Feeds

Ballmer's new MS security fix – same patches, but ‘nicer’

New regime strangely similar to old regime...

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

A few weeks ago Microsoft appeared to be tacitly conceding that, in the face of repeated and damaging attacks, the 'patch and patch again' approach to security was a busted flush, and that 'securing the perimeter' was the way to go. But how do you get there from here? It's hard, so it's not exactly surprising that the most immediate meat of the company's "new security inititatives" put forward today is, er, patch management.

The manifesto was nailed to the door by Microsoft president Steve Ballmer today at the company's Worldwide Partner Conference in New Orleans, and comes in three broad categories (we quote):

- Improved patch management processes, policies and technologies to help customers stay up to date and secure
- Global education programs to provide better guidance and tools for securing systems
- Updates to Microsoft Windows XP and Windows Server 2003 with new safety technologies that will make Windows more resistant to attack even if patches do not yet exist or have not been installed

Feel free to be as unimpressed by the middle one as we are - if they don't know already, they ain't going to learn, so this is largely a 'be seen to be doing something' play. But you can read more here, and the full transcript of Steve's speech will no doubt be up shortly.

Also on that page you'll see the subhead "Improving the Patch Experience", which sounds something of a kamikaze mission. This however is intended to make patch management easier, to introduce "new processes for patch distribution" and to include a move over to monthly patch releases. So, the need to patch still exists (well, obviously, given that the holes will keep appearing for the foreseeable future), but Microsoft will get its act together better on management.

It entirely escapes us how you do that. Granted, Microsoft's update systems are not exactly stellar, and have plenty scope for improvement. However, worms do not keep to regular monthly schedules, people will get very angry if you do not deal with them now, which means you have to rush out patches, some of which turn out not to work or to break things worse, which means... status quo ante? In the business market Microsoft will be releasing Software Update Services 2.0 in H1 2004, providing a "seamless patch, scanning and installation experience for Windows, SQL Server, Office, Exchange Server and Visio," but that doesn't help the rest of us.

We suspect that the deep structure meat of the new approach to patch management, what maybe makes it not the same as the old approach, is that we'll see the switch over to auto updating by default that Microsoft trailed earlier this year, so all of the crap still happens, but with a bit of luck you don't notice because it's going on in the background. But yes, in summary, what we appear to have here is first, patching doesn't work, we've got to do something else; second, but we can't do something else immediately, so; third, we've got to keep patching while we sort out the something else but; fourth, we'll try to make patching hurt less, OK?

Onwards to something else, part one. Ballmer speaks of security updates for Windows XP and Server 2003 due in the first half of 2004 in SP2 for XP, and "subsequently" in SP1 for Server 2003. Ballmer says approximately what these are intended to do, but not how they do it. They are "designed to enable customers to more effectively protect their computers and systems from malicious attacks even if patches do not yet exist or have not yet been installed" and will "focus on protections against the four types of attacks that constitute the largest percentage of threats: port-based attacks, e-mail attacks, malicious Web content and buffer overruns."

You will note that how they do these things, how effectively, resiliently, and with what effect on the system, are topics that will bear investigation in the coming months.

Alongside Ballmer's announcements, which seem to us to fall largely in the firefighting department, Microsoft also trotted out one of these sad cases of the company interviewing itself, in this case allowing Security Business Unit VP Mike Nash to answer all the questions he'd prefer journalists to ask. The gist of this is that he stresses the "key role" Microsoft's partners play in the new security inititatives, but note that the examples he gives are heavily slewed towards security in medium to large business, and there's no word here about "securing the perimeter" either.

Paula Rooney of CRN does however seem to have induced senior VP Bob Muglia to talk about it during an interview. Asked if the securing the perimeter inititative was "just marketecture," Muglia responded, "You need to have multiple levels of security... It's like a gated community. You need additional levels of security, doors locked and alarms turned on, and additional defenses--countermeasures, such as putting up a fence--to be protected. A year from now you'll see additional countermeasures in place, as well as better firewalls."

Sounds depressingly like a 'yes' to us. ®

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
New Facebook phone app allows you to stalk your mates
Nearby Friends feature goes live in a few weeks
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.