In a bid to reassure customers rattled by a series of headline-grabbing security flaws, Microsoft has said it will launch an initiative to make its products more secure.
The push includes another revamp of the company’s patch management process, which has been widely criticized as too cumbersome for enterprise users and too confusing for some home users, as well as major upgrades to Windows and Windows Server 2003 designed to make the software harder to hack even without updated patches.
Microsoft president and CEO Steve Ballmer announced the initiative, calling security “a key area of focus for us” while still emphasizing that it is “criminal actions” by hackers and others that cause security breaches.
“Our goal is to enable increased protection and resiliency of systems and networks,” Ballmer said. “Our highest priority is developing these safety technologies for our customers.”
Industry analyst Rob Enderle told the E-Commerce Times that Microsoft has been forced to redouble its security efforts in an effort to remind industry partners and customers that it continues to move forward with improvements. Company founder Bill Gates announced a sweeping security initiative called Trusted Computing last year, only to have the SQL Slammer and Blaster worms ravage the Internet, using Windows machines as vectors, months later.
“A lot of what they’ve done has been behind the scenes, so they need to remind people from time to time that they are doing what they can to make their software more secure,” Enderle said, adding that Microsoft needs to bridge the gap until next-generation software that is built on a more secure base can be released.
Patch and Go
Ballmer said one key improvement will be a simplification of the way patches are distributed. Microsoft plans to move to a monthly patch release schedule, which he said will make it easier for network administrators to plan updates, which often require system shutdowns before installation.
A recent lawsuit against Microsoft claimed the software maker’s patching process was so unwieldy that most end users ignored directives to apply fixes.
Early next year, Microsoft will release a new version of its software update service for Windows, SQL Server and other enterprise software platforms. Along with other improvements, the company said, the move will reduce by 30 percent the amount of downtime required to keep current with patches and other updates.
Alex Bakman, CEO of Ecora Software, said Microsoft is far from being the only vendor that faces this patching issue. “It’s really everybody’s problem,” he told the E-Commerce Times.
In part because the company needed to be seen reacting to flaws quickly, Microsoft has at times “flooded people with individual patches,” Bakman added. Still, the company’s pledge to spend $100 million on improving security is far and away more than any other software maker has done.
A Little Education
Microsoft also said it will start offering free security seminars later this fall and will conduct monthly online security seminars beginning in November. The company also will share more details about how its own network is configured to ensure security, according to Ballmer.
The final piece of the new initiative will involve planned updates in the first half of 2004 for both Windows XP and Windows Server 2003, which was released just a few months ago.
The updates will include new Microsoft technology that makes computers stand up better to attacks, even when patches do not yet exist or have not yet been installed. The protection will guard against several of the most common types of attacks against Microsoft software, Ballmer said. Additional security improvements will be rolled out in late 2004.