Bill Gates reiterated Microsoft's commitment to improving security yesterday in an email which charts the progress of the firm's two-year-old Trustworthy Computing initiative.
There are few headline-grabbing initiatives in Gates' 3,200 word missive - beyond a promise to host a series of security summits across the US later this year.
But the email does a good job of summing up Microsoft's recent security-related announcements. Reading between the lines, we can see a shift in Microsoft's thinking on security.
Beyond fire fighting
Gates writes that "security is as big and important a challenge as our industry has ever tackled", and a problem that will not be licked overnight.
"It is not a case of simply fixing a few vulnerabilities and moving on. Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious code before it can wreak havoc."
He singles out four recent viral epidemics: Slammer, Blaster, Sobig and Mydoom. These show how viruses and worms can spread more rapidly than ever before. Blaster in particular shows the threats posed by malicious code are evolving. In response, software vendors have to make it easier for users (particularly consumers) to keep themselves secure.
Unlike his colleague Steve Ballmer - who has a tendency to make Wild West analogies when talking about security - Gates has come to (correctly) describe the process of improving security as a process, and not a destination. Also, he has dropped the hostage to fortune he handed out when he promised to rid the world of spam within two years. That pledge was wisely discarded around the time of February's RSA Conference.
With two notable exceptions (biometric IDs and Windows vs Linux security), there's little to dispute in Microsoft's latest security manifesto. Microsoft motives for improving security are arguably entirely selfish (removing a possible barrier to sales). But if its efforts result in fewer zombie PCs, compromised Web servers and less spam, then that's good. Right?
SP2 puts up more solid defences
Chief among these efforts is Windows XP Service Pack 2. Due out in summer, XP SP2 promises far-reaching changes to improve the ability of Windows XP-based computers to withstand malicious attacks from hackers, viruses and worms.
Features include: Windows Security Centre; automatically turning on Windows Firewall; browsing enhancements to Internet Explorer (providing far more control of ActiveX, for example); and automatic pop-up blocking. Security Centre will let users check the status of their firewall, anti-virus protection and automatic software updates from a single point.
Microsoft also promises better file attachment handling in Outlook Express and Windows Messenger instant messaging, a move designed to reduce the chance of users unwittingly opening malicious code.
Buffer overflow slaying
Most significant of all in the longer term is revamped memory protection to prevent buffer overruns, the perennial source of so many security problems. AMD already supports this technology with a range of its chips, and Intel is also committed to introducing support in microprocessors due out from autumn this year onwards.
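The paragraph above names buffer overruns as the perennial source of security problems that the new memory protection targets. As an added example (not code from the article, from Microsoft, or from any vendor named here), the block below puts the classic unchecked copy beside a bounded version that refuses input which does not fit; the buffer size, function names and sample inputs are constructed for illustration. Hardware no-execute support of the kind the article mentions is a second layer: it stops injected code from being executed, but it does not prevent the out-of-bounds write itself, so the length check is still required.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer the copy routines write into.
   Constructed for this example. */
#define NAME_BUF 16

/* Portable bounded string length: never reads more than max bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Classic overrun pattern: copy untrusted input into a fixed-size
   buffer with no length check. strcpy() keeps writing until it finds
   the NUL terminator, so any input of NAME_BUF bytes or longer writes
   past the end of dst (a stack buffer overrun, undefined behaviour).
   Kept here only to show the defect beside the fix. */
static void copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form: measure first, refuse anything that does not fit
   together with its terminator, and only then copy. Returns 0 on
   success and -1 on rejection; dst is NUL-terminated on success and
   left untouched on rejection. */
int copy_name_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = bounded_len(src, dst_size);
    if (n >= dst_size) {
        return -1;            /* would overrun: no room for the '\0' */
    }
    memcpy(dst, src, n + 1);  /* n + 1 <= dst_size, so this stays in bounds */
    return 0;
}

/* Predicate: does src, terminator included, fit in buf_size bytes? */
int input_fits(size_t buf_size, const char *src) {
    return bounded_len(src, buf_size) < buf_size;
}

/* Wrapper that attempts a checked copy into a fresh NAME_BUF buffer
   and reports the result code, so the behaviour can be exercised
   without exposing the buffer. */
int try_checked_copy(const char *src) {
    char buf[NAME_BUF];
    return copy_name_checked(buf, sizeof buf, src);
}

int main(void) {
    char buf[NAME_BUF];
    /* Constructed sample inputs: one short name, one 24-byte run. */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAA";

    copy_name_unchecked(buf, short_input);   /* fits, so this is harmless */
    printf("unchecked copy of short input: %s\n", buf);

    /* copy_name_unchecked(buf, long_input) would overrun buf here.
       A no-execute bit would stop code planted by that write from
       running, but would not stop the write from corrupting the stack. */

    if (copy_name_checked(buf, sizeof buf, long_input) != 0) {
        printf("checked copy rejected a %zu-byte input\n", strlen(long_input));
    }
    return 0;
}
```

Rejecting oversized input, rather than silently truncating it, is the usual choice: truncation avoids the overrun but can leave a value the rest of the program never expected to see.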
With XP SP2 Microsoft is applying the security philosophy (secure by default etc.) it introduced with Windows Server 2003 to its three year-old client OS.
That process goes both ways, it seems.
Gates said Microsoft plans to ship security advances in Windows Server 2003 Service Pack 1 in the second half of 2004 that will include the server-relevant security technologies found in Windows XP SP2. This service pack will also remove older, unused technology in a bid to reduce the potential for vulnerabilities.
Patches, patches, who’s for my lovely patches
Gates continues to trot out a statistic, first mentioned by Steve Ballmer, which has been attacked as misleading by open source advocates.
He says the number of "critical" or "important" security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to nine in the first 320 days each product was on the market.
Even if you accept this statistic at face value, patches are still a necessity of IT security, whatever the platform. Last November, Microsoft moved to monthly releases of updates to improve predictability and manageability.
"We also are improving testing processes to minimize update inconsistencies and recall rates, and by this summer most of our updates will have full rollback capabilities," Gates writes.
Passwords out – biometric in
Improving authentication and access control is another key aspect of Microsoft's security manifesto. Gates writes of the need to move away from passwords to more secure technologies like two-factor authentication and smartcards.
"Farther out, a Tamper-Resistant Biometric ID Card system will provide an innovative, simple and affordable solution for providing cryptographically secure photo-ID cards using a unique combination of public key cryptography, compression and barcode technologies," he says.
Looking further ahead, Microsoft is investing R&D budget in developing "active prevention" technologies including application-aware firewall and intrusion prevention technologies as well as technologies that can dynamically adjust to an environment a user is working from.
Intrusion prevention, along with SSL VPNs, is among the hottest areas of the security landscape just now. But security vendors shouldn't worry too much because Microsoft's plans in this area remain vague, at least at present.
On which note - there's still no indication about what Microsoft intends to do with GeCAD, the Romanian anti-virus firm it acquired last year.
Education for free!
In his email, Gates also stressed the need for user education. By the end of 2004, Microsoft aims to reach 500,000 business customers worldwide with information on how to optimise their systems and networks for security.
Starting in April, Microsoft will host the first of 21 Security Summits in cities across the US, "intended to provide deep technical security training for IT and Developer professionals". This training will be offered at no charge (our emphasis), Gates promises. ®