some folks have argued that any operating system used by so many people and subjected to so many attacks would probably have just as many security holes,” Turley said. “They argue that Linux or Mac OS might have just as many problems, but nobody tries as hard to find them.”

Jerry Brady, CTO of Guardent, sees the security crisis as a result of the ongoing popularity of Microsoft’s products. “The Mac OS is more mature and has evolved over a longer period of time. Plus, it doesn’t have as many versions, so it is more stable. There are less people looking for Mac OS vulnerability,” he said.

Economics a Factor in Security

Microsoft has said security is an industry-wide issue on which the company has spent lots of money. The reality, according to Microsoft, is that there is no such thing as perfect security when it comes to software.

“Through the Trustworthy Computing Initiative, we are taking our efforts to the next level to ensure that both future and existing software and services from Microsoft are as secure and trustworthy as possible,” the company said in a statement.

Microsoft claims it has spent US$200 million to train all of its developers in writing and reviewing secure code. In the last 18 months, the company has retrained 18,000 developers, instituted a wide array of secure development practices, provided its developers with enhanced tools and delivered a broad set of tools to both consumers and business customers. “We know that the number of security vulnerabilities will never be zero, so there will always be a need for a security response process to fulfill our commitment to our customers,” said a spokesperson for the company.

One of the reasons why Microsoft is such a popular target for security flaws is the money factor, Guardent’s Brady told TechNewsWorld. “There is the constant struggle between cheap versus secure software,” he said. “Expense and time both play a role in software security. And product life is also a factor.”

Brady said some people are spending their time and money to discover security vulnerabilities. Then Microsoft has to spend money to cover the vulnerabilities. The security compromises in Microsoft’s products are starting to sour consumers, some analysts warn.

“Windows is more consumer-oriented. The security situation has gone beyond the point of keeping up with the patching for many companies,” said Brady. “The cost of patching is down-time.” This cost is forcing some users to make a decision on which way to go. Consumers have more options now than ever, with Linux and other open-source operating systems primed for the desktop. “This is a very pivotal time for computing,” he added.