Microsoft moves beyond patches

Conceding that its strategy of patching Windows holes as they emerge has not worked, the software giant plans a new security effort focused on "securing the perimeter."

Ina Fried, former staff writer, CNET News
Conceding that its strategy of patching Windows holes as they emerge has not worked, Microsoft plans next week to outline a new security effort focused on what the company calls "securing the perimeter," a company executive told CNET News.com.

Although Microsoft will continue to devise ways to improve the means by which Windows users apply upgrades, or patches, to their software, the company has realized that too many customers don't upgrade quickly enough to thwart hackers.

"From our side, (it) has been a little naive to think that all of those customers are going to do patches," said Orlando Ayala, Microsoft's former sales chief, who now heads its sales push to small and midsize businesses. "It's just hard."


What's new:
Microsoft next week will unveil a long-awaited response to the flurry of Windows vulnerabilities and related attacks that have plagued the computer industry recently.

Bottom line:
Microsoft says a strategy that depends on companies and individuals to patch flaws and make changes to their systems is not enough. But critics question whether any new approach will work better.


Until now, Microsoft's efforts have largely centered on improving the way it writes its code and then fixing holes as they emerge. "The strategy on security has been very (much) based on patch management," Ayala said in a telephone interview on Wednesday.

However, recent worm and virus attacks have repeatedly shown that many customers remain vulnerable long after patches have been released, he said.

Ayala declined to detail Microsoft's new approach, or say whether the plans include getting further into the market of providing antivirus software. He did say that part of the effort will be a deeper relationship with firewall providers.

"We are going to start putting more emphasis on what we call securing the perimeter," he said. "That speaks of a deep partnership with the firewall world."

Ayala said that although the company has made some gains with its Trustworthy Computing effort, it is now trying to take a new approach.

"The first question is how can you secure stuff so you don't (let attacks) get in," he said. "It's kind of a shift in the strategy. It's very important; that's all I can say."

A treadmill
The Slammer worm that hit companies in January and the recent MSBlast worm highlighted the failure of companies to patch their systems quickly. It's extremely hard for any company to stay up to date, said Bruce Schneier, chief technology officer for network monitoring service Counterpane Internet Security.

"The patch treadmill is endless--you have to keep going faster and faster to keep up," he said.

Microsoft executives have recently hinted that a change of course might be needed.

Speaking to a crowd of Silicon Valley executives last month, Microsoft CEO Steve Ballmer said that the recent security issues represented a threat to innovation. At the time, he said that Microsoft was developing what he called "shield technology."

"The most important technology area we are focused on is shield technology," Ballmer said in the Sept. 15 speech. "We know bad guys keep writing viruses. The goal is to block them before they get on PCs."

At that time, Microsoft declined to comment further on what Ballmer meant.

Finding a way to deal with the avalanche of patches that come in, not just from Microsoft but from other software makers, has become a key focus of information-technology managers, said Ryan McGee, director of product marketing for McAfee System Protection Solutions at security and antivirus company Network Associates.

"This is a topic...in every customer conversation that we have," he said. "We talk about how to mitigate the vulnerabilities that are in the environments because they haven't been able to patch."

The recent MSBlast worm that hit companies in August and September likely infected more than a million computers. From the time information about the vulnerability was released to the start of the attack, companies had 26 days to patch their systems. And the amount of time to prepare is decreasing, according to a recent study. For companies with tens of thousands of systems, keeping up with the race is hard, McGee said.

"We hear customers telling us there is a problem," he said, adding that several companies offer patch management automation as a solution. "I wish I were announcing a (patch management) product or acquisition because it's a market where we could make money."

Many companies are already in the market of detecting and cataloging vulnerable computer and network devices and then automating patching. A recent study by one such company, Qualys, found that a significant portion of security vulnerabilities remain on computers connected to the Internet.

Easy prospect
Those vulnerabilities are making selling patch management systems to large companies an easy prospect, said Mark Shavlik, CEO of patch automation firm Shavlik Technologies, especially when the companies are faced with a serious widespread flaw such as the vulnerability that allowed MSBlast to spread.

"Our sales went up eight times between July and September--that's a pretty big spike," he said. "None of those people were doing patch management before. MS03-026 (the advisory highlighting the MSBlast flaw) comes out, that changed the market for us."

Shavlik wasn't sure that Microsoft is headed in the right direction, especially if the focus is too heavily on the intersection of a company's network and the Internet. "If you go to a perimeter defense, and a worm slips by your perimeter, it will compromise your entire network," he said.

Coming in the middle of the second year of Microsoft's Trustworthy Computing Initiative, the move may indicate that more shifts are ahead for the software giant. Ayala did acknowledge that Microsoft needs to do better than it has done with its Trustworthy Computing effort.

Perhaps the biggest incentive for Microsoft, said Counterpane's Schneier, is the negative publicity that major attacks heap on the software giant. As long as the company continues to be attacked by online vandals and scofflaws, Microsoft will have to continue pushing security, he said.

"To Microsoft, the threat is bad publicity and they are going to produce a security system that deals with the threat," he said.