You Call This Trustworthy Computing? - InformationWeek

2/11/2005
07:25 PM
John Foley

You Call This Trustworthy Computing?

Three years into Microsoft's security initiative, the bugs keep coming

When Bill Gates takes the stage at the RSA conference in San Francisco this week, you can be sure he'll give an upbeat assessment of Windows security. The pending acquisition of security vendor Sybari Software Inc., disclosed last week, adds to a growing portfolio of products that promise to batten down Windows networks. And, as he's done in the past, Microsoft's chairman likely will detail other accomplishments and forward-looking plans that portray a company delivering on his 3-year-old promise to make Windows environments "trustworthy."

It's a compelling message, except for one unavoidable fact: The software patches just keep coming.

Microsoft last week issued a dozen security bulletins addressing 17 software vulnerabilities, tantamount to a shotgun blast of holes through the company's product line. Nine bulletins, many graded "critical" in importance, affect various versions of Windows. Others address problems with Microsoft's .Net Framework, SharePoint Services, Windows Media Player, MSN Messenger, Internet Explorer, and Office suite.

Even Microsoft's most-secure operating system, Windows XP Service Pack 2, wasn't immune: More than half the bulletins involve SP2. To repair all the vulnerabilities in all affected products would require more than 60 patches on English-language computers alone. "It's an almost endless list," says Kyle Ohme, director of IT with Freeze.com, a Web-site operator that uses about four dozen Windows servers, some of which are IBM blade servers, to offer screen savers to millions of users each day.

By Microsoft's own account, the vulnerabilities leave its software open to everything from buffer overruns to remote code execution. Just one day after Microsoft posted the patches, someone released exploit code to attack one of the vulnerabilities. "If we don't patch, we definitely have the ability to be exploited relatively soon," Ohme says.

So Ohme and many IT professionals like him were busy last week assessing, downloading, testing, and deploying Microsoft's latest round of patches across their IT infrastructures. It's a process that can take days or even weeks.

"For us, and the resources we have, it could [have been] a daunting task to get all of those patches to all of our systems quickly enough," says Daniel Hereford, data-security officer with First Bank and Trust Co. In January, the bank began using a service from Qualys Inc. to locate vulnerabilities and ensure that they're fixed, and now it reacts more quickly to Microsoft's monthly security bulletins. "Ninety percent of our software-security issues are centered around Windows," Hereford says.

Despite all the work involved, it's an improvement compared with Windows security three years ago. In January 2002, following the Code Red and Nimda virus attacks that hit many Microsoft customers hard, Gates made "trustworthy computing" the company's top priority. Since then, Microsoft has trained its programmers to write more-secure code, established a predictable patch schedule, released more-secure operating systems (Windows Server 2003 and Windows XP), and acquired security products from other companies to fill gaps in its own line. "They've taken the right initiatives," Hereford says.

There's still much more to do, as last week's bug blast and Sybari acquisition demonstrate. Key missing pieces are Windows Update Services and Microsoft Update, both of which promise to help companies roll out patches more quickly to Windows and other Microsoft products. Windows Update Services, which has been delayed twice, is in testing now and scheduled for availability by midyear.

And, while Microsoft has acquired a variety of security companies and products over the past two years--including GeCAD Software (antivirus), Giant Company Software (spyware detection), and Pelican Software (behavior-based security)--it hasn't shown how or when all the pieces will fit together.
