Information Security News mailing list archives

Microsoft Security Exec Sees Improvements


From: InfoSec News <isn () C4I ORG>
Date: Wed, 26 Jul 2000 03:10:11 -0500

http://www.pcworld.com/pcwtoday/article/0,1510,17825,00.html

The company has taken several steps, including faster distribution of
software patches, he says.

by Gary H. Anthes,
Computerworld July 25, 2000, 2:14 p.m. PT

The man who receives more complaints about the security of Microsoft
software than anyone on the planet vowed Monday that the company's
products are improving in quality and will continue to become more
secure.

In particular, Whistler, the planned next version of Windows 2000 for
business users as well as consumers, is expected to show the results
of several security improvement initiatives that are now in the works
at Microsoft when it becomes available next year, says Steve Lipner,
manager of the company's Security Response Center. (See "Microsoft
Beefs up Security Center.")

Lipner's comments at a security summit for officials from industry,
government, and academia come in the wake of a series of disclosures
about security holes in Microsoft's products. For example, Microsoft
last week said it was working to fix potentially dangerous holes in
both its Outlook e-mail software and its Internet Explorer browser.
(See "Closing Another IE Security Hole.")

Lipner told attendees at the Cyber Security Summit in Pittsburgh,
sponsored by Carnegie Mellon University's Institute for Survivable
Systems, that the Microsoft response center typically receives 10 to
100 messages per day from users who are reporting security problems.
"But recently, it's been closer to 100," he says.

He adds, though, that the complaints often are about hacks that could
have been prevented had users downloaded software patches published
months--and sometimes years--earlier. Asked about the future of
Microsoft products, Lipner says, "Believe it or not, I see fewer
vulnerabilities and problems ahead," attributing the improvement to the
work of external security researchers and Microsoft's own product
developers.

A Failure Thus Far

Nonetheless, other speakers at the conference sounded a consistently
pessimistic note about the escalating threats to computer security
from viruses, denial-of-service attacks, and the like--and about the
technology industry's failure to get on top of the problem thus far.

And without singling out any vendor, Mike Jacobs, deputy director of
the National Security Agency, says users "need more secure and stable
operating systems" in order to better protect themselves from
malicious attackers.

"It's in the realm of operating systems that the most troublesome
problems exist," Jacobs says, noting that safeguards such as firewalls
and encryption can fail if operating systems are flawed. But fully
securing operating systems remains "an elusive goal," he added.

Tiger Team Attacks

In an interview Monday, Lipner outlined several steps taken by
Microsoft that he said are already helping to improve the security of
its products. Design and code reviews have been beefed up, as have the
internal "tiger team" attacks that the company uses to mimic security
attacks before it releases products, he said.

In addition, the .Net framework announced by Microsoft last month will
introduce a layer of software on top of Windows that sets up a
"sandbox" within which downloaded code must run. Lipner says it can
block access to machine resources by malicious code, except as
permitted by the user.

Lipner also promises faster distribution of software patches via a
more automated process. But he discounted the popular notion that
there will be, anytime soon, "benign viruses" that can roam through a
system or network to sniff out and then fix security flaws.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

