Microsoft exec vows to fix what’s broken

Interview with Jim Allchin, Microsoft

The effects of the W32.Blaster worm have been felt throughout Microsoft Corp. during August, but they have been particularly painful for Jim Allchin, a self-described perfectionist. The vice-president of Microsoft’s platforms group spoke with Computerworld (U.S.) recently about security matters. Excerpts follow:

What sorts of plans are you formulating to deal with the effects of the Blaster worm?

I personally have spent a lot of time on this, because I think I’ve concluded that we have to take a different tack than what we’ve been taking. I have nothing to report now, but you can stay tuned because…I’ve had enough, and I’m going to do something about it. We have a team trying to propose some new approaches on this.

Are you talking about internally holding individuals or groups of engineers accountable for specific code vulnerabilities?

No. All software has problems. We have to come at it with a different approach, and just stay tuned.

When analyzing the Blaster case, what did you find, beyond the fact that some people didn’t install a patch a month ago?

If everybody had the patch on in the entire universe, fine. But the question is: Can you really expect [everybody] to do that? I think that it’s a very difficult proposition to expect people to do that perfectly. If it’s done perfectly, you’re home free, and frankly, I’ve talked to companies that did it perfectly.

Let’s suppose you didn’t. What are the downsides of having one hole?

One machine gets into your environment, and you’ve got a problem. If your perimeter protection doesn’t save you, then it’s inside, and let’s suppose there are just a few machines that haven’t been patched for whatever reason. They were laptops, they never connected up to get the antivirus signatures, or whatever.

I think we’re going to have to come at it from a different approach [than] expecting perfection by the distribution, even though we’re going to give great distribution technology.

Is it something that we can expect to see this year or next year?

I don’t know.

But there will be some form of technology that you will offer to IT professionals?

That’s right.

Do you have that technology now and just need to implement it, or do you need to develop that technology?

A combination. I think we can swing around to this pretty quickly.

Do you feel that the security perceptions and realities that Microsoft faces threaten the business?

Yes…I think it threatens business for everyone. It’s not a Microsoft statement. I think customers are afraid their business is going to be jeopardized by the IT infrastructure, because they’re so dependent on computers. That’s a huge problem for the entire industry, and it’s a huge problem for us. And I take it very, very seriously.

What do you see as the accomplishments versus the disappointments with regard to Microsoft’s Trustworthy Computing initiative in the past year and a half?

It’s sort of funny to say this, because it’s sort of asymptotic to perfection, but the first part of the curve is a huge jump, so I feel incredible progress.

We trained everyone. We have people who have written textbooks. We have threat models that happened. We have all the work that we did in terms of the analysis tools, which are really phenomenal. We have some of the best people in the research team that are doing tools that analyze the code looking for issues.

You asked about disappointments. Well, I am sort of a perfectionist, and we still have work to do. We know that. I just feel really bad personally about this worm. I wasn’t impacted. I know how people could have avoided it, but they didn’t. So I take – the company takes – responsibility. We’ve got to do better.