You Call This Trustworthy Computing? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications
07:25 PM
John Foley
John Foley
Connect Directly

You Call This Trustworthy Computing?

Three years into Microsoft's security initiative, the bugs keep coming

When Bill Gates takes the stage at the RSA conference in San Francisco this week, you can be sure he'll give an upbeat assessment of Windows security. The pending acquisition of security vendor Sybari Software Inc., disclosed last week, adds to a growing portfolio of products that promise to batten down Windows networks. And, as he's done in the past, Microsoft's chairman likely will detail other accomplishments and forward-looking plans that portray a company delivering on his 3-year-old promise to make Windows environments "trustworthy."

It's a compelling message, except for one unavoidable fact: The software patches just keep coming.

Microsoft last week issued a dozen security bulletins addressing 17 software vulnerabilities, tantamount to a shotgun blast of holes through the company's product line. Nine bulletins, many graded "critical" in importance, affect various versions of Windows. Others address problems with Microsoft's .Net Framework, SharePoint Services, Windows Media Player, MSN Messenger, Internet Explorer, and Office suite.

Even Microsoft's most-secure operating system, Windows XP Service Pack 2, wasn't immune: More than half the bulletins involve SP2. To repair all the vulnerabilities in all affected products would require more than 60 patches on English-language computers alone. "It's an almost endless list," says Kyle Ohme, director of IT with, a Web-site operator that uses about four dozen Windows servers, some of which are IBM blade servers, to offer screen savers to millions of users each day.

By Microsoft's own account, the vulnerabilities leave its software open to everything from buffer overruns to remote code execution. Just one day after Microsoft posted the patches, someone released exploit code to attack one of the vulnerabilities. "If we don't patch, we definitely have the ability to be exploited relatively soon," Ohme says.

So Ohme and many IT professionals like him were busy last week assessing, downloading, testing, and deploying Microsoft's latest round of patches across their IT infrastructures. It's a process that can take days or even weeks.

"For us, and the resources we have, it could [have been] a daunting task to get all of those patches to all of our systems quickly enough," says Daniel Hereford, data-security officer with First Bank and Trust Co. In January, the bank began using a service from Qualys Inc. to locate vulnerabilities and ensure that they're fixed, and now it reacts more quickly to Microsoft's monthly security bulletins. "Ninety percent of our software-security issues are centered around Windows," Hereford says.

Despite all the work involved, it's an improvement compared with Windows security three years ago. In January 2002, following the Code Red and Nimda virus attacks that hit many Microsoft customers hard, Gates made "trustworthy computing" the company's top priority. Since then, Microsoft has trained its programmers to write more-secure code, established a predictable patch schedule, released more-secure operating systems (Windows Server 2003 and Windows XP), and acquired security products from other companies to fill gaps in its own line. "They've taken the right initiatives," Hereford says.

There's still much more to do, as last week's bug blast and Sybari acquisition demonstrate. Key missing pieces are Windows Update Services and Microsoft Update, both of which promise to help companies roll out patches more quickly to Windows and other Microsoft products. Windows Update Services, which has been delayed twice, is in testing now and scheduled for availability by midyear.

And, while Microsoft has acquired a variety of security companies and products over the past two years--including GeCAD Software (antivirus), Giant Company Software (spyware detection), and Pelican Software (behavior-based security)--it hasn't shown how or when all the pieces will fit together.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Flash Poll