Microsoft renews security vows
The software company reiterates its secure computing commitment by outlining a plan for a better patch system and a partnership with ID authenticator VeriSign at its TechEd conference.
The company pledged on Tuesday to improve its system for sending out security fixes, or patches, to existing products. Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued, said Scott Charney, chief trustworthy computing strategist at Microsoft, during a keynote speech at the software maker's TechEd conference here.
By the end of the year, the company intends to consolidate from eight to two the number of ways that patches are distributed to customers. One of the two new systems will address changes to the Windows operating system, while the other will apply to Microsoft's business applications. Eventually, Microsoft will consolidate its patch management into a single tool that can work across all the company's products, Charney said.
In addition, Microsoft plans to ensure that Windows fixes add themselves automatically to the operating system's internal registry, rather than to different parts of the system. By introducing consistency and by making sure that all patches register as present within the software, there's a better chance that fixes will be implemented correctly, the company expects.
Improved patch installation is one facet of Microsoft's "Trustworthy Computing" initiative, which debuted last year. As part of that initiative, the company delayed the shipment of several high-profile products, including its Windows Server 2003 operating system and Visual Studio.Net development tools, in order to perform audits and code reviews, according to the company.
Charney said that the secure computing effort is ongoing. "We are now doing security audits on all our products as part of development. We have to do that, because the bad guys will innovate just like we do."
As expected, Microsoft also detailed on Tuesday a partnership with VeriSign, which will allow customers to use the Mountain View, Calif.-based security company's digital certificate service to authenticate a person's identity over a network of servers running Windows Server 2003. The service, which should also work over Wi-Fi wireless networks, is set to become available by the end of 2003, according to the allies.
Also at TechEd, Microsoft launched two training and certificate programs specially tailored to security concerns in an effort to reduce vulnerabilities that arise from poor application configuration.
Both programs are extensions to the Redmond, Wash.-based software maker's certified credentials for systems administrators and engineers that address the design of secure networks. One of the exams is administered by the Computing Technology Industry Association (CompTIA), a computer industry trade organization.