Microsoft security moves 'too little too late'

It's good, but it's not right...

By Joey Gardiner, 5 October 2001 12:30

Security experts have broadly welcomed Microsoft's proposals to provide improved security for its users, but say the plans don't go far enough.

Bill Malik, VP at Gartner Group, said the scheme is a step forward but it fails to address the reasons Gartner cited when it advised users to ditch Microsoft's web server software.

Malik said: "The fundamental issue was that the method by which Microsoft develops code is not up to the job for building enterprise level computers.

"The problem is not that they don't know how to make fixes, or that they don't get the fixes out quickly enough, but it's just that there are so many damn fixes in the first place."

Microsoft's new initiative, called the Strategic Technology Protection Programme, aims to make users' access to information and patches for Microsoft's software easier by grouping them in one place - http://www.microsoft.com/security/. It is backed up by free user advice and a commitment by Microsoft to improve its development processes to "deliver more secure and reliable products".

However, a Microsoft spokeswoman today admitted there are no concrete changes in the development process she could point to.

Karen Cross, group server marketing manager for Microsoft, admitted it had been shaken by the spate of bad publicity over Microsoft's security. This started with the Code Red and Nimda attacks, and culminated in last week's Gartner report, which advised users to steer clear of Microsoft's IIS web server because of poor security. The Code Red and Nimda worms spread by exploiting vulnerabilities in IIS.

Cross said: "We have received a jolt from recent events, there is no doubt. Customers told us - you have to make it easier for us. Even our own administrators were saying it was hard for them to find all the patches - and if they couldn't get there how could we expect our customers to do it? So we put them all in one place."

Other security experts were more positive than Gartner's Malik. However, others agreed the move did not address the points raised by the Gartner report.

Gunter Ollmann, principal analyst for security firm Information Security Systems, said: "It's an effort to make people aware of what's already out there, and as such must be welcomed, but it does not answer the Gartner Group report."

Eric Chien, chief researcher for Symantec, said: "You look at Microsoft's latest releases of software - for example XP - and you can tell they're getting more serious about security, and this is another reflection of that."
