Microsoft Wakes Up to Security

Following Love Bug, company sets course to bolster software; represents major shift in policy

It took the globally debilitating "ILoveYou" virus and its link to vulnerabilities in the Outlook messaging software, but Microsoft Corp. says it has finally seen the error of its ways.

As a direct result of the infamous virus that struck one year ago, wiped out Outlook users' graphics and audio files, and bogged down e-mail servers, the Redmond, Wash., software giant has been quietly implementing a far-reaching strategy to build security into every piece of software it develops. To be sure, the shift is a dramatic one for Microsoft, which for years has focused its development efforts on ease of use.

In addition to pumping out more secure software that requires far fewer security patches, company executives hope the moves, which include sweeping internal and external initiatives, will help Microsoft to shed its reputation for being aloof about security.

"We've made a clean break with our past policy on security," said Scott Culp, security program manager at Microsoft, here last week at the RSA Security Conference. "We recognize now that every piece of software has vulnerabilities and bugs, and we have to deal with it."

The security edict came straight from the top of the company following last year's Love Bug attacks, according to Microsoft officials. The initiatives, which were revealed here at the show, mark a 180-degree turnaround.

One of the first manifestations that will make it into customers' hands will be a feature in the Windows XP client and Whistler server called Software Restriction Policies. This "managed code" feature will enable administrators to set policies that choose which kinds of code are permitted to run, and where and how programs may run on a user's machine. For instance, all Visual Basic script files could be rendered useless, except for those that contain a digital signature embedded in the script code.
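To make the "signed scripts only" idea concrete, here is an added audit script, not code from the article or from Microsoft's Software Restriction Policies implementation. It walks a folder of VBScript files, checks each one's Authenticode signature with the standard Get-AuthenticodeSignature cmdlet, and reports which files would be allowed or blocked under a rule that permits only validly signed scripts. The folder path C:\Scripts is an assumed placeholder; the script only reports and does not change any policy.

```powershell
# Added example (not from the article): audit .vbs files and report which would
# be blocked under a "validly signed scripts only" rule.
param(
    [string]$ScriptRoot = 'C:\Scripts'   # assumption: folder holding the VBScript files to audit
)

function Get-ScriptSignatureDecision {
    param([string]$Root)

    Get-ChildItem -Path $Root -Filter '*.vbs' -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Only a Valid signature satisfies the rule. NotSigned, HashMismatch
        # (file modified after signing), and any other status are treated as Block,
        # so a tampered script does not pass just because it once carried a signature.
        [PSCustomObject]@{
            Path     = $_.FullName
            Status   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Decision = if ($sig.Status -eq 'Valid') { 'Allow' } else { 'Block' }
        }
    }
}

$results = Get-ScriptSignatureDecision -Root $ScriptRoot
$results | Format-Table -AutoSize

# Summary: how many scripts would stop running if the rule were enforced.
$blocked = @($results | Where-Object { $_.Decision -eq 'Block' }).Count
Write-Host ("{0} of {1} scripts would be blocked under a signed-only rule." -f $blocked, @($results).Count)
```

Running this before enforcing such a rule shows an administrator which existing scripts are unsigned or have been altered since signing, which is the inventory needed to decide what to sign, what to retire, and what the rule will break on day one.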

Users are cautiously optimistic that such a method will end the trend of hackers targeting Windows with worm viruses such as the Love Bug.

"That could really be a great feature, but the proof will be when the product is released and the rest of the world has been banging on it for a while," said David Thompson, senior manager of the security practice at PricewaterhouseCoopers, of Boston. "This is about the third time they've made this kind of pronouncement about security, but I'm glad to see one of the major [operating system] vendors doing it. I don't see Sun [Microsystems Inc.] doing it."

Microsoft also has improved its process for responding to vulnerabilities and security incidents, officials said. As part of that process, Microsoft has developed a severity rating system for its patches so that customers will be able to decide whether they need to install the patch immediately or if they can wait for their next scheduled server maintenance. Officials said the company will enable "Hotfix" patches whenever possible that can be installed without requiring a reboot.

While acknowledging that Microsoft seems to be making a concerted effort to bolster the security of its products, many customers say there is still a lot of work to be done.

"They need to get serious about security," said Howard Jones, CIO at Snapper Inc., in McDonough, Ga. "I personally think they still have to increase the security in all of their operating systems."

That is the stated goal of another Microsoft program, called the Secure Windows Initiative, which involves continuous educational programs for developers and a stepped-up internal and external testing process for new code. To that end, Microsoft, which is famously tightfisted about showing the Windows source code to anyone outside the company, has begun giving the code to groups of universities as well as outside security experts and urging them to search for vulnerabilities.

Another significant chunk of Microsoft's renewed security effort is its Security Services Partner Program, which has now grown to 50 companies with the addition last week of Computer Sciences Corp., of El Segundo, Calif.; Guardent Inc., of Waltham, Mass.; and Foundstone Inc., of Irvine, Calif.

In addition, Foundstone and Guardent announced new managed security services built for Microsoft environments. Foundstone's FoundScan Managed Security Services for Windows is a subscription service that offers vulnerability assessment and intrusion detection for about $7,000 per month. Guardent's managed security service for Microsoft's Internet Security & Acceleration Server will start in June for about $2,000 per month, depending on the level of service.

The question that remains for IT managers is this: Will Microsoft's new plans work?

Some developers think Microsoft may even be going too far, pointing to a new security feature in Outlook 2002, due as part of the Office XP package next month, that will ban all e-mail attachments by default. Officials said the protection can be switched off.

"Not everyone knows how to use all of the features of the software. It's going to make life challenging for a lot of people," said Skip Winitsky, chief operating officer of Learning Worlds Inc., of New York.

Scot Petersen

Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture,...