Microsoft uncovers new patching plan

Microsoft will focus on adding new security technologies to its products, educating its customers and improving its process of releasing patches, chief executive Steve Ballmer pledged on Thursday.

In the most significant security announcement since chairman Bill Gates unveiled the software giant's Trustworthy Computing Initiative, Ballmer told attendees during a keynote address at the software giant's first Worldwide Partner Conference in New Orleans that Microsoft will redouble its efforts to secure its users.

"Our goal is simple: get our customers secure and keep them secure," Ballmer said in a statement. "Our commitment is to protect our customers from the growing wave of criminal attacks."

The pledge comes as Microsoft is trying to recover from the attacks of online vandals and critics. In August and September, the MSBlast worm probably infected more than a million computers that run Microsoft Windows.

The SoBig.F email virus also spread widely during those months, compromising many more systems. Such incidents were used to support a position paper seven well-respected security researchers wrote, which the Computer and Communications Industry Association, a noted Microsoft critic, released on 24 September.

And a lawsuit that charges Microsoft with making computer users' personal data vulnerable was filed against the company a week ago, on behalf of a victim of identity fraud.

Microsoft said it will focus on initiatives in three areas: improving its system of patching its software products; adding and improving security technologies to Windows XP and 2003; and educating customers.

A major change for system administrators bogged down by a to-do list of patches to apply to Windows computers is the software giant's move to a monthly patch release schedule. Microsoft will immediately start to release software updates once a month, unless the security flaw needs to be fixed immediately in order to help customers avoid an attack, said Amy Carroll, director of product management in Microsoft's security business unit.

"One of the things that we have heard from our customers is that deploying patches on a weekly basis is too difficult," she said. "There is some anecdotal evidence that deploying a patch is what prompts the release of exploit code."

The software giant also plans to shrink the size of patches by up to 30 percent by next May and reduce the number of updates that require the user to reboot the system. Microsoft will also reduce the number of patching systems for its product lines to two. The company has also pledged to continue support for users of Windows NT4 service pack 6a and Windows 2000 service pack 2, both of which are products for which the company had previously halted support.

Building on set base

Microsoft will focus on modifying and adding to the security measures it has already taken for its current products, Carroll said.

PC and network protection measures such as the Internet Connection Firewall will be turned on by default and will be designed to work better with other applications. Executable file filtering, which is a measure that protects Outlook users from attachments that could carry viruses and Trojan horse programs, will be expanded to other Microsoft products. Internet Explorer's system of security zones will be revamped to better protect users. And better defences against memory flaws will be erected in the software development process and, potentially, in hardware.

"The areas that we are focusing on represent the four main vectors of attacks that we have seen," Carroll said.

The company also plans to further educate its customers in hopes that it can help them become more secure, she said. Monthly Webcasts will be published on the company's site to train customers in good security practices, and the company will use itself -- in a series called "How Microsoft secures Microsoft" -- as an example to teach system administrators ways to secure their systems.

"We have the goal of, by the end of 2004, that we have trained to some extent 500,000 customers," Carroll said.

Security company Symantec fully supports the Microsoft initiatives, the company stated in a release, despite indications that Microsoft might move into the antivirus software market. In June, the software giant bought Romania-based antivirus firm GeCad.

However, Symantec pointed to a recent report its researchers released as reason enough to support Microsoft's initiatives. The report indicated that attackers were quickly taking advantage of new software security holes.

"Now, more than ever, computer users need to take proper steps to protect themselves from online threats," Janice Chaffin, chief marketing officer at Symantec, said in a statement.

Microsoft plans to provide more details in the future and will continue to modify its security practices until it finds the right recipe, said Neil Charney, director of product management for Microsoft's Windows client group.

"What we learned from customers is that it is not an easy process to secure their systems," he said. "The impetus (behind these changes) is the recognition that there is still work to be done."

Talkback

There is always a new security plan or scheme for Microsoft - "all mouth". It is now the kind of publicity that has become a great deal more than irritating.

Though they give grandiose names to these new schemes, they seem intent on breaking fundamental security principles at every turn while blaming the crackers for all their woes. A bit like going on holiday to a well documented and advertised mosquito infested swamp only to come back blaming mosquitoes for your malaria.

Everything now shall be thrown in to the kernel, browser & all, and in that manner the kernel shall become everything. Much like giving every cracker a master key to all the doors of a city. This is not the type of design that anyone in their right minds should dream of using for systems outside of the realms of real time operations, embedded operations (caution!), or of single task servers (caution!).

I, like many, grow tired of Microsoft and their sterile hype....

via Facebook 10 October, 2003 10:07