Microsoft would like extend its Windows patch cycle from once a month to once every six months, but only after the company is confident its customers will remain safe between the updates.
George Stathakopoulos, director of Microsoft product security, told ZDNet UK sister site ZDNet Australia on Wednesday that his long term goal is to create an operating system that will never need patching. But he concedes that because software is so complex this is a virtual impossibility.
However, Stathakopoulos said that as Microsoft continues to rid Windows of bugs and improves its overall resilience, the company is hoping to extend the time between patches from the current monthly update to as much as six months between updates.
"I would prefer [it] if I never have to release another patch again. When it comes to six months -- this is a direction we may decide to go in at some point. Right now, we have to balance the risk of exposing our customers and the speed at which we can deliver a patch," said Stathakopoulos.
According to Stathakopoulos, extending the patch cycle is possible as Microsoft strengthens Windows defences. He believes SP2 is a step in the right direction because it brings greater resiliency to the Windows OS, which would mean an MSBlast-type attack on an SP2 system would not cause as much chaos because administrators would have more time to react.
"Take the RPC vulnerability -- that enabled the MSBlast worm. It was a buffer overrun and it scanned for other systems to infect. If you had a personal firewall, the vulnerability doesn't exist. Even if you take down the firewall, XP SP2 now has memory protection that filters buffer overruns.
"So if you had an XP SP2 machine with an MSBlast-like worm, you would still need to deploy the patch but it would be on your own schedule," said Stathakopoulos.
Microsoft hopes to build isolation and resiliency into more of its products, not just Windows, he said.
"We want to change the rules so even when a hacker can exploit a buffer overrun he can’t do anything material with it," said Stathakopoulos.
Neil Campbell, national security manager at Internet security specialists Dimension Data, welcomes Microsoft’s efforts at increasing the time between patches.
"Patching is time consuming and risky. It is important to patch but you want to minimise the number of times you want to patch throughout the year. Microsoft is definitely working towards reducing the number of times companies have to patch," said Campbell.
However, Campbell said AMD and Intel have improved their processor technology to aid Microsoft's cause by using hardware controls to defend against software flaws.
"If an application tries to write to a part of memory that it shouldn’t have access to, it will get stopped through a combination of software and hardware. This is a great catch-all for buffer overflows," said Campbell.
Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.
Talkback
Too little, too late.
It's still about adding stuff rather then a total redesign from scratch. Lots of promises (if you buy their future products) yet consistent bad results so far.
The front door (which most users look at) is made more solid (and thus less 'consumer friendly'). The back door (which 'the bad guys' look at) is mostly left open and unlocked. In other words: before you buy that dream house do check the ground it stands on as well as its surroundings for now and in the future (e.g.: in case someone has plans to build a 'high security' prison right next to your dream house two years from now).
Interesting to note that only after prolonged and great pressure on a global scale Microsoft is making some effort. With the history of IE in mind that brings up the question how much effort Microsoft will put in security once choice has been destroyed enough again to be of concern for them.
I'm sure that if an average employer would produce similiar results under similiar conditions the most logical thing to do would be to promote that employer to general director along with a huge salary increase. And ofcouse sack all the employees who've been working for the company, day in, day out, without complaint nor real issues at the same time. In short: rewarding promises rather then results.