06 Feb 2002
Microsoft's efforts to secure its operating systems and software have met with widespread scepticism among industry experts.
Richard Purcell, the software giant's head of corporate privacy, revealed earlier this week that each division is to take one month off to perform a "code scrub" which will examine all the operating systems and applications software code to ensure that it is free of flaws.
But the news was greeted with disbelief. As security expert Neil Barrett explained, checking the code is fairly simple, but fixing the holes could be very time-consuming.
Source code can be run through programs which ensure that it is hole-free, but Microsoft will be faced with problems once it has uncovered any vulnerabilities. "If a number of vulnerabilities are uncovered, the development work required to produce fixes could take far longer," he said.
The company must also be sure that it can check all the source code. "Much of the source code for libraries was written years ago and may be lost," explained Barrett.
In addition, Microsoft can only check for known vulnerabilities. There are about half a dozen known exploits based around either the interface between two programs, or the interface between user and program, said Barrett.
"We can check these easily. But there may be many more that we currently don't know about," he pointed out.
Microsoft's UK office refused to confirm whether the "code scrub" was underway, and would not specify what would be involved in such a procedure.
"I'm unaware of [Purcell's] comments. If he had said such a thing, he would have had a good reason," insisted John Noakes, UK .Net development manager at Microsoft.
He claimed that the code for both Windows XP and Visual Studio .Net, which is released on 13 February, had undergone extensive security checking as it was being developed.
"We have done penetration testing, and had external companies testing the releases in live environments," said Noakes.
Microsoft is aware of the challenge facing it. Chief technology officer Craig Mundie presented a paper to the recent World Economic Forum, which reported that it may take as long as "10 to 15 years" to reach the company's goal of 'Trustworthy Computing'.