Jim Allchin, Microsoft's vice-president for platforms, took the
stand at the remedy hearing in its antitrust case yesterday to give
evidence about the company's focus on providing users with computer
security.
Kevin Hodges, an attorney for the states suing Microsoft, asked
Allchin whether Microsoft intended to use a clause in the proposed
remedies that said the company could withhold its Windows protocols
and application programming interfaces (APIs) from third-party
developers if it felt the security of the operating system could be
compromised.
Hodges wanted to know if that clause was supposed to be interpreted
narrowly. Allchin said it would force Microsoft to "fulfil our
obligation, we'd have to prove that [disclosing an API or protocol]
would compromise security".
When asked if the proposed security exemption was broader than it
needed to be in order to protect the security of Windows, Allchin
answered no.
Hodges showed the prehearing interview of a Microsoft security
expert, who said all that Microsoft would need to withhold are
Windows' cryptographic keys and their locations in order to ensure
the security of the OS.
Allchin said he disagreed. He gave the example of the Windows
message queuing protocol that contains a mistake and, if left
unfixed, "would compromise a company using it". He added that if
Microsoft were forced to disclose that protocol before a fix is
distributed, Windows would be vulnerable to security breaches.
A Microsoft spokesman confirmed that the protocol flaw exists and a
fix has not yet been distributed.
Hodges asked Allchin how many APIs and protocols - in addition to
those related to cryptographic keys, their locations, and message
queuing - Microsoft would have to withhold to protect Windows'
security.
Microsoft is still in the process of determining that number,
Allchin said. "I do feel quite strongly that I have to look after
our customers," he added.
Allchin did say, however, that Microsoft has already decided it
would not invoke the security carve-out in the proposed remedies to
withhold its extensions to the Kerberos security specification from
disclosure.