While Microsoft executives wouldn't go into detail regarding the security initiative, the software vendor is going to dramatically change the way it discloses software vulnerabilities in the near future. Amy Carroll, director of product management in Microsoft's security business unit, says the company will soon switch to monthly security bulletins and security updates instead of the current sporadic Wednesday evening announcements. The goal, she says, is to help customers better allocate their resources for security upgrades. However, if exploits or other risks concerning a security hole become apparent, Microsoft will decide on a case-by-case basis whether to publish an emergency patch, she adds.
The move comes after a summer of virus and worm attacks, such as Blaster and SoBig, that targeted vulnerabilities in Microsoft software. Customers have increasingly expressed concern over the constant treadmill of security updates.
Microsoft also is working on an improved patch-management platform. By early 2004, the company says, it will enhance the entire patch-management process, including improvements to Microsoft Software Update Services. "The idea is to make patch management as transparent to the user as possible," Carroll says.
While declining to provide specifics, Microsoft also plans to improve the firewall included with Windows XP and Windows 2000, and to ship operating systems with the firewall turned on by default--something it hopes will block many worm attacks even when customers haven't yet had time to install a patch. Microsoft also spelled out an aggressive outreach campaign to help home users and small and large businesses better secure their systems. "This will reach 500,000 customers and build awareness of simple steps they can take to improve their security today," Carroll says.
Gartner analyst John Pescatore says the security enhancements are a welcome step, but that many companies will be leery of relying on Microsoft for security. Says Pescatore, "Enterprises certainly won't jump on trusting Microsoft for enterprise security right off of the bat."