[ISN] Security a work in progress for Microsoft

From: InfoSec News (isn@private)
Date: Fri Jan 16 2004 - 06:02:45 PST

    http://news.com.com/2100-7355-5141765.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    January 15, 2004
    
    Two years after Chairman Bill Gates called on Microsoft to redouble
    its efforts to secure its software, the company is beginning to make
    progress, according to customers--but much work remains.
    
    In January 2002, Gates launched a program called "Trustworthy
    Computing," designed to focus Microsoft employees on building better
    security into products and on improving customer response. The
    software maker halted production to review code, delayed shipments and
    retooled its development process as a result.
    
    Now, though Microsoft is touting the large number of changes it has
    made in its approach to security as a measure of its success, the most
    telling pieces of evidence may be the numbers.
    
    Six months after the release of the Windows 2000 operating system,
    Microsoft had warned of system flaws in 32 security advisories; 21
    vulnerabilities were gauged to be critical. Yet six months after
    Microsoft released Windows Server 2003, the successor to Windows 2000,
    after extensive code reviews, the number of flaws had shrunk to 14,
    with only 6 critical issues.
    
    "Customers are better off today than they were a year ago, and they
    will be even better off in the future," said Kevin Kean, a group
    manager at Microsoft's Security Response Center.
    
    Some Microsoft customers CNET News.com contacted agree that the latest
    products show signs of improvement. But they note that the changes
    haven't been fully extended to products the software giant launched
    before the initiative, which make up the bulk of installations.
    
    "The problem is, there is still a wide base of products," said Joe
    Peloquin, an information systems administrator for a large retail
    chain. "The new code is a step in the right direction...but I don't
    think they are doing enough to secure the stuff that is already out
    there."
    
    Other customers agreed and said that since the initiative's launch,
    Microsoft has done a better job of providing the tools they need to
    keep their systems up and running. The initiative "has given us some
    tools that are more useful for software monitoring," said Joe Brunner,
    an MIS manager at Sleepeck Printing in Bellwood, Ill.
    
    "Security has overshadowed things at the moment," Brunner said.
    "Microsoft continues to make that effort a priority. But this won't be
    solved in a week or with a single press announcement."
    
    Four pillars of trust
    
    Security is only one of the four pieces of the Trustworthy Computing
    initiative, but it's arguably the most visible. Microsoft's efforts in
    the three other areas--privacy, reliability and business
    integrity--haven't been as evident or controversial as its moves in
    the security world. Computer worms such as MSBlast and Microsoft SQL
    Slammer spotlight the company's failings in the high-wattage glow of
    Internet meltdowns.
    
    While Slammer affected a product that had been developed prior to the
    Trustworthy Computing push, MSBlast--also called Blaster--exploited
    errors missed by the Microsoft reviews.
    
    "Blaster is certainly an indictment, to some extent," said Stephen
    O'Grady, an analyst at research firm Red Monk. "If I was working for
    (the Trustworthy Computing group), that is something that would keep
    me up at night."
    
    Such incidents, Microsoft executives admitted, have resulted in
    businesses holding off buying new products and, instead, patching
    their existing infrastructure. Initial signs of that sort of backlash
    prompted Gates to launch the initiative.
    
    "Today, in the developed world, we do not worry about electricity and
    water services being available," Gates wrote in the memo sent to
    Microsoft employees and customers two years ago. "With telephony, we
    rely both on its availability and its security for conducting highly
    confidential business transactions without worrying that information
    about who we call or what we say will be compromised. Computing falls
    well short of this."
    
    In the past year, Microsoft has released three products--Windows
    Server 2003, Windows Office 2003 and Exchange Server 2003--that have
    benefited from renewed focus on security. Other products now in
    development, such as a planned update to Microsoft's SQL Server
    database, code-named Yukon, are being constantly reviewed as they are
    built to make sure that security is up to snuff.
    
    However, with many older--and less secure--versions of Windows and
    other Microsoft products still on the market, the software giant has
    also had to focus on helping customers reduce their risk.
    
    The company has released tools to help information technology
    professionals lock down their networks and has published extensive
    white papers that detail how its employees can secure its own
    computers. In addition, it has attempted to educate consumers through
    its "Protect Your PC" campaign and has urged them to turn on the basic
    firewall protection available with Windows XP and to regularly update
    operating systems and antivirus definitions.
    
    "There is an order of magnitude--more people using Automatic Update
    and downloading patches," Microsoft's Kean said.
    
    Microsoft does make patches available more quickly than in previous
    years, said Mitchell Rubin, president of Lynx Consulting Group in
    Springfield, Penn., which specializes in Windows-based systems. But
    the process needs to be streamlined. "It's still difficult to figure
    out which patch to download, and you have to go to multiple places to
    do updates for Windows and Office," he said. Microsoft has said it is
    working on a revamped patch management system, which is expected to
    debut in the spring.
    
    In addition, the company is planning extensive security modifications
    to Windows XP as part of the second service pack that Microsoft plans
    to release for the operating system by summer this year.
    
    Microsoft milestone
    
    Rubin said that overall, the Trustworthy Computing push has been a
    milestone for Microsoft. "They have improved a lot, especially in the
    last year. They launched the initiative two years ago but took
    six-to-nine months to sort things out. In some senses, Microsoft has
    too many products, so that makes it harder."
    
    As a result of the initiative, Microsoft has also changed how it
    handles security advisories, which it issues to alert customers about
    security problems and the severity of these.
    
    Rather than releasing advisories every two or three weeks, the company
    now publishes the notifications once a month. It has also turned up
    the pressure on the underground programmers that create worms and
    viruses by offering a bounty on the people or groups who released the
    Sobig.F virus and the MSBlast worm.
    
    Moreover, some of the bug finders that have been the bane of
    Microsoft's public image for years are starting to take a softer
    stance toward the company, encouraged by greater cooperation from the
    company's security groups.
    
    "They are acting more responsibly," said Thor Larholm, a senior
    security researcher for security firm PivX Solutions and a frequent
    finder of bugs in Microsoft's products. "They have lived up to the
    spirit of Trustworthy Computing, even if they still have problems."
    
    Yet some security experts wonder if Microsoft's flurry of activity
    actually indicates progress.
    
    "There is a lot of action but not necessarily a lot of results," said
    Bruce Schneier, the chief technology officer at Counterpane Internet
    Security and the author of "Beyond Fear: Thinking Sensibly about
    Security in an Uncertain World." Schneier is also one of seven
    security experts who penned a report warning that Microsoft's
    dominance in the IT market carries a risk of catastrophic failure.
    
    The risks to the IT infrastructure have even Microsoft's competitors
    hoping that the company gets it right.
    
    "On the macro level, you want every vendor to do a better job of
    security," said Mary Ann Davidson, the chief security officer at
    database maker Oracle.
    
    Davidson sees Microsoft's focus on security, paired with the fact that
    the company admits to losing sales because of security issues, as
    proof that customers can demand better products. "You have the moral
    liability to your customers--they bet their business on your
    software," she said. "They expect it not to break, and they should get
    that."
    
    For its part, Microsoft is repeating a mantra of a year ago:
    Patience--security is a journey.
    
    "You can't turn around the infrastructure in 24 months," said Scott
    Charney, a Microsoft security strategist who has repeatedly likened
    the initiative to NASA's 10-year march to the moon.
    
    "You need better education, you need better tools, better technology,"
    he said. "Are we committed to providing those things? Yes. Are we
    making progress? Yes. But are we anywhere near done? No."
    
    Analyst O'Grady said he'd give Microsoft "improved marks." "But are
    they where they need to be? No, they are not. The numbers indicate
    that they are at least taking it seriously."
    
    CNET News.com's Mike Ricciuti contributed to this report.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Jan 16 2004 - 09:38:48 PST