Microsoft faces up to security threat

Microsoft chief executive Steve Ballmer has acknowledged that security is as big an issue for Microsoft now as were its antitrust battles with the Department of Justice.

Speaking at the company's worldwide partner event in New Orleans, Ballmer unveiled the security technologies that will feature in the next upgrades of its desktop and server operating systems, and pledged to make patching easier.

"I think the criticisms that our customers and partners are highlighting about security is a defining moment," he told the audience.

"Our whole industry is threatened, in my opinion, by people's fears to do new things because of security issues."

Ballmer accepted that the number of patches released by Microsoft has proliferated, but said the time between a patch being issued and the development of an exploit to take advantage of the vulnerability was dropping.

"We want to make our customers resilient to attack even when patches aren't installed. You should be able to install patches when you want, not [when] the hackers [want]," he said.

It took hackers 331 days to come up with the Nimda exploit after the patch was released, but just 25 for them to reverse engineer the Blaster patch.

"The hacker community uses our patches as blueprints to our vulnerabilities," Ballmer acknowledged, calling on law enforcement authorities to crack down on hackers.

"These people are criminals," he said. "We are working with law enforcement to make sure they are found and brought to justice."

Microsoft's updated software will feature automated patching for business customers, and more secure default internet settings, he said.

By May next year Microsoft will introduce one patching experience across Windows and all the application products. It hopes to reduce the risk of deployment by providing rollback capabilities for all patches, and now has technology that reduces patch sizes by 30 to 80 per cent.

Early next year, Microsoft will also ship version 2 of its Software Update Server (SUS) patch deployment automation system, which automatically downloads patches according to policies set by the customer. SUS is free to Microsoft customers.

"The whole package can be seen as a recognition that security is not primarily about spending lots of money on fancy products," said Graham Titterington, principal analyst at Ovum.

"Just as in the nineteenth century when civil engineers working on providing clean drinking water and effective sewers did far more for longevity and health than the medical professionals, Microsoft is showing that the key movers in IT security are not the security vendors."

Windows XP Service Pack 2 will feature additions such as the firewall switched on by default, more secure default email settings and better protection from malicious code on websites, as well as technology to reduce buffer overruns, which are often exploited by virus writers.

Microsoft is also working on a service pack for Windows Server 2003. It will include inspection technologies to scan a machine in a remote location, such as a laptop or a home worker's PC, and stop it from connecting to the corporate network if it is carrying a virus.

Both go into beta early next year, shipping in the second half of 2004.

Additional reporting by Iain Thomson.