Tech Industry

Microsoft declares a "war on hostile code"

The software giant plans to unveil a strategy to turn its operating system from what many have called a sieve to a security powerhouse.

SAN FRANCISCO--Can Microsoft beat the security bugs? That's the intent of a multi-pronged strategy that the software giant unveiled Tuesday at the RSA Data Security Conference.

If successful, the strategy will allow users to have the customizability they crave, while eliminating the security holes that have been a chronic black eye, said representatives of the Redmond, Wash., company on Tuesday.

"The idea is, if you are a normal home user, to be able to turn on your PC, not do anything else, and you will be safe and secure," said Steve Lipner, manager of Microsoft's security response center.

The project is aimed at waging what Microsoft is calling a "war on hostile code." Dave Thompson, vice president of Windows development for Microsoft, outlined the initiative during a Tuesday afternoon keynote at the conference here.

The goal: Secure Windows XP. The newest version of Windows is due out in this fall and will come in several flavors: one for home users, another for business users and a later version able to run on 64-bit processors.

"It's an unending war, I'm sure," Thompson said during his speech.

Retiring the old Windows code--upon which Windows 95, 98 and Me are based--is the first step toward securing the PC. Or, as Lipner put it, "(Windows XP) is based on the Windows NT code base--it's a real operating system."

With the ability to limit access permissions to particular users--a feature common in Unix and other "real" operating systems--Windows XP will have more security right off the mark.

Yet, Microsoft doesn't intend to stop there, Lipner said.

Through a series of moves--including "spot the bug" e-mails, classes on writing secure code, and messages from higher-ups in the company supporting secure code--Microsoft hopes to focus its programmers on delivering bug-free and reliable code.

"We are imbuing security into the company's culture, we really are," he said.

On the Web site, the company has started posting update information in XML so other software companies can make update agents that can automatically check which updates the user needs. Without frequent patching, any operating system can quickly become insecure.

The software giant also intends to start rating its updates on how critical they are for the computer user to install.

Finally, Microsoft intends to add a number of applications and utilities to add security to Windows XP.

System administrators will be able configure systems' security using tools that will turn company policies--such as no personal Web surfing and no sending executables in e-mail--into specific settings.

A personal firewall, or Internet-connection firewall, will give users a higher level of security right off the bat, Lipner said. And a "credential manager" will enable user to securely store their passwords for Internet sites on their computer in a digital vault. The manager will automatically give the passwords to the originating site, effectively letting people access all their accounts with a single sign-on.

Yet will the move to security earn Microsoft praise or curses from its customers?

Microsoft's customers showed how fickle they can be when many vocally panned the giant's decision last week to block, in the next version of Outlook, several types of e-mail attachments that could be used to spread viruses.

However, Lipner said it can improve security without turning off its customers.

"When we get to some of the new things that we have done--in particular the software-restriction policies and the components of the .NET. We have the ability to tune things so you can have your cake and eat it too."