Full Disclosure mailing list archives
Microsoft Outlines Security Plan (Balmer Blows Hard)
From: Jeremiah Cornelius <jeremiah () nur net>
Date: Fri, 10 Oct 2003 13:48:01 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Outlines Security Plan
Fri Oct 10, 1:00 AM ET
washingtonpost.com
By Mike Musgrove

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Microsoft chief executive Steven A. Ballmer said yesterday that there is "much, much, much" left to do to protect computer users from viruses, worms and other malicious software. He outlined new steps the company plans to take to address this problem -- while acknowledging that these changes can't solve it.

"There is no silver bullet," Ballmer said in a speech at the company's Worldwide Partner Conference in New Orleans. "Even if all the vulnerabilities were fixed tomorrow morning in all of the products, there's still 600 million computers . . . that wouldn't have all of these vulnerabilities patched."

Recent devastating software worms and viruses have earned Microsoft intense criticism, as well as a class-action lawsuit filed in Los Angeles Superior Court last week that accuses the company of not doing enough to guard the personal information of Windows users.

Ballmer described several changes to Microsoft's security strategy. He said the Redmond, Wash., company will issue security updates on a monthly schedule, except in "emergency" situations, to make it easier for users to keep their personal computers up to date. It will ship Windows with security precautions activated that are now left off -- for instance, a firewall program that stops Internet worms such as Blaster. He also said the company will release security-focused updates to Microsoft Windows XP and Windows Server 2003 in the first half of next year.

Computer security "is without question the number one priority for the company," Mike Nash, vice president of Microsoft's security business unit, said in a phone interview after Ballmer's speech. He added that employees from across the company had been pulled to work on security efforts.

Ballmer said that, since most virus and worm attacks come only after vulnerabilities have been disclosed by the company or by security researchers, Microsoft is working with computer-security firms to make sure that they do not announce vulnerabilities before Microsoft has designed a fix.

"I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products. "It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers."

But no matter how fast Microsoft pushes out patches, users still have to install them -- something Microsoft is trying to address with a new educational campaign that Ballmer also announced yesterday.

"I think people are taking computer security a bit more seriously; some of our clients are still cleaning up from the Blaster virus," said Josh Pennell, chief executive and founder of computer security firm IOActive Inc. "Computer security is almost like car insurance. Nobody wants it until their car gets totaled."

Jeff Jones, senior director of trustworthy computing at Microsoft, said earlier this week that his company had seen an increase in the numbers of users downloading security patches after an outbreak of viruses that began in August. "I hesitate to speculate on whether there is long-term learning going on there," he added.

Ken Dunham, director of malicious code at iDefense Inc., a computer security firm based in Reston, said Microsoft's plan to release only monthly updates "may give hackers extended time to exploit a vulnerability before a patch is released."

Other security professionals noted the lack of specifics in Ballmer's speech. "There wasn't any detail to what kind of tools they will provide," said Richard Ku, product manager at Trend Micro Inc., a developer of anti-virus software.

"Announcements never secured anything," said Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc. "The fact that some guy gets on stage and says a bunch of words does not make your computer secure."

Michael Frodyma, president of BooNet Inc., an Internet service provider based in Bethesda, said he worries about the unintended consequences of Microsoft's security patches. Some have disabled the computers of his customers -- who have then blamed his firm for the problem. "One is frightened of what's around the next corner with Microsoft," he said. "You wake up the next day and suddenly something isn't working."

--
Jeremiah Cornelius, CISSP, CCNA, MCSE+I
farm9 Information Security
email: jc () farm9 com
Phone: 510.835.3276
mobile: 415.235.7689

"Be cheerful while you are alive" --Ptahhotep, 24th Century B.C.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/hxsLJi2cv3XsiSARAu2KAJ9ZIUcLgfQ+vkgLaMPF4f2fRAHbUQCff+mX
LLWfeX8SgQ6y5sTh6dSNmZw=
=6RRO
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html