By Jo Best, 11 November 2003 17:45
NEWS Microsoft finally appears to be taking note of the public perception of its products' insecurity - but just how much is it doing to soothe virus-ridden consumers?
Speaking at the Microsoft IT Forum in Copenhagen today, Klaus Holse Andersen, Microsoft VP Northern Europe, admitted that the software company's security performance had been less than stellar: "It's been a fairly painful year... from a security standpoint, there have been more patches than we would have liked but we're starting to clear that."
There's no doubt that Microsoft is keen to be seen to be making some effort on the virus front, particularly in terms of patch management. Its patch management security push - including company-wide patch management features turning up in Microsoft's newly launched Systems Management Server, patch management guidance being distributed on its website and the streamlining of the number, outlets and size of patches for users - serves to demonstrate the software giant's commitment to pulling itself out of the security mire.
However, it could be that Microsoft's landmark move towards monthly, rather than as-and-when, patching is a further weakness, giving virus writers a 'heads up' on the optimum time to target systems.
Not so, according to Steven Adler, senior security specialist at Microsoft.
The Microsoft argument is that previously, when patches were announced amid a general noise of confused security warnings, it was far more likely the message would be missed by all but the hackers and virus writers. Now IT managers know which one day of the month they need to tune in to get all their updates.
Where next for Microsoft security? A mix of software, hardware and education, it seems. One of the next areas to get the Redmond treatment is behaviour blocking - meaning mechanisms to detect and stop computers behaving in a suspicious way, such as sending a message to every email address on a network, a technique often characteristic of a spreading virus.
As well as making hardware and software more secure, another idea being bandied around in the run-up to Christmas is security education - launching a campaign to give the less technologically aware a better idea of how to detect and protect themselves from security threats.
Despite a potential focus on consumers, it seems Microsoft isn't blaming tech-ignorant users for its security woes. Adler said: "If it's a customer's fault, they're our customer, so therefore it's our fault. We have to get them up to speed and make sure they know the risks."
However, when it comes to consumers' requests for the software company to just write better software, Adler says that Microsoft has no competition - saying that the software behemoth's products have no more vulnerabilities than other platforms and less than some, citing SuSE Linux's greater number of patches since April this year compared to the Microsoft equivalent.
So will Microsoft products ever be patch-free? Adler thinks not, saying that as long as the motivation is out there, new types of attacks will be developed.
"I don't think we will ever reach that Utopia," he told silicon.com.


Comments
There are 3 comments.
1. Phil Laszkowicz
Firstly the fact that Microsoft believes they have no competition, does not mean they should not make better software.
Secondly SuSE Linux is much more secure as an operating system, however, the patches relating to SuSE stem from the software that is packaged up with it.
MS Windows XP comes with very few pieces of software - all of which is Microsoft developed and published - compared to the 2,000+ pieces of SuSE Linux software that is organisation independent.
SuSE produce very few items of software themselves, and the patches that are distributed are usually feature upgrades to third-party software rather than security features. Something Microsoft does not do.
Microsoft fixes holes, rather than upgrading features - you have to buy the next version of software for that!
2. Dom
>>Adler says that Microsoft has no competition - saying that the software behemoth's products have no more vulnerabilities than other platforms...
Which platforms is the guy referring to?
Windows 95, Windows 98, Windows NT, Windows 2000 and other flavours of Windows?
Take a look at OpenBSD for example (http://www.openbsd.org/). Only one remote hole in the default install, in more than 7 years.
>>... and less than some, citing SuSE Linux's greater number of patches since April this year compared to the Microsoft equivalent.
Here is a great demonstration of how to compare apples to oranges by Microsoft.
Compare operating system A, EXCLUDING any applications you can run on operating system A, with operating system B, INCLUDING all the applications you can run on operating system B, and then count the number of patches for each of the 2 sets.
There you go, chances are that you will have a lower count of patches for operating system A and can claim that OS A is therefore better.
3. anonymous
Ok, now, say I'm in IT and I am sitting at a client computer and it would be very easy for me to run a patch at the same time. Is there a way to get the "pending for the next month" patches that MS has finished? Come on MS, that sounds great if you only need to patch a computer 12 times a year, but there should be a way to do it earlier.