10 October 2003

Microsoft CEO Steve Ballmer has made a new series of pledges to improve the security of Microsoft products and improve its patching processes.
The promises were made at the company’s first Worldwide Partner Conference in New Orleans, Louisiana. Microsoft’s efforts will focus on three main areas: improving Microsoft’s poor record on patching software flaws; better educating users about security; and improving the security features of Windows XP and Windows 2003, the company’s main operating system platforms.
“Our goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks,” said Ballmer.
First, the company plans to move to a monthly patch release schedule to cut down on the random scatter-gun of patches currently issued by Microsoft. Unless a flaw needs to be fixed immediately for security reasons, Microsoft will wait until the end of the month to roll it up with other updates before releasing it, said Amy Carroll, director of product management at Microsoft’s security business unit.
She admitted: “There is some evidence that deploying a patch is what prompts the release of exploit code”.
As part of the initiative to ease the patch process, Microsoft intends to reduce the size of patches by one-third and cut the number of times a user needs to reboot their systems when they apply the patches — something Linux users do not need to do.
In addition, the company will reduce the number of patching systems from eight to two and continue support for Windows NT 4 running on Service Pack 6a and Windows 2000 running on Service Pack 2. It had earlier said that support for these two systems would be discontinued.
Microsoft’s Windows operating systems, particularly those for home users, would also be tightened up. The built-in firewall in Windows XP — called Internet Connection Firewall — would be switched on by default.
At the moment, it is switched off by default and often does not work well with other applications. Some applications even have to switch it off in order to be able to work, exposing the user to some risk.
At the same time, the risk of security attacks via the Internet Explorer web browser will be reduced by a revamp of its ‘security zones’.