Microsoft expects security effort to take time

The software giant announces a detailed plan of action to combat recent security threats, but one executive says things won't change overnight.

Ina Fried Former Staff writer, CNET News

During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.

See full bio

Ina Fried

Oct. 9, 2003 9:02 a.m. PT

3 min read

Microsoft announced Thursday a detailed plan to combat a recent wave of security threats, but one executive told CNET News.com that things won't change overnight.

"I don't think it is a big-bang thing," Microsoft Senior Vice President Bob Muglia said in an interview Wednesday. "I think it's an evolutionary, multistep thing."

News.context

What's new:
Microsoft announces new efforts to combat software insecurity, including safety updates to Windows and improvements to patch management.

Bottom line:
The software giant is taking steps to improve upon earlier, inadequate approaches to security, but acknowledges that its "securing the perimeters" strategy will not change things overnight.

For more info:
Track the players

As earlier reported, Microsoft is moving toward a strategy known as "securing the perimeter," which involves a greater reliance on firewalls and other "shields" to stop hackers from reaching potentially vulnerable PCs. Thus far, Microsoft has focused its efforts on a Trustworthy Computing initiative designed to improve the way the company writes its software as well as on finding flaws and quickly patching them as they are uncovered.

However, Microsoft executives have said in recent weeks that the patch approach alone is not working, with many customers choosing not to install the latest updates to Windows, or at least not quickly enough to thwart hackers.

On Thursday, Microsoft CEO Steve Ballmer unveiled new programs and technology investments to be delivered over the coming months, including safety updates to Windows XP and Windows Server 2003, improvements to patch management processes and technologies, and worldwide education programs.

"Our goal is simple: Get our customers secure and keep them secure," Ballmer said in a statement. "Our commitment is to protect our customers from the growing wave of criminal attacks."

Ballmer first referred to a greater reliance on shield technology during a Sept. 15 speech before a crowd of Silicon Valley executives.

The software giant has come under increasing pressure to step up its security efforts, particularly in the wake of the MS-Blast worm, also known as Blaster. In addition to concern among customers large and small, Microsoft faces a proposed class-action lawsuit in California over its security flaws.

However, Muglia said Microsoft has realized that it needs to take action on more levels to try to thwart hackers.

Ballmer: Humbled
by the worm
Steve Ballmer, CEO, Microsoft

"You need to have multiple levels of defense," Muglia said, likening it to the steps one might take to secure his or her house.

"You need to have a fence outside your house, sort of like a gated community," he said. "Then you need to have your doors locked and maybe you need your alarm turned on as well."

Muglia stressed that security is Microsoft's top priority right now. "We are also looking at ways we can detect some, whether there is some aberrant behavior that is happening on the network, and find intruders," Muglia said.

At the same time, Muglia said a lot of customers stopped the Blaster attack by using tools that are already available, such as the Internet Connection Firewall that is built into Windows.

"We're looking at ways that we can get customers to...turn ICF on and to make sure ICF is as effective as it can be and tools like it," Muglia said. "The fact is that for most of these customers, there are a lot of steps they can take right now to make themselves less vulnerable."