You Call This Trustworthy Computing?

Three years into Microsoft's security initiative, the bugs keep coming
Microsoft security VP Mike Nash last week tried to clear up some of the confusion. During a Webcast to discuss the newly issued patches and the Sybari acquisition, Nash said Microsoft is "working hard" on desktop antivirus software that's based on the GeCAD antivirus scanning engine. That software will be tweaked to work with the Sybari products this year. The Sybari acquisition is expected to close by midyear, pending regulatory approval (see story, All For One: Microsoft Ups Its Security Software Tools).

Nash acknowledged it's important that customers be able to manage Microsoft's security tools together. "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and antivirus," he said. "We're currently working through specific requirements."

There appears to be a ready market for security products that come directly from Microsoft. Last month, the company released a test version of the Giant Software tool, now called Windows AntiSpyware, and it's already been downloaded more than 5 million times. The product will go through at least one more test before release, Nash says. However, there's a problem: Windows AntiSpyware itself has become the target of virus writers. Malicious code aimed at the product attempts to suppress warning messages it displays and to delete all files within the program's folder. "This is the beginning of a wave of attempts to undermine the effectiveness of this new product," predicts Gregg Mastoras, senior security analyst with security software company Sophos plc.

Microsoft officials insist things are moving in the right direction, pointing out that Windows Server 2003 has had half as many security bulletins as Windows 2000 Server over the same period, that the number of annual security bulletins is on a downward trend, and that there's a sharp increase in usage of its software-update services. Last week, the company released a test version of Windows Server 2003 Service Pack 1, which promises improved security. "We have made progress toward our goals," writes a company spokeswoman, "but there is still a lot of work to be done."

That includes delivering a more bulletproof version of Windows. "They still haven't shipped a desktop operating system that was designed and coded after they started caring about security," says Gartner analyst John Pescatore via E-mail. The next generation of Windows, code-named Longhorn, is due next year. Among other security advances, Longhorn is expected to minimize situations in which PC users have administrative privileges, a condition that leaves systems more open to attack.

Many customers credit Microsoft with making progress. "Microsoft is absolutely stepping up to the challenge," says Jason Stefanich, client-server engineering manager with Dow Corning Corp., where high-priority patches are usually completed within a day.

Even so, Dow Corning is using a product from Ardence Inc. that moves the operating system off desktop PCs and onto servers, in part to provide better security and more manageable updates. And while the manufacturer uses Windows XP to drive those PCs, it hasn't yet upgraded to Service Pack 2, which Microsoft bills as its most-secure desktop environment. "It breaks a lot of [applications]. We can't have 8,000 people calling our help desk with issues," Stefanich says. "Microsoft missed the boat with SP2."

So it goes. Microsoft customers are getting better at securing their Windows environments, partly because Microsoft is providing tools to help, but also through increased attention to internal processes, use of third-party products, and new tactics. Freeze has placed Windows' Internet Information Services, a favorite target of hackers, behind a firewall. Instead, its Windows-based Web servers run open-source Apache software.

No one is calling Windows security easy. "It's a big pain," says an IT manager with an East Coast manufacturing company who manages about 200 PCs. "It's not something we feel is under our control." The company is contemplating a move to Microsoft's Systems Management Server to automate software updates. How are those done now? Manually, one computer at a time.

Microsoft remains focused on making things better, says the spokeswoman. "Ultimately, what matters is not what we say, but what we do," she says. When Bill Gates talks this week, that's something to remember.

--With George V. Hulme and TechWeb's Gregg Keizer