Two years after Microsoft chief software architect, Bill Gates, vowed the company was making security its top job, users and experts have said that while progress has been measurable, a lot more work has to be done.
“There is a long way to go to make it easier for administrators to keep their networks secure,” moderator of the NTBugtraq mailing list and surgeon general for security company TruSecure, Russ Cooper, said.
Some commentators have said Windows must be simplified or transformed with a major code overhaul, that an alternative to pushing out patches might be needed and that automated patch management will have to show it’s secure before it can help improve security.
Other experts claim Microsoft must also focus on shoring up older software such as Windows 2000, given that the next major release of the operating system, code-named Longhorn, isn’t expected to ship until 2006 or 2007.
And foremost, Microsoft, which is a collection of autonomous product groups, must learn to work as one company when solving security issues.
“They are now seeing that coordination across the entire company takes a lot of time,” analyst with Directions on Microsoft, Michael Cherry, said. “Installing one product should not undo security of another product.”
Cherry said security was driving change because it hit Microsoft on the bottom line.
“The money companies spend fixing these problems is money they can’t spend on new products,” he said.
Critics and end-users have said Microsoft will make some progress in coming months when it ships Service Pack 2 for Windows XP, which is designed to make the operating system more resilient by turning off some features by default and by making available a set of new patch management tools, including new installer and updating software.
Those improvements come in addition to those in Windows Server 2003, including additional security features to lock down key components such as Active Directory and Internet Information Server.
However, all these improvements might be feeding the problem.
“They are layering on more complexity, not simplifying the code to make it more secure,” an analyst with the Burton Group, Dan Blum, said.
It’s a philosophy Microsoft seems to have fallen short of when it introduced its first major security push in 1999 with its Secure Windows Initiative team. The goal then was to provide education, tools, process and testing without adding more security features.
“It’s simplicity versus complexity, flexibility versus security,” Blum said.
Others have said even more drastic measures should be taken by rewriting core code even though it would break compatibility with most existing applications.
“The blind spot is the code base because it is apparent now that Microsoft met ship dates of earlier products by using some sloppy code,” president of Enlightened Point Consulting Group, John Kretz, said. “The vulnerabilities can’t be addressed with check boxes and default configurations. I would like them to fix the code instead of changing defaults.”
It’s a drastic measure that points to the problem Microsoft has had establishing credibility for Trustworthy Computing. Every time progress seems to be made, Microsoft gets shot in the foot. Gates sent customers his original Trustworthy Computing memo in 2002, less than a week before the patch was issued for the SQL Server vulnerability that the MS-SQL Slammer worm eventually exploited. CEO Steve Ballmer touted the gains of Trustworthy Computing to corporate partners just a week before seven new critical vulnerabilities were revealed. Just after the two-year anniversary of Trustworthy Computing, the ASN.1 vulnerability was made public and Microsoft acknowledged that it had taken more than 200 days to develop the patch for a hole some called the worst ever discovered.
And last month, more embarrassing incidents occurred, including a leak of source code and a fix issued outside of Microsoft’s new monthly patch cycle to correct a bug in Internet Explorer.
It’s a list that leaves users cautious.
“I can’t say if security has gotten any better,” said George Defenbaugh, manager of global IT infrastructure projects for petroleum company Amerada Hess Corp. “Who knows what’s out there that has not been discovered.”
Despite the pockmarks, Microsoft points to progress.
Win 2003 needed six critical or important patches in the first 300 days after release, compared with the 36 critical or important patches issued in the first 300 days after the release of Win 2000.
Win 2003 was the first major product that Microsoft developed under its Trustworthy Computing Release Process, an internal process including security design reviews. Office 2003 and Exchange 2003 are some of the 20 products that have been subjected to the same reviews.
“Our number one request from customers is to ship more secure products,” senior director of the security and technology business unit at Microsoft, Jeff Jones, said. “We think we are on track and doing well in terms of progress.”
Jones said success in the short term and long term would be based on writing more secure code, developing protective technologies such as personal firewalls to protect against the spread of malicious code and updating Microsoft’s patching technology.
“We know we have a lot of work ahead of us,” he said.
The company has formed several alliances and awareness programs to enlist the help of partners, including the Virus Information Alliance and the Global Infrastructure Alliance for Internet Safety for service providers.
Software is also on tap. Before July, the company plans to ship its Software Update Services 2.0 and Microsoft Update, both tools for downloading patches, and the Internet Security and Acceleration Server 2004.
In the second half of the year, it will ship Service Pack 1 for Win 2003 and more patching tools. And down the road it plans a secure Simple Mail Transfer Protocol gateway, behaviour-blocking technology and the Next Generation Secure Computing Base, a combination of hardware and software to lock down the operating system.
TruSecure’s Cooper said the upcoming XP service pack, which will turn on the personal firewall within the operating system by default, showed progress not just in technology but also in attitude.
“It’s a huge step forward turning something on that will break legacy functionality,” Cooper said.
“That will create support calls, and it shows Microsoft acknowledges that the security risk is greater than the annoyance and cost of all those support calls.”