Last week, I began a discussion about Microsoft's new plan to secure Windows and its other products, but I ran out of space. This week, I'd like to complete that thread and briefly discuss the feedback I received to a related Windows & .NET Magazine UPDATE editorial, "Should Microsoft Be Held Financially Liable for the Bugs in its Products?" (http://www.winnetmag.com/article/articleid/40473/40473.html ).
You might recall that Microsoft CEO Steve Ballmer recently discussed his company's ever-evolving plans to secure its users' systems at the Microsoft Worldwide Partner Conference 2003 in New Orleans. Going forward, Ballmer pledged that Microsoft would reduce the size of patches, reduce the number of reboots that patches cause, introduce better patch-deployment automation, address the needs of legacy systems, provide more predictable patch schedules, and provide more guidance about securely deploying and managing Microsoft systems.
That wasn't all Ballmer had to say, however. A growing feeling among security experts at the software giant is that a new strategy of better securing the edges of networks might ultimately better protect the numerous Windows systems found within those networks. This strategy, called "Securing the Perimeter," is now a core tenet of Microsoft's wider Trustworthy Computing initiative, and it will affect all IT administrators and decision makers that use Microsoft products.
The idea behind "Securing the Perimeter" is simple: By hardening the network entry points to your vulnerable Windows machines, you can install security patches whenever you want, after they've been tested inhouse, and not panic when the next massive virus or worm outbreak occurs. "Patching is critical, but patching is insufficient ... in terms of the speed with which new vulnerabilities are coming out," Ballmer said. "What we really want to do is make our customers resilient to attack, even when patches are not installed. You should be able to have a kind of perimeter around you that protects you so that you can install patches on your own schedule--I'm not saying patching becomes irrelevant--but you should be able to apply patches on your own schedule, not on the schedules of the hackers."
Part of the strategy is simple pragmatism: Microsoft can't go back and fix every vulnerability in every product it's ever made, a situation made more difficult by the wide range of Microsoft products in constant use at so many enterprises, businesses, and homes worldwide. But even if the company did fix every vulnerability, one problem that the MSBlaster (LoveSan) and SoBig.F attacks made clear was that no amount of technology or communication on Microsoft's part will ever convince the majority of its customers to install those patches. By securing the entry points to networks, Microsoft is logically handling what seemed to be a fairly insurmountable problem.
For a secure perimeter, you must have secure end-user desktops (albeit those running recent Windows versions) and firewalls on the network's edge. End-user desktops need to be secured because these machines are often attached directly to the Internet or to non-Windows devices that Microsoft can't control. Also, you must consider nonsecured notebooks that are brought into work or that connect through a VPN into a network. Microsoft is looking at some obvious attack vectors: malicious email messages, viruses, and worms that scan ports on the Internet; malicious Web content; and buffer overruns. Ballmer said Microsoft is working on technologies that will solve these problems, and most of these technologies will be delivered in Windows XP Service Pack 2 (SP2), due in the first half of 2004, and in a Microsoft Internet Explorer (IE) update. (These technologies from XP SP2 and IE will also be rolled into Windows Server 2003 SP1.) To handle the other cases, Microsoft simply advises users to adopt a third-party antivirus package.
XP SP2 will enable an improved Internet Connection Firewall (ICF); this new ICF version will include better management tools and, I hear, outbound scanning in addition to the inbound scanning offered in the current version. XP SP2 will also include an improved memory-protection feature that will "essentially lock that memory so that worms and exploits can't write into bad pieces of memory after a buffer-overrun problem," Ballmer said. The IE update will bolster the program with new code that prevents the execution of ActiveX controls from Web sites that you don't explicitly trust.
On the server side, Microsoft is adding perimeter-inspection technologies that will debut in Windows 2003 SP1. This release, which will include a new security configuration wizard for role-based security configurations, will debut by mid-2004, Microsoft says. The company is also working on a crucial new update to its enterprise firewall, Microsoft Internet Security and Acceleration (ISA) Server 2004, which will provide application-level firewalling features.
Part of Microsoft's message here sounds a bit marketing heavy: The company believes that all laptop and VPN users should be running XP and all outbound-facing servers should be running Windows 2003. Microsoft's rationale is that these systems are more secure and more securable than previous versions. The cynics might point out that adoption of these systems will help Microsoft's financial picture. Both points are equally valid, I believe.
Feedback on Microsoft and Financial Liability for Bugs
At the risk of deflating expectations, I'm probably not going to be able to provide anything earth-shattering here: In more than 100 responses to this editorial, the opinions were split almost evenly, with those believing that Microsoft should indeed be held liable winning a small majority. Equally unsurprising, many respondents felt quite strongly about their opinions. I'm still on the fence about this matter, but the one overwhelming factor for me is that software, especially the crucial systems infrastructure software that Microsoft supplies, is an economic necessity for many businesses, markets, and governments. If Microsoft wants to continue to set the standard and be the dominant player, its products must meet the security challenge. Whether this happens in an open market or through some sort of government oversight is unclear: Most readers thought government involvement is a bad idea, and I tend to agree. But something has to change. If Microsoft can't make more reliable software, maybe we need to stop relying on it for our most crucial systems.