Feeds

Ballmer's new MS security fix – same patches, but ‘nicer’

New regime strangely similar to old regime...

  • alert
  • submit to reddit

High performance access to file storage

A few weeks ago Microsoft appeared to be tacitly conceding that, in the face of repeated and damaging attacks, the 'patch and patch again' approach to security was a busted flush, and that 'securing the perimeter' was the way to go. But how do you get there from here? It's hard, so it's not exactly surprising that the most immediate meat of the company's "new security inititatives" put forward today is, er, patch management.

The manifesto was nailed to the door by Microsoft president Steve Ballmer today at the company's Worldwide Partner Conference in New Orleans, and comes in three broad categories (we quote):

- Improved patch management processes, policies and technologies to help customers stay up to date and secure
- Global education programs to provide better guidance and tools for securing systems
- Updates to Microsoft Windows XP and Windows Server 2003 with new safety technologies that will make Windows more resistant to attack even if patches do not yet exist or have not been installed

Feel free to be as unimpressed by the middle one as we are - if they don't know already, they ain't going to learn, so this is largely a 'be seen to be doing something' play. But you can read more here, and the full transcript of Steve's speech will no doubt be up shortly.

Also on that page you'll see the subhead "Improving the Patch Experience", which sounds something of a kamikaze mission. This however is intended to make patch management easier, to introduce "new processes for patch distribution" and to include a move over to monthly patch releases. So, the need to patch still exists (well, obviously, given that the holes will keep appearing for the foreseeable future), but Microsoft will get its act together better on management.

It entirely escapes us how you do that. Granted, Microsoft's update systems are not exactly stellar, and have plenty scope for improvement. However, worms do not keep to regular monthly schedules, people will get very angry if you do not deal with them now, which means you have to rush out patches, some of which turn out not to work or to break things worse, which means... status quo ante? In the business market Microsoft will be releasing Software Update Services 2.0 in H1 2004, providing a "seamless patch, scanning and installation experience for Windows, SQL Server, Office, Exchange Server and Visio," but that doesn't help the rest of us.

We suspect that the deep structure meat of the new approach to patch management, what maybe makes it not the same as the old approach, is that we'll see the switch over to auto updating by default that Microsoft trailed earlier this year, so all of the crap still happens, but with a bit of luck you don't notice because it's going on in the background. But yes, in summary, what we appear to have here is first, patching doesn't work, we've got to do something else; second, but we can't do something else immediately, so; third, we've got to keep patching while we sort out the something else but; fourth, we'll try to make patching hurt less, OK?

Onwards to something else, part one. Ballmer speaks of security updates for Windows XP and Server 2003 due in the first half of 2004 in SP2 for XP, and "subsequently" in SP1 for Server 2003. Ballmer says approximately what these are intended to do, but not how they do it. They are "designed to enable customers to more effectively protect their computers and systems from malicious attacks even if patches do not yet exist or have not yet been installed" and will "focus on protections against the four types of attacks that constitute the largest percentage of threats: port-based attacks, e-mail attacks, malicious Web content and buffer overruns."

You will note that how they do these things, how effectively, resiliently, and with what effect on the system, are topics that will bear investigation in the coming months.

Alongside Ballmer's announcements, which seem to us to fall largely in the firefighting department, Microsoft also trotted out one of these sad cases of the company interviewing itself, in this case allowing Security Business Unit VP Mike Nash to answer all the questions he'd prefer journalists to ask. The gist of this is that he stresses the "key role" Microsoft's partners play in the new security inititatives, but note that the examples he gives are heavily slewed towards security in medium to large business, and there's no word here about "securing the perimeter" either.

Paula Rooney of CRN does however seem to have induced senior VP Bob Muglia to talk about it during an interview. Asked if the securing the perimeter inititative was "just marketecture," Muglia responded, "You need to have multiple levels of security... It's like a gated community. You need additional levels of security, doors locked and alarms turned on, and additional defenses--countermeasures, such as putting up a fence--to be protected. A year from now you'll see additional countermeasures in place, as well as better firewalls."

Sounds depressingly like a 'yes' to us. ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.