Elinor Mills Abreu
SAN FRANCISCO: Computer security experts, who have long complained about
holes in Microsoft Corp. software, said on Thursday that they were pleased to
see chairman Bill Gates proclaim security as the highest priority after years of
lip-service.
In an e-mail sent to Microsoft's 47,000 employees on Tuesday and released to
the press on Wednesday, Gates said focusing on the security of products, instead
of new features, was vital to the success of the company's new .NET Web-based
services strategy.
"It's about time," said Marc Maiffret, chief hacking officer at
security firm eEye Digital Security, who discovered two security holes last
month in Microsoft's new XP operating system, touted by Microsoft as its most
secure ever.
"Because of Microsoft's dominant position in software, they have the
ability to singularly affect the security of the Internet," said Bruce
Schneier, chief technology officer of Counterpane Internet Security. "To have
Microsoft as a company focusing on security will make the Internet a safer
place."
In the past, Microsoft dismissed criticism, arguing that customers demanded
functionality and convenience over security. But an increase in the number of
Microsoft-specific security problems over the past year has raised concerns
just as the company begins rolling out its .NET platform.
The new software will not only make applications available over the Internet,
but will increase the exposure of computer users to malicious hackers and
viruses, experts say.
"They bet their whole company on the .NET strategy and if you can't
trust Microsoft to sell you software on a CD-ROM you're certainly not going to
trust them to provide you software online," said John Pescatore, research
director at market research firm Gartner Inc.
As part of its new strategy, the Redmond, Washington-based software giant
will provide security training to all 7,000 Windows developers over the next two
to three weeks and examine all its Windows .NET server code, said Steve Lipner,
Microsoft director of security assurance.
"Well actually, for over a year now we have really increased our focus
and investment on security and privacy," Rick Belluzzo, Microsoft chief
operating officer, told Reuters Television. "In fact we've introduced a
number of new services for customers to be updated with the latest security
releases."
Earlier, Microsoft announced that a $660 million legal charge from a proposed
class-action settlement pulled its second-quarter net profit down 6 cents to 41
cents per share from a year ago.
Cultural change
Microsoft executives acknowledge that the security directive will require a
huge cultural shift at the company.
"What we're doing is a mind-set change," said Pierre De Vries,
director of advanced product development at Microsoft, who added that protecting
the privacy of customer data would also be a priority.
Gates conceded in his memo that .NET could not succeed without the confidence
of customers and an improvement in the company's reputation. "Flaws in a
single Microsoft product, service or policy not only affect the quality of our
platform and services overall, but also our customers' view of us as a
company," Gates said.
"If I were in his position I'd be kind of embarrassed about all the
problems they've been having," said Richard M. Smith, a Boston-based
Internet security and privacy consultant. "The security and privacy
problems have been getting worse, not better."
.NET server to benefit
Although Lipner said customers would notice changes in .NET server, experts
said it would be a few years before the proof is in the products.
"It will be a lot of work, there's a lot of code there," said Gary
McGraw, chief technology officer at Cigital, a Dulles, Virginia company that
does software risk management.
While most viruses and security exploits affect Windows, last year two
high-profile viruses, Code Red and Nimda, proved nasty for Microsoft Internet
Information Server (IIS) users. Pescatore urged people to switch from IIS, while
British-based insurance underwriter J.S. Wurzler previously had raised its rates
for IIS users.
While generally lauding Gates' action, Pescatore said he hopes Microsoft will
do more to make it difficult for computer users to get themselves in trouble.
For example, they should ship Windows XP with the personal firewall turned on,
instead of the default off setting.
"We'll truly have seen proof of change when they start proactively
releasing advisories on security holes they've discovered themselves,"
Maiffret said, somewhat skeptically, of Microsoft.
(C) Reuters Limited.