Feeds

Ballmer's new MS security fix – same patches, but ‘nicer’

New regime strangely similar to old regime...

  • alert
  • submit to reddit

Security for virtualized datacentres

A few weeks ago Microsoft appeared to be tacitly conceding that, in the face of repeated and damaging attacks, the 'patch and patch again' approach to security was a busted flush, and that 'securing the perimeter' was the way to go. But how do you get there from here? It's hard, so it's not exactly surprising that the most immediate meat of the company's "new security inititatives" put forward today is, er, patch management.

The manifesto was nailed to the door by Microsoft president Steve Ballmer today at the company's Worldwide Partner Conference in New Orleans, and comes in three broad categories (we quote):

- Improved patch management processes, policies and technologies to help customers stay up to date and secure
- Global education programs to provide better guidance and tools for securing systems
- Updates to Microsoft Windows XP and Windows Server 2003 with new safety technologies that will make Windows more resistant to attack even if patches do not yet exist or have not been installed

Feel free to be as unimpressed by the middle one as we are - if they don't know already, they ain't going to learn, so this is largely a 'be seen to be doing something' play. But you can read more here, and the full transcript of Steve's speech will no doubt be up shortly.

Also on that page you'll see the subhead "Improving the Patch Experience", which sounds something of a kamikaze mission. This however is intended to make patch management easier, to introduce "new processes for patch distribution" and to include a move over to monthly patch releases. So, the need to patch still exists (well, obviously, given that the holes will keep appearing for the foreseeable future), but Microsoft will get its act together better on management.

It entirely escapes us how you do that. Granted, Microsoft's update systems are not exactly stellar, and have plenty scope for improvement. However, worms do not keep to regular monthly schedules, people will get very angry if you do not deal with them now, which means you have to rush out patches, some of which turn out not to work or to break things worse, which means... status quo ante? In the business market Microsoft will be releasing Software Update Services 2.0 in H1 2004, providing a "seamless patch, scanning and installation experience for Windows, SQL Server, Office, Exchange Server and Visio," but that doesn't help the rest of us.

We suspect that the deep structure meat of the new approach to patch management, what maybe makes it not the same as the old approach, is that we'll see the switch over to auto updating by default that Microsoft trailed earlier this year, so all of the crap still happens, but with a bit of luck you don't notice because it's going on in the background. But yes, in summary, what we appear to have here is first, patching doesn't work, we've got to do something else; second, but we can't do something else immediately, so; third, we've got to keep patching while we sort out the something else but; fourth, we'll try to make patching hurt less, OK?

Onwards to something else, part one. Ballmer speaks of security updates for Windows XP and Server 2003 due in the first half of 2004 in SP2 for XP, and "subsequently" in SP1 for Server 2003. Ballmer says approximately what these are intended to do, but not how they do it. They are "designed to enable customers to more effectively protect their computers and systems from malicious attacks even if patches do not yet exist or have not yet been installed" and will "focus on protections against the four types of attacks that constitute the largest percentage of threats: port-based attacks, e-mail attacks, malicious Web content and buffer overruns."

You will note that how they do these things, how effectively, resiliently, and with what effect on the system, are topics that will bear investigation in the coming months.

Alongside Ballmer's announcements, which seem to us to fall largely in the firefighting department, Microsoft also trotted out one of these sad cases of the company interviewing itself, in this case allowing Security Business Unit VP Mike Nash to answer all the questions he'd prefer journalists to ask. The gist of this is that he stresses the "key role" Microsoft's partners play in the new security inititatives, but note that the examples he gives are heavily slewed towards security in medium to large business, and there's no word here about "securing the perimeter" either.

Paula Rooney of CRN does however seem to have induced senior VP Bob Muglia to talk about it during an interview. Asked if the securing the perimeter inititative was "just marketecture," Muglia responded, "You need to have multiple levels of security... It's like a gated community. You need additional levels of security, doors locked and alarms turned on, and additional defenses--countermeasures, such as putting up a fence--to be protected. A year from now you'll see additional countermeasures in place, as well as better firewalls."

Sounds depressingly like a 'yes' to us. ®

Website security in corporate America

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.