ad info

 
CNN.com  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  

 

  Search
 
 

 
TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

TOP STORIES

More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections

(MORE)

MARKETS
4:30pm ET, 4/16
144.70
8257.60
3.71
1394.72
10.90
879.91
 


WORLD

U.S.

POLITICS

LAW

ENTERTAINMENT

HEALTH

TRAVEL

FOOD

ARTS & STYLE



(MORE HEADLINES)
*
 
CNN Websites
Networks image


Microsoft security executive promises improvements

Computerworld

PITTSBURGH (IDG) -- The man who receives more complaints about the security of Microsoft Corp.'s software than anyone on the planet vowed here Monday that the company's products are improving in quality and will continue to become more secure.

In particular, Whistler, the planned next version of Windows 2000 for business users as well as consumers, is due to show the results of several security-improvement initiatives that are now in the works at Microsoft when it becomes available next year, said Steve Lipner, manager of the company's Security Response Center.

  ALSO
 

Lipner's comments at a security summit for officials from industry, government and academia come in the wake of a series of disclosures about security holes in Microsoft's products. For example, Microsoft last week said it was working to fix potentially dangerous holes in both its Outlook e-mail software and its Internet Explorer browser (see "Microsoft scrambling to fix new Outlook security hole," link below).

MORE COMPUTING INTELLIGENCE
IDG.net   IDG.net home page
  Computerworld's home page
  Microsoft releases promised security patch for Outlook
  Microsoft scrambling to fix new Outlook security hole
  Batten down Windows' hatches!
  Reviews & in-depth info at IDG.net
  E-BusinessWorld
  TechInformer
  Questions about computers? Let IDG.net's editors help you
  Subscribe to IDG.net's free daily newsletter for IT leaders
  Search IDG.net in 12 languages
  News Radio
  * Fusion audio primers
  * Computerworld Minute

Lipner told attendees at the Cyber Security Summit, sponsored by Carnegie Mellon University's Institute for Survivable Systems, that the Microsoft response center typically receives 10 to 100 messages per day from users who are reporting security problems. "But recently, it's been closer to 100," he said.

He added, though, that the complaints often are about hacks that could have been prevented had users downloaded software patches published months -- and sometimes years -- earlier. Asked about the future of Microsoft products, Lipner said, "Believe it or not, I see fewer vulnerabilities and problems ahead" because of the work of external security researchers and Microsoft's own product developers.

Nonetheless, other speakers at the conference sounded a consistently pessimistic note about the escalating threats to computer security from viruses, denial-of-service attacks and the like -- and about the technology industry's failure to get on top of the problem thus far.

Dave McCurdy, president of the Electronic Industries Alliance in Arlington, Va., shared a panel with Lipner and said he's not convinced the situation is improving. "Steve, I don't necessarily agree with you that security is going to get better," McCurdy said. "Maybe at Microsoft it will get better."

And without singling out any vendor, Mike Jacobs, deputy director of the National Security Agency, said users "need more secure and stable operating systems" in order to better protect themselves from malicious attackers.

"It's in the realm of operating systems that the most troublesome problems exist," Jacobs said, noting that safeguards such as firewalls and encryption can fail if operating systems are flawed. But fully securing operating systems remains "an elusive goal," he added.

In an interview Monday, Lipner outlined several steps taken by Microsoft that he said are already helping to improve the security of its products. Design and code reviews have been beefed up, as have the internal "tiger team" attacks that the company uses to mimic security attacks before it releases products, he said.

Automated tools also are taking some of the guesswork out of designing software to be more secure, Lipner said. For example, compilers in many cases can now anticipate when code is likely to result in buffer overflows, a common flaw that can open up vulnerabilities and potentially cause system crashes.

In addition, the .Net framework announced by Microsoft last month will introduce a layer of software on top of Windows that sets up a "sandbox" within which downloaded code must run. Lipner said it can block access to machine resources by malicious code, except as permitted by the user.

Lipner also promised faster distribution of software patches via a more automated process. But he discounted the popular notion that there will be, anytime soon, "benign viruses" that can roam through a system or network to sniff out and then fix security flaws.

Some attendees at the summit called for Microsoft and others to open all source code for inspection, saying that's the only way users can have total confidence in the security of a software product. But Lipner said Microsoft is "not going to give up our intellectual property."

However, Lipner added, the number of universities that have been given Windows source code for security reviews has almost doubled in the past year to some 140 -- a trend that he said will continue.

Summit attendees also repeatedly pointed out the inherent conflict between the goals of making a system richly functional and making it more secure and reliable. Asked if many users wouldn't gladly trade a few bells and whistles to get software that was less prone to attacks, Lipner said Microsoft took a step in that direction last month when it released a patch for Outlook that disables some functions in an attempt to tighten security (see "Microsoft releases promised security patch for Outlook," link below).

But it's not clear that users really are willing to make that trade-off, according to Lipner. "My informal impression is, most customers still like the functionality," he said.




RELATED STORIES:
Microsoft scrambling to fix new Outlook security hole
July 21, 2000
Microsoft pushes smart cards
June 29, 2000
Outlook patch called overkill
May 23, 2000
Microsoft, Netscape battle over browser hole
May 10, 2000
Microsoft claims 1 millionth Windows 2000 sale
March 17, 2000

RELATED IDG.net STORIES:
Microsoft scrambling to fix new Outlook security hole
(Computerworld)
Microsoft releases promised security patch for Outlook
(Computerworld)
Batten down Windows' hatches!
(PC World Online)
How secure is Mac OS X?
(Macworld)
Is Linux a security risk?
(Computerworld Australia)
Security holes going unpatched
(FCW)
Denial-of-service victims share lessons learned
(Computerworld)
True crime: The Omega files
(Network World Fusion)

RELATED SITES:
Microsoft Corp.
Official Microsoft .NET announcement

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

 Search   

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.