Feeds

Ballmer's new MS security fix – same patches, but ‘nicer’

New regime strangely similar to old regime...

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

A few weeks ago Microsoft appeared to be tacitly conceding that, in the face of repeated and damaging attacks, the 'patch and patch again' approach to security was a busted flush, and that 'securing the perimeter' was the way to go. But how do you get there from here? It's hard, so it's not exactly surprising that the most immediate meat of the company's "new security inititatives" put forward today is, er, patch management.

The manifesto was nailed to the door by Microsoft president Steve Ballmer today at the company's Worldwide Partner Conference in New Orleans, and comes in three broad categories (we quote):

- Improved patch management processes, policies and technologies to help customers stay up to date and secure
- Global education programs to provide better guidance and tools for securing systems
- Updates to Microsoft Windows XP and Windows Server 2003 with new safety technologies that will make Windows more resistant to attack even if patches do not yet exist or have not been installed

Feel free to be as unimpressed by the middle one as we are - if they don't know already, they ain't going to learn, so this is largely a 'be seen to be doing something' play. But you can read more here, and the full transcript of Steve's speech will no doubt be up shortly.

Also on that page you'll see the subhead "Improving the Patch Experience", which sounds something of a kamikaze mission. This however is intended to make patch management easier, to introduce "new processes for patch distribution" and to include a move over to monthly patch releases. So, the need to patch still exists (well, obviously, given that the holes will keep appearing for the foreseeable future), but Microsoft will get its act together better on management.

It entirely escapes us how you do that. Granted, Microsoft's update systems are not exactly stellar, and have plenty scope for improvement. However, worms do not keep to regular monthly schedules, people will get very angry if you do not deal with them now, which means you have to rush out patches, some of which turn out not to work or to break things worse, which means... status quo ante? In the business market Microsoft will be releasing Software Update Services 2.0 in H1 2004, providing a "seamless patch, scanning and installation experience for Windows, SQL Server, Office, Exchange Server and Visio," but that doesn't help the rest of us.

We suspect that the deep structure meat of the new approach to patch management, what maybe makes it not the same as the old approach, is that we'll see the switch over to auto updating by default that Microsoft trailed earlier this year, so all of the crap still happens, but with a bit of luck you don't notice because it's going on in the background. But yes, in summary, what we appear to have here is first, patching doesn't work, we've got to do something else; second, but we can't do something else immediately, so; third, we've got to keep patching while we sort out the something else but; fourth, we'll try to make patching hurt less, OK?

Onwards to something else, part one. Ballmer speaks of security updates for Windows XP and Server 2003 due in the first half of 2004 in SP2 for XP, and "subsequently" in SP1 for Server 2003. Ballmer says approximately what these are intended to do, but not how they do it. They are "designed to enable customers to more effectively protect their computers and systems from malicious attacks even if patches do not yet exist or have not yet been installed" and will "focus on protections against the four types of attacks that constitute the largest percentage of threats: port-based attacks, e-mail attacks, malicious Web content and buffer overruns."

You will note that how they do these things, how effectively, resiliently, and with what effect on the system, are topics that will bear investigation in the coming months.

Alongside Ballmer's announcements, which seem to us to fall largely in the firefighting department, Microsoft also trotted out one of these sad cases of the company interviewing itself, in this case allowing Security Business Unit VP Mike Nash to answer all the questions he'd prefer journalists to ask. The gist of this is that he stresses the "key role" Microsoft's partners play in the new security inititatives, but note that the examples he gives are heavily slewed towards security in medium to large business, and there's no word here about "securing the perimeter" either.

Paula Rooney of CRN does however seem to have induced senior VP Bob Muglia to talk about it during an interview. Asked if the securing the perimeter inititative was "just marketecture," Muglia responded, "You need to have multiple levels of security... It's like a gated community. You need additional levels of security, doors locked and alarms turned on, and additional defenses--countermeasures, such as putting up a fence--to be protected. A year from now you'll see additional countermeasures in place, as well as better firewalls."

Sounds depressingly like a 'yes' to us. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.