Security a work in progress for Microsoft

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-7355-5141765.html

By Robert Lemos 
Staff Writer, CNET News.com
January 15, 2004

Two years after Chairman Bill Gates called on Microsoft to redouble
its efforts to secure its software, the company is beginning to make
progress, according to customers--but much work remains.

In January 2002, Gates launched a program called "Trustworthy
Computing," designed to focus Microsoft employees on building better
security into products and on improving customer response. The
software maker halted production to review code, delayed shipments and
retooled its development process as a result.

Now, though Microsoft is touting the large number of changes it has
made in its approach to security as a measure of its success, the most
telling pieces of evidence may be the numbers.

Six months after the release of the Windows 2000 operating system,
Microsoft had warned of system flaws in 32 security advisories; 21
vulnerabilities were gauged to be critical. Yet six months after
Microsoft released Windows Server 2003, the successor to Windows 2000,
after extensive code reviews, the number of flaws had shrunk to 14,
with only 6 critical issues.

"Customers are better off today than they were a year ago, and they
will be even better off in the future," said Kevin Kean, a group
manager at Microsoft's Security Response Center.

Some Microsoft customers CNET News.com contacted agree that the latest
products show signs of improvement. But they note that the changes
haven't been fully extended to products the software giant launched
before the initiative, which make up the bulk of installations.

"The problem is, there is still a wide base of products," said Joe
Peloquin, an information systems administrator for a large retail
chain. "The new code is a step in the right direction...but I don't
think they are doing enough to secure the stuff that is already out
there."

Other customers agreed and said that since the initiative's launch,
Microsoft has done a better job of providing the tools they need to
keep their systems up and running. The initiative "has given us some
tools that are more useful for software monitoring," said Joe Brunner,
an MIS manager at Sleepeck Printing in Bellwood, Ill.

"Security has overshadowed things at the moment," Brunner said.  
"Microsoft continues to make that effort a priority. But this won't be
solved in a week or with a single press announcement."

Four pillars of trust

Security is only one of the four pieces of the Trustworthy Computing
initiative, but it's arguably the most visible. Microsoft's efforts in
the three other areas--privacy, reliability and business
integrity--haven't been as evident or controversial as its moves in
the security world. Computer worms such as MSBlast and Microsoft SQL
Slammer spotlight the company's failings in the high-wattage glow of
Internet meltdowns.

While Slammer affected a product that had been developed prior to the
Trustworthy Computing push, MSBlast--also called Blaster--exploited
errors missed by the Microsoft reviews.

"Blaster is certainly an indictment, to some extent," said Stephen
O'Grady, an analyst at research firm Red Monk. "If I was working for
(the Trustworthy Computing group), that is something that would keep
me up at night."

Such incidents, Microsoft executives admitted, have resulted in
businesses holding off buying new products and, instead, patching
their existing infrastructure. Initial signs of that sort of backlash
prompted Gates to launch the initiative.

"Today, in the developed world, we do not worry about electricity and
water services being available," Gates wrote in the memo sent to
Microsoft employees and customers two years ago. "With telephony, we
rely both on its availability and its security for conducting highly
confidential business transactions without worrying that information
about who we call or what we say will be compromised. Computing falls
well short of this."

In the past year, Microsoft has released three products--Windows
Server 2003, Windows Office 2003 and Exchange Server 2003--that have
benefited from renewed focus on security. Other products now in
development, such as a planned update to Microsoft's SQL Server
database, code-named Yukon, are being constantly reviewed as they are
built to make sure that security is up to snuff.

However, with many older--and less secure--versions of Windows and
other Microsoft products still on the market, the software giant has
also had to focus on helping customers reduce their risk.

The company has released tools to help information technology
professionals lock down their networks and has published extensive
white papers that detail how its employees can secure its own
computers. In addition, it has attempted to educate consumers through
its "Protect Your PC" campaign and has urged them to turn on the basic
firewall protection available with Windows XP and to regularly update
operating systems and antivirus definitions.

"There is an order of magnitude--more people using Automatic Update
and downloading patches," Microsoft's Kean said.

Microsoft does make patches available more quickly than in previous
years, said Mitchell Rubin, president of Lynx Consulting Group in
Springfield, Penn., which specializes in Windows-based systems. But
the process needs to be streamlined. "It's still difficult to figure
out which patch to download, and you have to go to multiple places to
do updates for Windows and Office," he said. Microsoft has said it is
working on a revamped patch management system, which is expected to
debut in the spring.

In addition, the company is planning extensive security modifications
to Windows XP as part of the second service pack that Microsoft plans
to release for the operating system by summer this year.

Microsoft milestone

Rubin said that overall, the Trustworthy Computing push has been a
milestone for Microsoft. "They have improved a lot, especially in the
last year. They launched the initiative two years ago but took
six-to-nine months to sort things out. In some senses, Microsoft has
too many products, so that makes it harder."

As a result of the initiative, Microsoft has also changed how it
handles security advisories, which it issues to alert customers about
security problems and the severity of these.

Rather than releasing advisories every two or three weeks, the company
now publishes the notifications once a month. It has also turned up
the pressure on the underground programmers that create worms and
viruses by offering a bounty on the people or groups who released the
Sobig.F virus and the MSBlast worm.

Moreover, some of the bug finders that have been the bane of
Microsoft's public image for years are starting to take a softer
stance toward the company, encouraged by greater cooperation from the
company's security groups.

"They are acting more responsibly," said Thor Larholm, a senior
security researcher for security firm PivX Solutions and a frequent
finder of bugs in Microsoft's products. "The have lived up to the
spirit of Trustworthy Computing, even if they still have problems."

Yet some security experts wonder if Microsoft's flurry of activity
actually indicates progress.

"There is a lot of action but not necessarily a lot of results," said
Bruce Schneier, the chief technology officer at Counterpane Internet
Security and the author of "Beyond Fear: Thinking Sensibly about
Security in an Uncertain World." Schneier is also one of seven
security experts who penned a report warning that Microsoft's
dominance in the IT market carries a risk of catastrophic failure.

The risks to the IT infrastructure have even Microsoft's competitors
hoping that the company gets it right.

"On the macro level, you want every vendor to do a better job of
security," said Mary Ann Davidson, the chief security officer at
database maker Oracle.

Davidson sees Microsoft's focus on security, paired with the fact that
the company admits to losing sales because of security issues, as
proof that customers can demand better products. "You have the moral
liability to your customers--they bet their business on your
software," she said. "They expect it not to break, and they should get
that."

For its part, Microsoft is repeating a mantra of a year ago:  
Patience--security is a journey.

"You can't turn around the infrastructure in 24 months," said Scott
Charney, a Microsoft security strategist who has repeatedly likened
the initiative to NASA's 10-year march to the moon.

"You need better education, you need better tools, better technology,"  
he said. "Are we committed to providing those things? Yes. Are we
making progress? Yes. But are we anywhere near done? No."

Analyst O'Grady said he'd give Microsoft "improved marks." "But are
they where they need to be? No, they are not. The numbers indicate
that they are at least taking it seriously."

CNET News.com's Mike Ricciuti contributed to this report.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.