Microsoft has again signaled its intention to take a more proactive stance on security as the issue continues to plague IE (Internet Explorer) and Passport and undermine the company's software development credibility.
A recent security problem to gain attention was a vulnerability in IE's cookie-based scripting, for which Microsoft issued a patch last November.
According to Erin Cullen, a product manager for .Net Services at Microsoft, a malicious individual who wants to target the vulnerability first has to break in and take control of a system that lacks the patch.
Cullen said that even though this weakness represents a minor threat, it underscores Microsoft's resolve to enhance security around the authentication service.
"We're going to take a more proactive stance toward security," Cullen said. Illustrating the point, Cullen said in this case Microsoft for the first time sent out notices about the patch to Passport users.
She added that Microsoft also plans to issue more patches and to post more information, such as best practices, to its Web site. "We need to better communicate [security issues] with our customers."
Cullen is certainly not the first executive to trumpet a renewed focus on security. In November 2001, Craig Mundie, Microsoft's CTO of advanced strategies and policy, told InfoWorld that the company is switching its bias to "safety and security first" (see "Microsoft attempts security culture reinvention").
But although Microsoft continues to wrestle with its approach internally, analysts and users report that in the meantime customers have little choice but to keep using Microsoft software.
"At this point, Microsoft is so entrenched it would take something more significant than these recent security issues to get people to drop Microsoft -- unless Microsoft doesn't react quickly, but it looks like they are," said Shawn Willett, a principal analyst at Sterling, Va.-based Current Analysis.
Users echoed those sentiments. Despite an alarming frequency of exploited security holes in many popular Microsoft solutions, end-users are finding little alternative but to keep investing in the software giant's products, according to Steven Allen, director of the Boston Windows Group.
"I don't think [users] have a heck of a lot of choice. It's a bad choice except when you look at the alternate [technology]," Allen said.
Peter Urban, an analyst at AMR Research, in Boston, said that although Microsoft has security problems, living with them is often financially less expensive than instituting new programs.
"People have the Microsoft software implemented, and they're not going to rip it out for something else, that's just too expensive," Urban said.
Analysts said that the way things are shaping up, Microsoft may be able to leverage the dominance it has with desktop operating systems and browsers to boost acceptance of its Passport authentication service, thereby giving it a leg up in the Web services race.
In fact, Microsoft boasts more than 150 million Passport users. Meanwhile, Sun Microsystems and its Liberty Alliance brethren are still doing the preliminary work on technology for a forthcoming service.
Unimpressed with the makeup and intent of Microsoft Passport, Allen said the formation of the Sun Microsystems-led Liberty Alliance is encouraging.
"In many respects it's very good from the consumers' point of view that there are at least attempts at competition [toward Passport]. It's obvious that Microsoft wants to grab as much of the consumers' life as it can," Allen said.
Allen said he was reluctant to use Passport when the authentication technology first appeared. But he said that he had no choice in order to beta test Windows XP.
"I suspect that there are a bunch of security holes [within Passport], some that have just shown up. I don't like the idea of something like that's available to Microsoft and a bunch of other people to track where you are and what you're doing," he added.
Noting a general tone of end-user frustration at the monthly Windows meetings he oversees, Allen said the actions of Microsoft are "not going unnoticed" and described .Net as being "somewhat frightening" for what it could eventually become.
"It doesn't matter what it's tagged, .Net or .Net Passport, that's immaterial. It's basically another big push [to] move standards around and put consumers on the subscription basis. I think it's only the beginning," he said.
Microsoft and the Liberty Alliance camp have both said they are gunning to make their services interoperable, so that customers using Passport will be able to take full advantage of non-Passport services, and vice versa. Analysts, however, said it won't be that simple.
Mike Gilpin, an analyst at Cambridge, Mass.-based Giga Information Group, said that even though Web services running on the .Net environment will be able to interoperate with Web services on a J2EE (Java 2 Enterprise Edition) platform, when a user is authenticated through Passport, accessing services in a non-Passport environment may be difficult.
"Where this creates a problem is, let's say you have authenticated your security credentials and you have certified your ID according to the .Net My Services. Then say you invoke a Web service that is implemented in IBM's stack -- there could be some issues there with how those credentials would be recognized in the IBM environment," Gilpin said.