Microsoft focuses on security

Product priority reflects 'a defining moment' after recent virus attacks

By TODD BISHOP
SEATTLE POST-INTELLIGENCER REPORTER

LOS ANGELES -- Microsoft Corp. spent the past week touting the new graphics, storage and communications features to come in the next Windows. But the product's fate in the marketplace may ultimately depend on something much less glamorous.

The company, plagued in recent years by viruses that infiltrate flaws in Windows, is promising fewer bugs and new levels of security in Longhorn, the next generation of the operating system, unveiled publicly at a Microsoft conference here this week.

Watching closely will be a beleaguered public -- businesses and individual computer users, many of them overwhelmed by viruses and the steady stream of software patches needed to thwart them.

"It's really a defining moment for us, and we need to get it right," acknowledged Amy Carroll, director of the company's security business unit.

Longhorn, due on the market in 2005 or 2006, will be the first version of Windows developed entirely under the company's Trustworthy Computing initiative. That initiative began last year, when company Chairman Bill Gates publicly declared security and related issues the company's top priority.

As part of Trustworthy Computing, the company is using new methods to analyze software code for flaws and to assess whether a given program is truly secure.

Examples include a practice called threat modeling, which examines different ways hackers might be able to exploit a program; and automated tools that check code for common errors, such as buffer overruns.

Microsoft executives say the results are already starting to become apparent in the company's products.

For example, Windows Server 2003, released this year and developed in part after the company launched the Trustworthy Computing initiative, had six reported critical or important vulnerabilities in the first 180 days after its release, compared with 21 vulnerabilities in the first 180 days after the debut of its predecessor, Windows Server 2000.

But problems persist, nevertheless. Windows Server 2003 was one of several Windows versions for which Microsoft reported a critical flaw and issued a patch in July.

A few weeks later, the Blaster virus exploited that flaw to penetrate unpatched computers worldwide, causing erratic behavior and planting files designed to launch an online attack on a Microsoft Web site.

The effects of Blaster and other viruses that hit around the same time were apparent in Microsoft's first-quarter earnings, reported last week. The company experienced a $750 million decline in unearned revenue -- billings from volume licensing deals that are recognized as revenue over time -- in part because the viruses distracted customers and kept salespeople from closing deals.

Around the world, particularly outside the United States, municipal and national governments have cited security concerns as one reason for considering alternate computing platforms, such as the open-source Linux operating system.

"Security has opened a crack in Microsoft's dominance on the desktop," said John Pescatore, vice president for Internet security at the Gartner Inc. research group.

At the same time, Microsoft has an inherent advantage because its platform is so entrenched. Even if a widespread shift to Mac or Linux were to happen, it would take place incrementally, over time, said Ted Schadler, principal analyst at Forrester Research.

Yesterday, Microsoft held a special symposium on software security during its Professional Developers Conference at the Los Angeles Convention Center. The aim was to share with attendees -- primarily software developers from outside the company -- some of the techniques that Microsoft has learned for creating secure software, to let them use the same practices in developing their own.

Mike Nash, corporate vice president in the company's security business unit, told the audience that part of the problem in the broader industry is that many developers weren't taught sound security practices as part of their computer-science education.

During the symposium, Microsoft representatives went through the intricacies of common programming mistakes, such as buffer overruns, and described how to prevent them. One example they showed was the very section of flawed code exploited by the Blaster virus this past summer.

They also repeated a common theme, pointing out the lengths to which hackers will go to find and exploit vulnerabilities.

"You may live in the nicest part of town, but the moment you plug that network cable into the wall, you are in the seediest neighborhood on the planet. There are some really rotten people out there," said Michael Howard, a Microsoft senior security program manager and an author of the book, "Writing Secure Code."

Seeing Microsoft security experts demonstrate what they have learned about preventing flaws and protecting computers left some attendees with the impression that the company is on the right track.

"It's a tough job, but they've just gotta keep going at it," said Sheldon Riesen, a software developer with Tantia Technologies in Calgary, Alberta.

At the same time, Riesen acknowledged the magnitude of the challenge that Microsoft faces. "They have millions of lines of code. With so much, there's bound to be some problems in there," he said.

Microsoft executives say they believe the Longhorn operating system will translate into significantly fewer vulnerabilities for viruses to exploit. But even with the new methods that the company is using to create secure programs, they say, the advent of Longhorn won't mean the complete end of software flaws.

That means there will still be a need to distribute software patches -- fixes for identified flaws -- to businesses and individual users. Microsoft is trying to make that process more manageable by, among other things, improving the quality of patches, making patch file sizes smaller, and simplifying the process of notifying consumers and businesses about flaws and available patches.

Although Longhorn isn't coming out for as many as three years, a number of the planned security improvements will be available to Windows XP users next year as part of an update known as a service pack. Expected improvements include the activation of a computer's firewall by default and the handling of e-mail attachments in such a way that a user can't open a file that might infect a computer.

Further down the road, Longhorn's debut should give Microsoft a unique opportunity to make it easier for users to track and apply patches, said Forrester Research's Schadler.

"They can build into Windows the ability to do patch management in a much more native way," Schadler said. "That's a big deal, because you're never going to build a bulletproof operating system, so patch management has to become a more natural part of the landscape."

At its Los Angeles conference this week, Microsoft spent much of its time talking about the other features to come in Longhorn, including an updated graphical interface and a data-storage system that makes it easier to search for files and create relationships across otherwise disparate computer programs.

The security symposium was held on the last day of the conference, as many attendees were heading out of town. Some people left the symposium early to catch flights home.

But Neil Charney, director of product management in Microsoft's desktop Windows group, said the company considers security a higher priority than any of the new Longhorn features unveiled this week. "We get to go there," Charney said of those features, "when we focus on the security elements in the right way."

http://seattlepi.nwsource.com/busine...ecurity31.html