Facing tough questions about the direction of its heavily used and heavily targeted Windows platform, Microsoft acknowledged it has work ahead to build more effective software-management capabilities into its products while at the same time ridding those products of the vulnerabilities that continue to open the door to attacks.
Alongside pronouncements this week from executives — including CEO Steve Ballmer — on Microsoft’s renewed dedication to manageability and security, the company announced it had to revise some of the monthly patch updates that were meant to simplify the patching process.
Despite these apparent setbacks, Microsoft has won some measure of praise for improving its development process and for dealing with the onslaught of security holes in its software.
“They’ve taken significant and serious steps,” Forrester analyst Jan Sundgren told TechNewsWorld, referring to both future and present benefits from the Redmond, Washington-based software company’s initiatives. “There could be more vulnerabilities if Microsoft didn’t go through all of this.”
When asked about Microsoft’s reputation for releasing software that has not been designed with application management in mind (a capability that is a key component of the company’s .NET Web services initiative), Ballmer agreed that Microsoft must begin to fold management into its software from the start.
Speaking at the Gartner Symposium in Lake Buena Vista, Florida, Ballmer admitted that Microsoft’s emphasis on building features into its applications has made managing those applications difficult.
Gartner research vice president Richard Stiennon told TechNewsWorld that Microsoft tends to build in unnecessary features that increase complexity and often weaken security.
“They are convinced internally when they build in functionalities that the rest of the world needs those too, yet many [people] don’t,” Stiennon said. He cited Microsoft’s use of Visual Basic functionality in e-mail software that paved the way for early virus and worm outbreaks and has since been “totally turned off, finally.”
Security Song and Dance
Ballmer also referred this week to increased security efforts, telling symposium attendees that Microsoft is at least as secure as open-source software, including rival operating system Linux.
Ballmer, who recently likened Microsoft’s focus on security to the software giant’s eventual embrace of the Internet in 1995, said he hopes and believes that 2004 will be marked by fewer security issues in Microsoft products than this year, which brought the Slammer, Blaster, SoBig and other worms designed to exploit vulnerabilities in the company’s systems.
“Some of those are long-term goals,” Microsoft security program manager Stephen Toulouse told TechNewsWorld. “Software is made by humans and it will have errors in it, but I think, in the long term, it is realistic to say we’ll work toward these goals.”
Patching Up Procedure
One of Microsoft’s more immediate security response moves has been to issue monthly vulnerability and patch updates — except when critical holes require more immediate measures. However, the first monthly update, released last week, required two major revisions for Microsoft’s Windows operating system and the company’s Exchange e-mail server.
Toulouse said the patches would not work with some foreign-language versions of the software or with other applications, such as antivirus and networking software. He indicated the issues highlight both the complexity of patching and Microsoft’s efforts to simplify it.
“After we release our patches, the investigation of security vulnerabilities doesn’t stop,” Toulouse said. “We are diligently working with support people so we can make sure they can install [patches].”
Better by the Worm
Forrester’s Sundgren said it is good that Microsoft has recognized the difficulties associated with patch management, a task that is increasingly being simplified by specialized software. “More companies will be using those tools,” Sundgren said.
Stiennon said Gartner views Microsoft’s security update move, which now means a scheduled release on the second Tuesday of every month, as helping corporations deal with patches. However, he added that waiting to release a patch for a known vulnerability also presents a risk, and that, unfortunately, security improvements are often driven primarily by threats that force action.
“They’re getting better with each worm,” Stiennon said of Microsoft’s patching process. “It’s very painful, but more people are up to date on their antivirus, and now a lot more are using firewalls.”