Microsoft Says Security Efforts Showing Fruit - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
9/20/2005
03:19 PM
50%
50%

Microsoft Says Security Efforts Showing Fruit

Microsoft's chief security executive says the company is keeping pace with faster-on-their-feet attackers.

Microsoft's chief security executive on Tuesday claimed that the company was keeping pace with faster-on-their-feet attackers as threats continue to shift toward hacking for profit rather than notoriety.

"Attackers are getting more efficient," said Mike Nash, vice president for Microsoft's security business unit. "Where once there were 17 days between the disclosure of a vulnerability and the release of an exploit, with Zotob, it was just three-and-a-half days.

"But Microsoft is also getting faster," said Nash. "We had Windows Malicious Software Removal Tool updated for Zotob in just hours."

Nash's claim that Microsoft's picking up the pace isn't always backed by independent third parties. According to eEye Digital Security, for example, which tracks the vulnerabilities it's submitted to Microsoft and logs the days it takes the Redmond, Wash.-based developer to produce a patch, Microsoft burned an average of 132 days to come up with a fix for an eEye-uncovered bug.

During a Q&A part of the monthly Security 360 Webcast that Nash hosted Tuesday, a Microsoft spokesperson responded to a TechWeb query about the long time-to-patch by saying that "creating security updates that effectively fix vulnerabilities is an extensive process.

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages." Nash also boasted that overall security is improving on the Windows platform, and again claimed that since Windows XP SP2 was released in 2004, the number of security bulletins Microsoft's released has dropped significantly. "The good news is that the industry has made great strides in its efforts to combat and prevent malicious software attacks," said Nash.

By Symantec's reckoning, however, security has not noticeably improved.

The number of viruses and worms targeting Windows, for example, ballooned by 48 percent in the first half of 2005, compared to the last six months of 2004, Symantec said in its semi-annual Internet Security Threat Report. And the number of vulnerabilities industry wide -- not Microsoft's specifically -- reached an all-time high of 1,862, a 31 percent surge over 2004's second half and 25 percent more than the previous record of the first half of 2003.

During Nash's presentation -- which included interviews with Microsoft employees, industry analysts, and officials from security firms -- there was also much talk about how malicious code campaigns have changed, a trend analyzed by virtually every security vendor or consultant this year and last.

"Malicious code writing is a business now," said Natalie Lambert, analyst at Forrester Research.

According to Symantec's report, that's true, and in spades.

"Financially-motivated attacks have reached an unprecedented rate," said Oliver Friedrichs, senior manager of Symantec's security response research team. "There's an entirely new economy focused on the bartering and purchasing of confidential information. And with the higher stakes, we're seeing professional caliber efforts going into today's threats."

Nash also laid out a checklist of best practices and touted such Microsoft products as its anti-spyware and still-in-beta OneCare, a security and anti-virus service that has yet to be priced by the company.

He also recommended that enterprise managers tune into his monthly hour-long Webcasts. "One of the most important defenses against malicious software is keeping informed and vigilant," he concluded.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Slideshows
10 RPA Vendors to Watch
Jessica Davis, Senior Editor, Enterprise Apps,  8/20/2019
Commentary
Enterprise Guide to Digital Transformation
Cathleen Gagne, Managing Editor, InformationWeek,  8/13/2019
Slideshows
IT Careers: How to Get a Job as a Site Reliability Engineer
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/31/2019
Register for InformationWeek Newsletters
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll