Next up on the companys security agenda: Porting the pertinent SP2 security fixes to Windows Server 2003 and certain versions of Internet Explorer; introducing new patching technologies, including Windows Update Services and Microsoft Update; and rolling out Microsofts next-generation "Active Protection" security technologies—starting with behavior-blocking technologies.
And thats not all. Microsoft also is working on its own antivirus offering, which it is expected to deliver as a service, as well as on new, hosted security offerings for small businesses.
But first things first. Microsoft still has a lot of work yet to do on Windows XP SP2, in terms of getting this collection of new features and fixes out to as many of the estimated 300 million Windows XP users as possible. Starting on Wednesday, August 25, Microsoft is set to begin pushing the service pack automatically to users desktops over the Web.
At the same time, Microsoft will need to continue field support calls from corporate and consumer customers whose applications are encountering compatibility problems with SP2.
"It seems that nobody tested the Service Pack in RC (release candidate beta) mode even though dramatic warnings were issued by Microsoft," said Bernie Robichau, a network administrator and security officer with the South Carolina Department of Parks, Recreation and Tourism, based in Columbia, S.C. "I think that the service pack is ready. [But the software] vendors didnt prepare in most cases. Our vendors are crying out, Dont install this service pack. Its not ready for prime time."
Regardless of who deserves the compatibility blame, "there will always be a few cases where Microsoft has to fix something on their end," Robichau added.
Microsofts next big job will be to incorporate the relevant SP2 security fixes into Windows Server 2003 Service Pack 1, the final ship date for which recently was delayed to mid-2005. The company also is working to roll out its next-generation patching services, specifically Version 2.0 of Windows Update Services (formerly named "Software Update Services) and the brand-new Microsoft Update service. Both are due out by mid-2005.
Microsoft also is expected to back-port some of the Internet-Explorer-specific security fixes from SP2 to older versions of Windows that bundle in Internet Explorer 6.0. The browser continues to be a significant target for malware attackers.
Earlier this year, Microsoft officials said the company was "highly likely" to make the relevant SP2 updates available for IE 6 for Windows 2000 Service Pack 5, according to software testers who requested anonymity. In addition, Microsoft also told some of its partners that it was considering strongly making the IE-specific SP2 updates available for Windows NT, Windows 98, Windows 98 Second Edition and Windows Millennium Edition, the insiders said.
However, Microsoft officials have said that the company has no plans to port the full set of SP2 fixes for older versions of Windows.
While SP2 is consuming much of the Windows teams time and attention, the unit hasnt lost sight of the longer-term security picture. On that front, new security services and Microsofts Active Protection security technologies are next up.
Microsoft acquired Romanian antivirus vendor GeCAD in June 2003. Contrary to speculation, Microsoft isnt planning to build antivirus software into Windows, according to company officials. The company is, instead, trying to figure out how to sell antivirus protection as a service that would be available separately to Windows customers. So far, Microsofts not committing to a timetable for rolling out such a service.
Earlier this month, there were rumors that Microsoft had begun alpha testing its antivirus service. But a Microsoft spokesman would not confirm that the company commenced its antivirus testing.
"I know the GeCAD technology has been critical in the creation of the [existing Microsoft] cleaner tools for worms and viruses like MyDoom and Sasser," the spokesman said. Meanwhile, "they [Microsoft] are continuing to work on the code they showed at the RSA 2004 [security conference]."