Security a work in progress for Microsoft

Two years after Chairman Bill Gates called on Microsoft to redouble its efforts to secure its software, the company is beginning to make progress, according to customers--but much work remains.

In January 2002, Gates launched a program called "Trustworthy Computing," designed to focus Microsoft employees on building better security into products and on improving customer response. The software maker halted production to review code, delayed shipments and retooled its development process as a result.

Now, though Microsoft is touting the large number of changes it has made in its approach to security as a measure of its success, the most telling pieces of evidence may be the numbers.

Six months after the release of the Windows 2000 operating system, Microsoft had warned of system flaws in 32 security advisories; 21 vulnerabilities were gauged to be critical. Yet six months after Microsoft released Windows Server 2003, the successor to Windows 2000, after extensive code reviews, the number of flaws had shrunk to 14, with only 6 critical issues.

"Customers are better off today than they were a year ago, and they will be even better off in the future," said Kevin Kean, a group manager at Microsoft's Security Response Center.

Some Microsoft customers CNET News.com contacted agree that the latest products show signs of improvement. But they note that the changes haven't been fully extended to products the software giant launched before the initiative, which make up the bulk of installations.

"The problem is, there is still a wide base of products," said Joe Peloquin, an information systems administrator for a large retail chain. "The new code is a step in the right direction...but I don't think they are doing enough to secure the stuff that is already out there."

Other customers agreed and said that since the initiative's launch, Microsoft has done a better job of providing the tools they need to keep their systems up and running. The initiative "has given us some tools that are more useful for software monitoring," said Joe Brunner, an MIS manager at Sleepeck Printing in Bellwood, Ill.

"Security has overshadowed things at the moment," Brunner said. "Microsoft continues to make that effort a priority. But this won't be solved in a week or with a single press announcement."

Four pillars of trust
Security is only one of the four pieces of the Trustworthy Computing initiative, but it's arguably the most visible. Microsoft's efforts in the three other areas--privacy, reliability and business integrity--haven't been as evident or controversial as its moves in the security world. Computer worms such as MSBlast and Microsoft SQL Slammer spotlight the company's failings in the high-wattage glow of Internet meltdowns.

While Slammer affected a product that had been developed prior to the Trustworthy Computing push, MSBlast--also called Blaster--exploited errors missed by the Microsoft reviews.

"Blaster is certainly an indictment, to some extent," said Stephen O'Grady, an analyst at research firm Red Monk. "If I was working for (the Trustworthy Computing group), that is something that would keep me up at night."

Such incidents, Microsoft executives admitted, have resulted in businesses holding off buying new products and, instead, patching their existing infrastructure. Initial signs of that sort of backlash prompted Gates to launch the initiative.

"Today, in the developed world, we do not worry about electricity and water services being available," Gates wrote in the memo sent to Microsoft employees and customers two years ago. "With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this."

In the past year, Microsoft has released three products--Windows Server 2003, Windows Office 2003 and Exchange Server 2003--that have benefited from renewed focus on security. Other products now in development, such as a planned update to Microsoft's SQL Server database, code-named Yukon, are being constantly reviewed as they are built to make sure that security is up to snuff.

However, with many older--and less secure--versions of Windows and other Microsoft products still on the market, the software giant has also had to focus on helping customers reduce their risk.

The company has released tools to help information technology professionals lock down their networks and has published extensive white papers that detail how its employees can secure its own computers. In addition, it has attempted to educate consumers through its "Protect Your PC" campaign and has urged them to turn on the basic firewall protection available with Windows XP and to regularly update operating systems and antivirus definitions.

"There is an order of magnitude--more people using Automatic Update and downloading patches," Microsoft's Kean said.

Microsoft does make patches available more quickly than in previous years, said Mitchell Rubin, president of Lynx Consulting Group in Springfield, Penn., which specializes in Windows-based systems. But the process needs to be streamlined. "It's still difficult to figure out which patch to download, and you have to go to multiple places to do updates for Windows and Office," he said. Microsoft has said it is working on a revamped patch management system, which is expected to debut in the spring.

In addition, the company is planning extensive security modifications to Windows XP as part of the second service pack that Microsoft plans to release for the operating system by summer this year.

Microsoft milestone
Rubin said that overall, the Trustworthy Computing push has been a milestone for Microsoft. "They have improved a lot, especially in the last year. They launched the initiative two years ago but took six-to-nine months to sort things out. In some senses, Microsoft has too many products, so that makes it harder."

As a result of the initiative, Microsoft has also changed how it handles security advisories, which it issues to alert customers about security problems and the severity of these.

Rather than releasing advisories every two or three weeks, the company now publishes the notifications once a month. It has also turned up the pressure on the underground programmers that create worms and viruses by offering a bounty on the people or groups who released the Sobig.F virus and the MSBlast worm.

Moreover, some of the bug finders that have been the bane of Microsoft's public image for years are starting to take a softer stance toward the company, encouraged by greater cooperation from the company's security groups.

"They are acting more responsibly," said Thor Larholm, a senior security researcher for security firm PivX Solutions and a frequent finder of bugs in Microsoft's products. "The have lived up to the spirit of Trustworthy Computing, even if they still have problems."

Yet some security experts wonder if Microsoft's flurry of activity actually indicates progress.

"There is a lot of action but not necessarily a lot of results," said Bruce Schneier, the chief technology officer at Counterpane Internet Security and the author of "Beyond Fear: Thinking Sensibly about Security in an Uncertain World." Schneier is also one of seven security experts who penned a report warning that Microsoft's dominance in the IT market carries a risk of catastrophic failure.

The risks to the IT infrastructure have even Microsoft's competitors hoping that the company gets it right.

"On the macro level, you want every vendor to do a better job of security," said Mary Ann Davidson, the chief security officer at database maker Oracle.

Davidson sees Microsoft's focus on security, paired with the fact that the company admits to losing sales because of security issues, as proof that customers can demand better products. "You have the moral liability to your customers--they bet their business on your software," she said. "They expect it not to break, and they should get that."

For its part, Microsoft is repeating a mantra of a year ago: Patience--security is a journey.

"You can't turn around the infrastructure in 24 months," said Scott Charney, a Microsoft security strategist who has repeatedly likened the initiative to NASA's 10-year march to the moon.

"You need better education, you need better tools, better technology," he said. "Are we committed to providing those things? Yes. Are we making progress? Yes. But are we anywhere near done? No."

Analyst O'Grady said he'd give Microsoft "improved marks." "But are they where they need to be? No, they are not. The numbers indicate that they are at least taking it seriously."

CNET News.com's Mike Ricciuti contributed to this report.