
Microsoft Security Exec Sees Improvements
2000-07-26 08:10

http://www.pcworld.com/pcwtoday/article/0,1510,17825,00.html

The company has taken several steps, including faster distribution of software patches, he says.

by Gary H. Anthes, Computerworld
July 25, 2000, 2:14 p.m. PT

The man who receives more complaints about the security of Microsoft software than anyone on the planet vowed Monday that the company's products are improving in quality and will continue to become more secure.

In particular, Whistler, the planned next version of Windows 2000 for business users as well as consumers, is expected to show the results of several security improvement initiatives that are now in the works at Microsoft when it becomes available next year, says Steve Lipner, manager of the company's Security Response Center. (See "Microsoft Beefs up Security Center.")

Lipner's comments at a security summit for officials from industry, government, and academia come in the wake of a series of disclosures about security holes in Microsoft's products. For example, Microsoft last week said it was working to fix potentially dangerous holes in both its Outlook e-mail software and its Internet Explorer browser. (See "Closing Another IE Security Hole.")

Lipner told attendees at the Cyber Security Summit in Pittsburgh, sponsored by Carnegie Mellon University's Institute for Survivable Systems, that the Microsoft response center typically receives 10 to 100 messages per day from users who are reporting security problems. "But recently, it's been closer to 100," he says. He adds, though, that the complaints often are about hacks that could have been prevented had users downloaded software patches published months--and sometimes years--earlier.

Asked about the future of Microsoft products, Lipner says, "Believe it or not, I see fewer vulnerabilities and problems ahead," attributing that to the work of external security researchers and Microsoft's own product developers.

A Failure Thus Far

Nonetheless, other speakers at the conference sounded a consistently pessimistic note about the escalating threats to computer security from viruses, denial-of-service attacks, and the like--and about the technology industry's failure to get on top of the problem thus far.

And without singling out any vendor, Mike Jacobs, deputy director of the National Security Agency, says users "need more secure and stable operating systems" in order to better protect themselves from malicious attackers. "It's in the realm of operating systems that the most troublesome problems exist," Jacobs says, noting that safeguards such as firewalls and encryption can fail if operating systems are flawed. But fully securing operating systems remains "an elusive goal," he added.

Tiger Team Attacks

In an interview Monday, Lipner outlined several steps taken by Microsoft that he said are already helping to improve the security of its products. Design and code reviews have been beefed up, as have the internal "tiger team" attacks that the company uses to mimic security attacks before it releases products, he said.

In addition, the .Net framework announced by Microsoft last month will introduce a layer of software on top of Windows that sets up a "sandbox" within which downloaded code must run. Lipner says it can block access to machine resources by malicious code, except as permitted by the user.

Lipner also promises faster distribution of software patches via a more automated process. But he discounted the popular notion that there will be, anytime soon, "benign viruses" that can roam through a system or network to sniff out and then fix security flaws.


News URL

http://www.pcworld.com/pcwtoday/article/0,1510,17825,00.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774