Microsoft Addresses Security

Key on the agenda is the forthcoming release of Windows XP Service Pack 2, which will feature a brand new "one-stop shop" security center built in as well as a vastly improved firewall. Bill Tomlinson, technology specialist, Microsoft National Technology Team, demonstrated the key new patch to Windows XP. In addition, Windows XP Service Pack 2 will continue to offer scheduled patch releases.

Service Pack 2 will also include a control that blocks pop-ups and will offer automatic updates to be called into action whenever the user wants. "We want to make sure you have the avenues to conduct your business in the most efficient manner," Tomlinson said, noting that the new offering will provide all users the ability to block which pop-ups they don't want.

Later this year, Microsoft also plans to introduce Software Update Services 2.0, a free tool from the company that expedites patch management and automates the process of patch management, he added.

Microsoft also plans to release this year its application-layer firewall, called ISA Server 2004. Tomlinson is looking to underscore the progress Microsoft has made in its Trusted Computing Initiative and made it clear to partners that the company is committed to making its software more secure. He said Microsoft has come a long way, noting 38 vulnerabilities were discovered in the first 292 days after Windows 2000 came out, but only nine security holes were found during the same time period when Windows Server 2003 was released.

Joe Balsarotti, president of Software to Go, Clayton, Mo., said the security updates will help fix current problems, but Microsoft still isn't addressing the needs of small businesses. "It all stems from their underlying vision that they want Microsoft to be everything," Balsarotti said. "If they didn't want to be everything, these problems wouldn't exist."

Microsoft is constantly trying to fix Windows for business that is not realistic for SMB, he added. For example, Software to Go has end users such as small law firms that only recently upgraded from dial-up and do not need many features of Windows that create security concerns, he said.

"If Microsoft wants to solve the problem, they should come out with a 'Windows Light' that doesn't have Media Player, doesn't have desktop themes. If you could get rid of those, you'd get rid or more vulnerabilities," he said.

However, Jennifer Wright, a vice president at Houston-based Wright Business Technologies, believes Microsoft has made progress and that a careful approach is critical. "I appreciate the fact that they didn't throw out a bunch of patches that don't work," she said.

Indeed, Tomlinson said opportunities to penetrate the SMB market with security initiatives abound. He estimated that there are 2.8 million potential customers in the SMB space that do not employ any security, including antivirus protections. Tomlinson reeled off statistics that indicated there still are roughly 58 million Windows '98 users. He said 86 percent of the SMB market is still running NT and that 48 percent still run Windows '98. Perhaps surprisingly, less than half of the market is hooked up to broadband, he said.

"We, as an industry, are not achieving what we need to do," Tomlinson told XChange Daily. "There are many reasons for that and they're variable. It involves communication between vendors, with partners and with the customer itself." Microsoft, he said, is committed to ameliorating security problems. "We have over 50,000 people who think nothing but security," he said.

The specialist stated that most security attacks occur during the point in time from which a patch is released until the time the patch is deployed by the user. The reason: "Reverse engineering," shouted out an attendee, an answer with which Tomlinson agreed. He said that it now takes an average nine days for a patch to be reverse-engineered.

Tomlinson said there are four types of hackers: curiosity seekers, those who want personal fame, those who want personal gain such as credit card numbers, and those who threaten national interest,possibly the most onerous. He said hackers have extraordinary resources. "There are more hacker sites than security sites," he told the crowd. There are more than 80,000 hacker sites as well as underground sites, where the Web address changes on a daily basis, Tomlinson said. "We need ongoing vigilance, which includes continued internal training and a focus on building secure code," he said.

Scott Campbell and Jeffrey Schwartz contributed to this report.