Microsoft Tries Again With Security PushMicrosoft Tries Again With Security Push

Nearly two years after announcing its Trustworthy Computing initiative, Microsoft is vowing to make its software yet more secure. CEO Steve Ballmer said last week his company will embed more security features into its software.

"We're going go have to put in place a multistreamed set of activities to help our customers be secure. And we're going to have to recognize that some of this is about responding and helping customers and some of this is about doing innovative things, which help you and the customers to help themselves," Ballmer said in a keynote speech at Microsoft's Worldwide Partner Conference in New Orleans.

Microsoft plans to change the way it discloses software vulnerabilities. The company soon will switch to monthly security bulletins and software updates instead of the sporadic Wednesday-evening announcements, says Amy Carroll, director of product management in Microsoft's security business unit. Carroll says that should help customers better allocate their resources for security upgrades. However, if exploits or other risks concerning a security hole become apparent, the company will, on a case-by-case basis, decide whether to publish an emergency patch.

The move comes after a summer of virus and worm attacks, such as Blaster and Sobig, which targeted vulnerabilities in Microsoft software. Customers are increasingly concerned about the security-update treadmill (see "Fix-It Fatigue," Sept. 15, p. 20).

Microsoft also is working on improved patch management. By the first half of 2004, the company says, it will enhance the entire process, including improvements to Microsoft Software Update Services. "The idea is to make patch management as transparent to the user as possible," Carroll says.

While declining to provide specifics, Microsoft execs say they're going to improve the firewall in Windows XP and 2000 and ship operating systems with the firewall turned on by default, a move that could block many attacks. Microsoft also plans an aggressive outreach campaign to help home, small, and large businesses better secure their systems. "This will reach 500,000 customers and build awareness of simple steps they can take to improve their security today," Carroll says.

Gartner analyst John Pescatore says the enhancements are welcome, but he expects many companies to be leery of relying on Microsoft for security. "Enterprises certainly won't jump on trusting Microsoft for enterprise security right off of the bat," he says.

A monthly patch program could help companies that are being run "ragged" by the near-weekly security bulletins and patches, Pescatore says. "Some may say this is Microsoft trying to hide vulnerabilities, but corporations are tired of being forced to patch every week. A month sounds like a good period of time, but I'd question the wisdom of patches being announced every quarter or six months."