Microsoft gets serious about security

Carel Alberts
By Carel Alberts, ITWeb contributor
Johannesburg, 25 Nov 2003

A security-embattled Microsoft has come out fighting in recent weeks. It has appointed security leads in every region, hatching action plans for every subsidiary to tackle frequent vulnerability discoveries and exploits, and restore faith in a susceptible software environment.

Colin Erasmus, security lead at Microsoft SA, says several initiatives round out the vendor's proactive approach to security.

"We are making patch enhancements - improving the frequency and the size of patches, shoring up global programmes, education and knowledge initiatives, and protecting unpatched customers," says Erasmus, who has been at Microsoft for three years.

A patchy Web service

As regards updates and the product versions that still receive them, Erasmus says Microsoft has announced extended support.

Windows 2000 Service Pack 2 (SP2) is supported until June next year, as is NT Workstation SP 6a. Weekly patch updates have changed to monthly ones (in SA, effectively the second Wednesday of every month), making updates more predictable and causing less downtime. This regularity is only interrupted if a critical update is necessary.

Erasmus says Microsoft's Connect Days showed that few people know the difference between a critical, important, moderate, or low-level vulnerability.

"Exploits like Blaster are deemed critical, and patches must be applied ASAP. Important ones mean data can also be compromised, and patching must be done at the customer's earliest convenient time," he adds. "'Moderate' means a few application settings must be in place before an exploit is likely, and with low importance, chances of compromise are minimal.

"In future, the eight patching technologies will be slimmed down to two, and specific update sites, eg for Office and Windows, will be one Microsoft update site. Delta patching technology will decrease the size of patches."

Erasmus adds that these cumulative patches should only have very small portions installing on machines that have installed previous updates. "If we can get everyone up to a baseline, size will decrease."

Exchange flaw

Microsoft is investigating what may be a serious flaw in Exchange Server 2003, only a month after the software's launch, reports CNet. The bug appears to affect an Exchange component called Outlook Web Access, which allows users to access their in-boxes and folders via a Web browser. Consumers logging into their Web-based mailbox sometimes find themselves accessing another user's account, with full privileges, according to the NTBugtraq security mailing list.

Some patches have not worked recently. Erasmus says patches will in future be built in accordance with the Trustworthy Computing initiative, with a rigorous testing cycle and threat models built into development.

But given the shortening cycle between discovery of vulnerabilities and exploits, patches must be developed faster. Erasmus says Microsoft does not expect longer patch cycles. "We are throwing a lot of resources at this (11 000 researchers), and our Shields Up and collaborative efforts address this too."

Microsoft works with researchers, vulnerability exploiters and virus builders to spread the word about sensible approaches to virus outbreaks and discoveries of software holes. Whether pro or anti-Microsoft, researchers should know the effects of publicising vulnerabilities willy-nilly, he says. He declines to comment on the advent of a "hacker union" which aims to be free of corporate and government intervention in the publishing of vulnerabilities.

Next year, patches can be uninstalled, as it sometimes happens that they "break" other software. A new version of Software Update Server will debut free next year, allowing local downloads rather than Web site polling.

Get with the programme

Microsoft is packaging best security practices for customer access, and improving its own coding, in some of the programmes under way.

XP SP2 will come out next year with Shields Up technology, firewall and increased attention on e-mail attachments, ActiveX, spyware as well as memory protection. "Prescriptive guidance" will include a secure zone for IT professionals as well as MS literature, and security seminars fill out these programmes.

With Shields Up, the goal is to protect 70% of unpatched computers, with much of the technology already out there and some of the best practices that improve the likelihood of warding off attacks. "With Blaster, a firewall would have been enough without the patch," says Erasmus.