Microsoft to Tweak Trustworthy

With vulnerabilities in its newest-and supposedly more secure-products piling up and users growing more frustrated with patches and updates, Microsoft Corp. is launching an effort to re-energize its Trustworthy Computing campaign.

With vulnerabilities in its newest—and supposedly more secure—products piling up and users growing more frustrated with patches and updates, Microsoft Corp. is launching an effort to re-energize its Trustworthy Computing campaign.

The Redmond, Wash., company began the initiative two years ago as an internal push to improve the security of its products. Since then, much of the attention has focused on training developers and performing code reviews.

Microsoft also changed the way it configures Windows and other products by default, sacrificing some usability or convenience for security.

So far, however, the results have been mixed. Trustworthy Computing has resulted in nine security bulletins for Windows Server 2003, the product that Microsoft executives said should be the standard-bearer for Trustworthy Computing. Those same officials concede now that there is still much work to be done.

"Is nine too many? Absolutely. Sure it is," said Scott Charney, chief security strategist at Microsoft. "But were making progress."

In an interview at the Security Decisions Conference here last week, Charney said the new focus at Microsoft is to find better ways to apply the strategy of defense in-depth in its products. Officials are looking at ways to encircle the operating system in multiple, concentric layers of protection, including anti-virus, firewall and other technologies.

One idea Microsoft is considering is how to implement some form of behavior blocking in Windows. The goal is to prevent anomalous activities such as a users PC suddenly sending out hundreds of ping requests. Charney said there needs to be a mechanism in the machine—in the operating system itself or delivered in a plug-in or third-party application—that can recognize bad behavior and stop it.

"That kind of method is still evolving, but we need to spend a lot of time on it," Charney said. "Wheres the state of the art right now? Thats always evolving. But the ability to control what code executes is huge."

Another piece of the puzzle is the plan to add more functionality to the Internet Connection Firewall thats included with Windows XP.

The vendors renewed plan also seeks to improve the quality of patches and the way they are delivered and installed. Microsoft has developed a new internal testing process for patches that is designed to minimize the number of defects. So far, the process has been used on Windows 2000 fixes, and since its implementation, none of the patches have been found to have a problem, Charney said. The new testing process takes five weeks, and it will soon be extended to the other Windows platforms.

Microsoft is also reducing, from eight to two, the number of patch installers it makes available to customers.

In addition, Microsoft is revamping the way it releases patches, which, until now, have been released on a weekly basis. The company is planning to release monthly packages of patches, reasoning that giving its customers all the fixes at once and on a regular schedule will enable enterprises to establish programs for testing and deployment.

"I have a lot of problems with Microsofts fundamental philosophy on patch handling. I have never installed a Microsoft update off the Internet. I wait for service packs," said Joseph Newcomer, founder of FlounderCraft Ltd., a consultancy in Pittsburgh. "The hot fixes have had a reputation for not being thoroughly tested and having serious negative side effects."

Discuss this in the eWEEK forum.