Microsoft outlines security strategy

Microsoft has admitted past products were not secure enough and has promised to make its software harder to hack, as part of its Trusted Computing security strategy.

New applications and operating systems will be designed to give hackers the minimum to work with by leaving most features uninstalled or inactive by default.

For example VBScript is turned off automatically with the new service pack for Windows XP. In addition staff are being trained to be more security aware when coding.

"Many of the products we designed in the past have been less secure than they could have been because we were designing with features in mind rather than security," said Craig Mundie, chief technology officer for Microsoft, at RSA Security's annual European conference.

"In the past we sold new applications on the strength of new features, most of which people didn't use.

"A cultural change was needed and we've held some projects back for a considerable length of time while we go over the code again. Now we're focused on reducing the 'surface area' of applications to minimise attack."

Central to this is Microsoft's proposed controversial new operating system codenamed Palladium.

This will be written from the ground up with security in mind and will include extensive digital rights management (DRM) software that will make it impossible for customers to use unauthorised code, such as pirated DVDs or MP3s.

Intel is designing a processor with DRM built in to complement the system.

Mundie was also critical of the open source community and its record on security. Just because everyone could examine open source code doesn't mean that they actually do, he pointed out.

But this drew an immediate response. "People in glass houses shouldn't throw stones," said Simon Tindall, volume product business manager for Sun Microsystems.

"It's not the degree of security with open source that makes it so strong, it's the speed of fault fixing.

"The open source community fixes most faults within 24 hours. With Microsoft you wait until they get round to it, if they get round to it."

Microsoft also announced that it is adding two-stage authentication to its Passport identification software.

Users currently log-on using a password, but RSA Security will add a second stage using mobile phones, so that an additional authentication code is sent via SMS.

The service is being launched in Europe, initially due to the strength of the mobile communications industry in the region, but will be rolled out in the US later in the year.