Microsoft once again is discussing plans to overhaul its security just as the company has released five patches for seven newly discovered vulnerabilities in Windows desktop and server software.
Microsoft issued the patches for a range of Windows systems that could be compromised as a result of the vulnerabilities — five of which were rated critical because they could provide attackers with direct access to computers via HTML e-mail or via malware, such as the Blaster worm that hit half a million machines last August.
As the volume of vulnerabilities and patches increases, the Redmond, Washington-based company repeatedly has said it is taking distinct steps to secure its flagship operating system: moving to a monthly patch schedule except for critical vulnerabilities; updating Windows XP to secure memory and force firewall use; and providing a site for users to find out more about protection.
But Microsoft’s commitment to security is something an attack-rattled industry has heard before, Forrester analyst Jan Sundgren told TechNewsWorld. “These are not huge steps. It’s not that dramatic, but it’s still steady progress.”
Locking Windows
Speaking at a conference in New Orleans, Louisiana, this week, Microsoft chief executive Steve Ballmer announced the company’s next service pack for Windows XP will include more secured memory to ward off buffer overrun exploits, which have plagued Windows and other software.
With the XP update, due in the first half of next year, Microsoft also will turn on the operating system software’s built-in firewall, which was not necessarily on by default before.
Microsoft spokesperson Sean Sundwall told TechNewsWorld that some of the measures — such as a protection site where Microsoft recommends firewall, computer updates and up-to-date antivirus software — are already under way.
Other measures, including the Windows XP service pack, will not be put in place until next year, Sundwall said.
Security Echo
Analysts agreed that Microsoft continues to improve its security practices, but the flow of vulnerabilities and patches seems to be increasing as much as Microsoft’s security talk.
“They definitely need to improve security,” Sundgren said. “Most importantly, they need to reduce the number of vulnerabilities that are emerging in their software. The problem is, there’s so much legacy code, it takes time to find the vulnerabilities.”
In response to criticisms that Microsoft’s security speeches have been nearly as numerous as security holes in its products, Sundwall told TechNewsWorld, “Yes, we’ve said we are committed to security before, and we have been; as security takes different twists and turns, we adapt to that and make changes.”
Long Haul
Analysts agreed that while Microsoft is making improvements to its software security, it will take time for the measures to slow down the bad guys.
Gartner research vice president Richard Stiennon told TechNewsWorld that Microsoft has improved security by “finally” shipping products without open ports and services that unnecessarily expose users to attack.
Sundgren referred to the software maker’s efforts with developers, which he said is one of the security measures that is well under way.
“I think they have trained their developers to be more security-minded, and that’s an important part of their strategy,” Sundgren said. “The impact is not going to be dramatic and instant, though. It will occur over time, and it will be harder [for attackers] to find those vulnerabilities.”