You are here  Software

Microsoft: "Our products aren't engineered for security"

Friday 06 September 2002 03:10
Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.

"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.

In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.

Microsoft's regular stream of security bulletins has continued despite Bill Gates company-wide Trustworthy Computing Initiative, announced earlier this year.

The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.

"We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.

But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products the security dilemma will evolve as hackers become more sophisticated.

"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."

Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.

According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them," he said.