Microsoft unveils security initiatives

Microsoft Corp. Chief Executive Officer Steve Ballmer announced a gaggle of new security initiatives Thursday that he said would shore up the security of its customers’ systems against what he said in a statement was a “wave of criminal attacks.”

New security features on Windows XP and Windows Server 2003, a simplified software patch distribution process and new security education programs were all part of Microsoft’s latest effort to stem the tide of worms and viruses that target computers running its popular operating systems and software, according to Microsoft and industry experts familiar with the plans.

Ballmer made the announcement at Microsoft’s Worldwide Partner Conference in New Orleans and said that the new technology and programs would be available “over the coming months,” according to a statement released by Microsoft.

Perhaps the most technologically significant changes will come from what Microsoft called new “safety technologies” that will be rolled into upcoming service packs for Windows XP and Windows Server 2003. Those technologies will allow customers to better protect their computers from attack, even in the absence of required software patches, the company said. Better defenses for buffer overruns and heap overruns will be part of the enhancements, according to Amy Carroll, director of product management in Microsoft’s Security Business Unit.

Buffer overruns are flaws in software code that are often used by malicious hackers to place attack code on victims’ computers.

Microsoft will introduce protections such as improved compiler checks to stop buffer and heap overruns and software changes that mitigate the effects of such events when they do occur, Carroll said.

Protections against attacks on communications ports, such as the recent W32.Blaster worm, as well as malicious code in e-mail messages and Web pages will also be included, she said.

Microsoft could not yet comment on what those changes will be or whether they would affect the Windows operating system or Exchange and Outlook products, Carroll said.

Software updates for Windows XP and Windows Server 2003 scheduled for 2004 will include a more robust version of the current Internet Connection Firewall that ships with Windows XP.

Future changes will put the firewall on by default, make it more compatible with other products and allow organizations to centrally manage the desktop firewalls on its Windows machines, Carroll said.

Microsoft may also be integrating behavior-based blocking technology that it acquired with Pelican Security Inc., with its default firewall, according to John Pescatore of Gartner Inc. By rolling the Pelican technology in with its firewall, Microsoft would be able to protect even unpatched desktops from new attacks such as the recent Slammer and Blaster worms, a stated goal for the company, Pescatore said.

Carroll did not rule out the use of Pelican’s behavior based detection technology, but said it’s too early to comment.

The company was also mum on the issue of antivirus technology. Despite the recent purchase of an antivirus engine and development talent from GeCAD Software SRL of Bucharest, Romania, it was “too soon to tell” how that company’s antivirus technology might be used to protect Windows customers, Carroll said.

For now, the company was sticking with a strategy of partnering with established antivirus vendors, according to Neil Charney, director of product management for Microsoft’s Windows division.

In a related announcement, Network Associates Inc. (NAI) said that it was teaming with Microsoft to use the McAfee products to help Microsoft enterprise customers streamline security management and operations.

On the patch management front, Microsoft will switch to a monthly software patch releases, Microsoft said.

Microsoft customers complained that the current system of weekly patches was burdensome and needlessly complex, Carroll said.

Accordingly, the company will release fewer patches and try to consolidate multiple vulnerabilities affecting a single platform into one patch. For vulnerabilities that pose an imminent risk to customers, however, Microsoft will release patches as soon as they are available, she said.

The decision to release emergency patches will be handled on a case-by-case basis and correspond to the level of danger rather than the criticality of the patch, Carroll said.

The company will also be working to reduce the number of patch installers used by its products. Currently, companies must contend with as many as eight different installers for Windows, SQL Server, Exchange and other products, using custom scripts to coordinate patching, Carroll said.

By the first half of 2004, Microsoft hopes to have that number down to two installers, one for the Windows kernel and one for application level patches, she said.

In the area of user education, Microsoft will introduce new seminars and courses to teach customers how to secure their Microsoft products and networks, the company said.

Security technology company Symantec Corp. said Thursday that it was launching a joint program with Microsoft to develop educational and promotional programs that educate home and business users about proper secure computing practices.

Changes that improve the default security of Microsoft’s operating system are long overdue, Pescatore said. “This is what Microsoft should be doing (and) what they should have been doing all along,” he said. However, Pescatore was surprised by the long wait that Microsoft customers will have to endure before receiving the software updates and security improvements, as much as nine months for the first round of changes in Windows XP.

“They’ve been working on this all year, I thought they’d be further along,” he said.

The company may also run into criticism for not extending the safety technology and other software updates to the popular Windows 2000 platform, Pescatore said.

“There are a whole lot of enterprises out there that are only using Windows 2000 on the desktop,” he said.

A company spokesman said that Microsoft is basing its changes on the Windows XP architecture and technology, including the Internet Connection Firewall and Automatic Update features, which Windows 2000 does not use.

Microsoft is working with third party vendors to secure Windows 2000 and earlier platforms, the spokesman said.

For more information, visit