Gates Sets Schedule For Security Improvements

Although Microsoft's Trustworthy Computing initiative is a multiyear effort, Gates says bug-weary customers will get relief in months, not years.

"By the middle of next year, I think even our critics would say, 'Wow, they've really turned this patching thing around...This is night-and-day different. This is not a big problem for us,'" Gates said during an interview with InformationWeek on Monday, one day after his annual keynote address at the Comdex trade show in Las Vegas.

Microsoft's security-improvement program involves more rigorous software-development techniques and bug testing, new security products, and changes in the way patches are distributed. In the near term, Gates said, the just-released Systems Management Server 2003 represents the single biggest advance in helping system administrators better cope with Microsoft's steady flow of security bulletins. The product features new vulnerability identification and assessment capabilities, a wizard that simplifies patch distribution, and improved integration with Microsoft's software-update service. As more businesses use SMS 2003 to manage the patch process, Gates predicted, the work involved will become merely "noise-level" activity.

That would be a significant turn of events. In recent months, software patching has been a major undertaking for many IT departments, causing some to re-evaluate their heavy reliance on Microsoft products. The company has issued security bulletins, on average, about once a week this year. In September, one business-technology executive sent Microsoft a letter requesting a $150,000 refund to cover the costs associated with patching his company's Windows systems. When asked whether Microsoft was prepared to share such costs with customers, Gates replied: "We're very focused on doing our best to avoid these problems."

In October, Microsoft began issuing patches once a month as a way of making updates more predictable and manageable, though the company plans to continue issuing urgent patches as soon as possible if it determines customers face immediate risk.

Concern over Windows security caused some businesses to delay signing license agreements in the quarter ended Sept. 30, Microsoft officials disclosed last month. Senior Microsoft executives, including CEO Steve Ballmer and Gates himself, are engaged in a "very rich dialogue" with customers over security-management issues, Gates said.

Another product that promises to help is Microsoft's Internet Security and Acceleration Server 2004, which was demonstrated for the first time at Comdex. An application-layer firewall, ISA Server 2004 is designed to fight the latest types of worms and network attacks and create more secure VPN connections. The product is scheduled to begin testing early next year.

Microsoft's next-generation Longhorn operating system will likely contain more lines of code than Windows XP or Windows Server 2003 do today. Yet, the expanding size of the platform and the growing use of Web services should not make future Windows environments more vulnerable to breakdowns or attacks, Gates said. The modular design of Web services and use of software modeling in the development process, he added, should result in systems that are increasingly secure.

This story courtesy of InformationWeek.