Microsoft details new security plan

The software giant will focus on adding new security technologies to its products, educating its customers and improving its process of releasing patches, CEO Steve Ballmer says.

Robert Lemos, Staff Writer, CNET News.com. Covers viruses, worms and other security threats.
Microsoft will focus on adding new security technologies to its products, educating its customers and improving its process of releasing patches, CEO Steve Ballmer pledged on Thursday.

In the most significant security announcement since Chairman Bill Gates unveiled the software giant's Trustworthy Computing Initiative, Ballmer told attendees during a keynote address at the software giant's first Worldwide Partner Conference in New Orleans that Microsoft will redouble its efforts to secure its users.

"Our goal is simple: Get our customers secure and keep them secure," Ballmer said in a statement. "Our commitment is to protect our customers from the growing wave of criminal attacks."


What's new:
Microsoft details its new security plan, which focuses on three areas: streamlining its system of patching software flaws, educating customers and improving security in Windows XP and 2003.

Bottom line:
Microsoft is feeling pressure to come up with more effective ways of securing its software amid virulent hacker attacks and increased criticism that its systems are too vulnerable.

The pledge comes as Microsoft is trying to recover from the attacks of online vandals and critics. In August and September, the MSBlast worm likely infected more than a million computers that run Microsoft Windows.

The SoBig.F e-mail virus also spread widely during those months, compromising many more systems. Such incidents were used to support a position paper seven well-respected security researchers wrote, which the Computer and Communications Industry Association, a noted Microsoft critic, released Sept. 24.

And a lawsuit that charges Microsoft with making computer users' personal data vulnerable was filed against the company a week ago, on behalf of a victim of identity fraud.

Microsoft said it will focus on initiatives in three areas: improving its system of patching its software products; adding and improving security technologies to Windows XP and 2003; and educating customers.

A major change for system administrators bogged down by a to-do list of patches to apply to Windows computers is the software giant's move to a monthly patch release schedule. Microsoft will immediately start to release software updates once a month, unless the security flaw needs to be fixed immediately in order to help customers avoid an attack, said Amy Carroll, director of product management in Microsoft's security business unit.

"One of the things that we have heard from our customers is that deploying patches on a weekly basis is too difficult," she said. "There is some anecdotal evidence that deploying a patch is what prompts the release of exploit code."

The software giant also plans to shrink the size of patches by up to 30 percent by next May and to reduce the number of updates that require the user to reboot the system. Microsoft will also reduce the number of patching systems for its product lines to two. The company has also pledged to continue support for users of Windows NT4 Service Pack 6a and Windows 2000 Service Pack 2, both products for which the company had previously halted support.

Building on set base
Microsoft will focus on modifying and adding to the security measures it has already taken for its current products, Carroll said.

PC and network protection measures such as the Internet Connection Firewall will be turned on by default and will be designed to work better with other applications. Executable file filtering, a measure that protects Outlook users from attachments that could carry viruses and Trojan horse programs, will be expanded to other Microsoft products. Internet Explorer's system of security zones will be revamped to better protect users. And better defenses against memory flaws will be erected in the software development process and, potentially, in hardware.

"The areas that we are focusing on represent the four main vectors of attacks that we have seen," Carroll said.

The company also plans to further educate its customers in hopes that it can help them become more secure, she said. Monthly Webcasts will be published on the company's site to train customers in good security practices, and the company will use itself--in a series called "How Microsoft secures Microsoft"--as an example to teach system administrators ways to secure their systems.

"We have the goal of, by the end of 2004, that we have trained to some extent 500,000 customers," Carroll said.

Security company Symantec fully supports the Microsoft initiatives, the company stated in a release, despite indications that Microsoft might move into the antivirus software market. In June, the software giant bought Romania-based antivirus firm GeCad.

However, Symantec pointed to a recent report its researchers released as reason enough to support Microsoft's initiatives. The report indicated that attackers were quickly taking advantage of new software security holes.

"Now, more than ever, computer users need to take proper steps to protect themselves from online threats," Janice Chaffin, chief marketing officer at Symantec, said in a statement.

Microsoft plans to provide more details in the future and will continue to modify its security practices until it finds the right recipe, said Neil Charney, director of product management for Microsoft's Windows client group.

"What we learned from customers is that it is not an easy process to secure their systems," he said. "The impetus (behind these changes) is the recognition that there is still work to be done."