Security Watch

Microsoft Brings the November Pain

November just gets patchier and patchier. Plus: Exchange 2010 gets a security component; vendors tackle absentee security; more.

On top of preparing for today's patch rollout, security pros have another Microsoft security issue to contend with: Last week, Redmond issued an update to an Internet Explorer patch it released in October.

The update is a response to customer complaints that IE 8 was performing sluggishly or crashing outright after installation of the October security patch.

If that's not enough to consider, the six patches Microsoft rolled out today address 15 vulnerabilities -- no small number. Also, the number of patches continues to grow for an otherwise "light" month, considering the Veterans Day and Thanksgiving holidays: The November 2008 and 2007 rollouts only had a combined four patches.

Exchange 2010 Gets Security Component
Microsoft started off the week by launching Forefront Protection 2010 for Exchange at Tech-Ed Europe.

"It's a built-in versus bolted-on approach," said J.G. Chirapurath, Microsoft's senior director for identity and security, in a phone interview discussing the product launch. "Of course, it's a free world and you have free choice. If a customer has a basic built-in, you can choose Microsoft or you can use a competitor to protect the Exchange service."

Either way, Chirapurath said there's tremendous pressure on IT orgs to harness a secure messaging experience with so many different messaging components (e-mail, instant messaging, Internet protocol and telephony, and so on).

"People within an organization have the expectation that IT is there to protect you," he said. "But the IT department knows that there are a lot of areas to cover. We think this is a step in the right direction."

Absentee Security?
Mobile offices and remote access are becoming more and more pervasive in many enterprise environments where cost-cutting and lower overhead have become a necessity.

Much has also been made of potential large-scale office absences due to H1N1 scares, sudden layoffs and -- with the holidays coming up -- vacation time for key personnel whose automatic response messages usually read, "Limited access to voicemail and e-mail."

Translation: They're gone and, sometimes, so is access to key information.

Microsoft and other third-party security firms such as ActivIdentity are looking at ways to ensure business continuity while maintaining security in a Windows enterprise environment. (And by "business continuity," they mean as it relates to missing cogs that are hard to find outside of a centralized location, not as it relates to disaster response.)

"Lighter-weight [and] strong authentication methods...can provide the appropriate level of security for temporary remote access while keeping costs in check," said David Berman, senior solutions marketing manager for ActivIdentity.

Microsoft Pushes Agile
According to a recent Microsoft report, worms and trojans remain omnipresent threats. So why not embed security commands into software as it's being developed?

At least, that's what the folks at Redmond have been thinking. They've been fervently pushing the Security Development Lifecycle (SDL) framework to channel partners, developers, and Windows IT generalists and enthusiasts.

The latest component to the strategy is agile security guidelines, which deal with Web-based applications and address potential browser threats. Agile mostly focuses on code development called "sprints," which are for more temporary Web applications but can nonetheless protect against worms and malicious software.

Microsoft contends that while agile is mostly for one-time tasks, with each sprint it can also be applied to so-called "bucket" tasks, which are also one-off development projects that may need to be repeated over a period of time.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

