A few weeks ago Microsoft appeared to be tacitly conceding that, in the face of repeated and damaging attacks, the 'patch and patch again' approach to security was a busted flush, and that 'securing the perimeter' was the way to go. But how do you get there from here? It's hard, so it's not exactly surprising that the most immediate meat of the company's "new security inititatives" put forward today is, er, patch management.
The manifesto was nailed to the door by Microsoft president Steve Ballmer today at the company's Worldwide Partner Conference in New Orleans, and comes in three broad categories (we quote):
- Improved patch management processes, policies and technologies to help customers stay up to date and secure
- Global education programs to provide better guidance and tools for securing systems
- Updates to Microsoft Windows XP and Windows Server 2003 with new safety technologies that will make Windows more resistant to attack even if patches do not yet exist or have not been installed
Feel free to be as unimpressed by the middle one as we are - if they don't know already, they ain't going to learn, so this is largely a 'be seen to be doing something' play. But you can read more here, and the full transcript of Steve's speech will no doubt be up shortly.
Also on that page you'll see the subhead "Improving the Patch Experience", which sounds something of a kamikaze mission. This however is intended to make patch management easier, to introduce "new processes for patch distribution" and to include a move over to monthly patch releases. So, the need to patch still exists (well, obviously, given that the holes will keep appearing for the foreseeable future), but Microsoft will get its act together better on management.
It entirely escapes us how you do that. Granted, Microsoft's update systems are not exactly stellar, and have plenty scope for improvement. However, worms do not keep to regular monthly schedules, people will get very angry if you do not deal with them now, which means you have to rush out patches, some of which turn out not to work or to break things worse, which means... status quo ante? In the business market Microsoft will be releasing Software Update Services 2.0 in H1 2004, providing a "seamless patch, scanning and installation experience for Windows, SQL Server, Office, Exchange Server and Visio," but that doesn't help the rest of us.
We suspect that the deep structure meat of the new approach to patch management, what maybe makes it not the same as the old approach, is that we'll see the switch over to auto updating by default that Microsoft trailed earlier this year, so all of the crap still happens, but with a bit of luck you don't notice because it's going on in the background. But yes, in summary, what we appear to have here is first, patching doesn't work, we've got to do something else; second, but we can't do something else immediately, so; third, we've got to keep patching while we sort out the something else but; fourth, we'll try to make patching hurt less, OK?
Onwards to something else, part one. Ballmer speaks of security updates for Windows XP and Server 2003 due in the first half of 2004 in SP2 for XP, and "subsequently" in SP1 for Server 2003. Ballmer says approximately what these are intended to do, but not how they do it. They are "designed to enable customers to more effectively protect their computers and systems from malicious attacks even if patches do not yet exist or have not yet been installed" and will "focus on protections against the four types of attacks that constitute the largest percentage of threats: port-based attacks, e-mail attacks, malicious Web content and buffer overruns."
You will note that how they do these things, how effectively, resiliently, and with what effect on the system, are topics that will bear investigation in the coming months.
Alongside Ballmer's announcements, which seem to us to fall largely in the firefighting department, Microsoft also trotted out one of these sad cases of the company interviewing itself, in this case allowing Security Business Unit VP Mike Nash to answer all the questions he'd prefer journalists to ask. The gist of this is that he stresses the "key role" Microsoft's partners play in the new security inititatives, but note that the examples he gives are heavily slewed towards security in medium to large business, and there's no word here about "securing the perimeter" either.
Paula Rooney of CRN does however seem to have induced senior VP Bob Muglia to talk about it during an interview. Asked if the securing the perimeter inititative was "just marketecture," Muglia responded, "You need to have multiple levels of security... It's like a gated community. You need additional levels of security, doors locked and alarms turned on, and additional defenses--countermeasures, such as putting up a fence--to be protected. A year from now you'll see additional countermeasures in place, as well as better firewalls."
Sounds depressingly like a 'yes' to us. ®