Microsoft promises better security by 2006

Software undergoing tough testing...

Microsoft has pledged to improve security testing on its products by next year.

Speaking at the Information Systems Security Association conference in London on Thursday, Ed Gibson, chief security advisor for Microsoft UK, said the company's products are undergoing tougher testing than ever before but customers would not see the results until next year.

Gibson said: "The whole concept of trustworthy computing is taking a different approach. The lifecycle from origin to the product hitting the shelf is going through security testing like no other product that's gone out. But that's not where we're at yet.

"Microsoft is dealing with it. We're going through the lifecycle but we won't see the products through this until 2006."

Gibson, a former FBI agent recently appointed by the software giant, said there would always be a need for 'critical updates' - formally referred to as patches by Microsoft. "When a critical update is released, there are people out there intent on compromising every product. As soon as the update goes out there is something else to follow it. I ask you, will there ever be a time when we don't have to do updates?"

Microsoft currently issues patches on a monthly basis. From April to August this year, vulnerability monitoring firm Secunia has warned of 21 flaws in Windows XP Professional, 24 per cent of which are, according to Secunia, still unpatched by Microsoft.

Gibson said the 'exploit and update' cycle is not unique to Microsoft.

"It's for every product and an industry issue," he said. "[Exploits] are written by organised crime for extorting money. I don't know how you deal with that in an open source world. Worms and viruses don't start by themselves and we know there have to be more viruses for spammers to operate."

Comments

There are 2 comments.

  1. John Hall

    Did they say that last year? And why would you go to sea in a sieve and start patching the holes, why not just take a boat... the point I'm getting at is why rely on a Microsoft to secure your network when you've got Cisco, 3Com, Netgear, McAfee and Nokia that can do the job.

    • 9 September 2005 12:32
  2. Simon

    John Hall wrote : "And why would go to sea in a sieve and start patching the holes why not just take a boat"

    Great analogy!

    "... the point I'm getting at is why rely on a Microsoft to secure you network when you got Cisco, 3Com, Netgear, McAfee and Nokia that can do the job."

    But then you spoil it! Why buy a sieve and then buy a cover (from a third party) to block the holes when you could go out and buy a real boat that starts out by being approximately water-tight? OK, a bit of chewing gum might be required to plug the odd leak, but it's better than starting with something built using construction techniques that the rest of the world avoids because everyone else has known for decades that the end result is a leaky boat!

    Ignore the crap that MS keep coming up with, the fundamental way in which their products are designed and built is almost guaranteed to produce the sort of vulnerabilities we keep seeing. Nothing short of a complete about-face on their methodologies will change that - and the result won't be Windows compatible!

    • 13 September 2005 07:43