Microsoft Reacts to Security Stings with Tools, Promises, and Mea Culpas
SUS 2.0 leads anti-hacker charge
NEW ORLEANS -- Stung by relentless viruses and hacker attacks, and a patch cycle that is spinning completely out of control, Microsoft on Thursday unveiled a wide-ranging plan to mitigate, but unfortunately not eliminate, the crisis.
The approach includes:
- A new rev of Software Update Services (SUS).
- More consistent patching.
- Higher quality patches and patch rollback to resolve conflicts.
- More secure versions of XP and Windows Server 2003 delivered via service packs next year.
- More security defaults for desktop and server OSes.
- Laptop and remote PC security inspection technologies.
The new strategy was announced in bombastic fashion by feisty Microsoft CEO Steve Ballmer at the Microsoft Worldwide Partner Conference 2003, a gathering of 5,400 partners from over 100 countries, all chaperoned by some 1,500 Microsoft employees clad in a colorful array of Microsoft-logoed sport shirts.
Ballmer believes the security problem must be beaten back before IT can have confidence to truly embrace new technologies. “Our whole industry is in some sense threatened by people’s fear to do new things because of these security issues,” Ballmer argued.
But perhaps the biggest impetus is customer complaints, and an unrelenting river of bad press.
“There come times in any industry when you have to step back and hear what people are saying, and take that as defining moments to galvanize you into action,” he said, a more subtle way of describing the public flogging Microsoft has withstood due to security breaches.
The first phase of the Microsoft counterattack is Software Update Services (SUS), a free but barely used tool that downloads patches from Microsoft Update to a corporate server, and distributes them based on IT policies.
Due in the first half of next year, SUS 2.0 will manage patches for Windows, Office, Exchange, and SQL Server. In announcing the rev, Ballmer asked for a show of hands from those who use SUS 1.0. The paltry number of hands is part of the problem. Many do not implement security tools, even when they are free and designed to ease a burden such as installing a never-ending supply of patches.
The next rev of Systems Management Server will be a superset of SUS 2.0.
But SUS 2.0 can’t solve the patch problem on its own. Microsoft plans to reduce the size of patches through delta patching by 30 percent to 80 percent, and reduce the need to reboot by up to 30 percent. Also, non-emergency patches will be issued no more than once a month, while emergency patches will still be sent out immediately. Currently, Microsoft sends out non-emergency patches on Wednesdays.
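Delta patching, mentioned above as the way Microsoft intends to shrink patches, ships only the bytes that differ between the installed binary and the fixed one, plus references into the old file for everything that is unchanged. The block below is an added illustration, not Microsoft's or SUS's code and not the format Windows Update uses: it builds a simple block-matching delta, checks the SHA-256 of both the baseline (so a delta is never applied to the wrong build) and the result, and reports the size reduction on constructed sample binaries. The function names, the 8-byte copy and 4-byte add record overheads, and the sample data are assumptions made for the example.

```python
import hashlib
import random

BLOCK = 16          # matching granularity (assumed for the example)
COPY_OVERHEAD = 8   # hypothetical wire format: 4-byte offset + 4-byte length
ADD_OVERHEAD = 4    # hypothetical wire format: 4-byte length prefix


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _push(ops, op):
    """Append an op, merging it with the previous one when they are contiguous."""
    if ops:
        last = ops[-1]
        if op[0] == "copy" and last[0] == "copy" and last[1] + last[2] == op[1]:
            ops[-1] = ("copy", last[1], last[2] + op[2])
            return
        if op[0] == "add" and last[0] == "add":
            ops[-1] = ("add", last[1] + op[1])
            return
    ops.append(op)


def make_delta(old: bytes, new: bytes, block: int = BLOCK) -> dict:
    """Express `new` as COPY ops (ranges of `old`) plus ADD ops (literal bytes).

    Every offset of `old` is indexed, so content that merely shifted position
    (an insertion earlier in the file) is still found and copied, not re-sent.
    """
    index = {}
    for i in range(len(old) - block + 1):
        index.setdefault(old[i:i + block], i)
    ops = []
    pos = 0
    while pos < len(new):
        chunk = new[pos:pos + block]
        src = index.get(chunk) if len(chunk) == block else None
        if src is not None:
            _push(ops, ("copy", src, block))
        else:
            _push(ops, ("add", chunk))
        pos += len(chunk)
    return {"ops": ops, "old_sha256": sha256(old), "new_sha256": sha256(new)}


def apply_delta(old: bytes, delta: dict) -> bytes:
    """Rebuild the new binary, refusing to run against the wrong baseline and
    refusing to hand back output whose hash does not match what the delta promised."""
    if sha256(old) != delta["old_sha256"]:
        raise ValueError("baseline mismatch: delta was built against a different binary")
    out = bytearray()
    for op in delta["ops"]:
        if op[0] == "copy":
            _, off, n = op
            out += old[off:off + n]
        else:
            out += op[1]
    result = bytes(out)
    if sha256(result) != delta["new_sha256"]:
        raise ValueError("patched output failed integrity check")
    return result


def delta_size(delta: dict) -> int:
    """Bytes the delta would occupy on the wire, including the two 32-byte hashes."""
    body = sum(COPY_OVERHEAD if op[0] == "copy" else ADD_OVERHEAD + len(op[1])
               for op in delta["ops"])
    return body + 64


def sample_binaries():
    """Constructed sample: a 2 KB pseudo-random 'binary' and a fixed version in
    which an 18-byte region in the middle was replaced."""
    rng = random.Random(2003)
    old = bytes(rng.getrandbits(8) for _ in range(2048))
    new = old[:800] + b"PATCHED-HANDLER-v2" + old[818:]
    return old, new


def demo() -> dict:
    old, new = sample_binaries()
    delta = make_delta(old, new)
    assert apply_delta(old, delta) == new
    full, small = len(new), delta_size(delta)
    return {"full_patch_bytes": full, "delta_bytes": small,
            "reduction_percent": round(100 * (1 - small / full))}


if __name__ == "__main__":
    print(demo())
```

The baseline hash check is the part worth copying: it is what lets a patch system detect that a file was already patched, rolled back, or tampered with, instead of silently producing a corrupt binary.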
While recent viruses attacked Windows XP and ignored Windows 9.x, the most vulnerable systems are often older computers. To address this, Microsoft is extending security support until June 2004 for Windows 2000 SP2 and Windows NT Workstation SP6a. However, Ballmer strongly suggested that desktops migrate to Windows XP, an operating system that will be upgraded next year with a host of security tweaks.
The patch problem is as complex as Ballmer’s proposed solution. There are too many holes in today’s software products. IT doesn’t have time to handle patches, the patches are too large, and their release is inconsistent. Also, patch quality is lacking.
More importantly, it takes less and less time for hackers to pore through the patches and write code that exploits unpatched systems. For instance, Nimda appeared 321 days after the corresponding patch, while Blaster took only 25 days. The industry will watch closely to see if Microsoft's efforts can help seal up our systems.
Microsoft isn’t just focused on patches, but hopes to protect systems by building a kind of perimeter around PCs and servers. An upgrade to Windows XP, in beta later this year, will include some of these features. Windows XP SP2 will include protections against e-mail and malicious Web code attacks, port-based attacks, and buffer overruns.
Windows XP SP2 will have its Internet Connection Firewall on by default, and these firewalls can be centrally managed. More security defaults will be created, such as requiring a user to explicitly trust a Web site before running ActiveX controls. There is also an improved memory model to guard against stack overruns.
An upgrade of Windows Server 2003, SP1, will be able to inspect laptops and PCs that connect via VPN, and determine if there are any security risks before allowing them on the network. “From a corporate level, VPN from home or users bringing in infected laptops are top sources of infection,” Ballmer explained. Windows Server 2003 SP1 will follow shortly after the release of Windows XP SP2.
Education will also improve. There will be a new global education program, TechNet security seminars, monthly security webcasts, and a Professional Developers Conference seminar on writing secure code. Ballmer hopes to train over 500,000 people over the next 12 months. The company also launched Microsoft.com/security, an online security zone for IT professionals.
Finally, Ballmer left attendees with some basic advice, as ignoring the basics is what got us into this mess in the first place.
- Do a security audit.
- Build a security plan.
- Create a patch management plan.
- Move desktops to Windows XP.
- Move Internet-facing servers to the more secure Windows Server 2003.
In classic Microsoft fashion, Ballmer refused to suffer his critics gladly. He blamed security researchers for publicly disclosing holes before they were plugged. “It would be best for the world if these people would just be quiet,” he said, adding that Microsoft is working closely with many researchers to close holes before they’re disclosed.
He pointed to Red Hat Linux with its dozens of vulnerabilities, and cracked wise about the innumerable versions of Linux. And he took a pot shot at the recent report that suggested Microsoft’s sheer dominance creates an overall vulnerability. “There are those that say, ‘the best thing I can do for security is to walk away from Microsoft, that a monoculture is bad for security.’ That is hogwash. There is no port in this security storm that is safer than this port,” he claimed.
The crowd applauded at several points, but one attendee thought the overall approach was reactive, not proactive. “Hackers are terrorists and it is time to declare war on hackers. Everything you’ve (Ballmer) described addresses fixing it after it happens,” said the attendee, who then suggested a pool of reward money doled out to those that hunt down hackers. “It is time to attack the root.”
Ballmer agreed with all of the gentleman’s points, and hinted that Microsoft might be interested in the bounty approach, though he emphasized that such a program would have to run in cooperation with law enforcement. “We won’t be shy about using money.”
Microsoft revenues continue to rise, despite the high tech malaise, leading the Microsoft CEO toward optimism. “Is IT done for, past its glory days? All of that is such hogwash; I am so excited about the next ten years. We have the chance to change the world, to do innovative work.” Ballmer attested to Microsoft’s bullishness by pointing to this year’s budget of $6.8 billion for R&D. “We have so much confidence. We have the pedal to the metal.” Hot areas of innovation include real-time communications, reading and annotation, collaboration, business applications, integration, mobility, and business intelligence.
Doug Barney is editor in chief of Redmond magazine and the VP, editorial director of Redmond Media Group.