Microsoft's chief security strategist has admitted that the
company has not yet shown it can reach its own security goals and
he slammed its handling of patch management and bug fixes.
Scott Charney made the admission at a US user
conference this week and warned that it could be a year before
users were offered a consistent patch management approach from the
software giant.
The importance of patch management and the
problems it poses to corporate IT departments were highlighted last
month when the Slammer worm hit businesses hard around the world,
even though a patch for the security flaw it exploited had been
available for months.
Charney said Microsoft's patch management
procedures were "not good today at all".
Microsoft's decentralised management
approach, while "wonderful" in many respects, becomes an impediment
to effective patch management, said the chief security strategist.
For example, the company had eight different patch installers and
some tools cannot determine whether a patch has been installed
properly or not, he said.
Frustrated users will have to wait for a single patch installer
until the release of Longhorn, the next release of the Windows
operating system, which is not expected before mid-2004.
According to Charney, Microsoft's Trustworthy
Computing initiative has seen the introduction of two added layers
of security verification outside of the product groups.
Allowing developers in the product groups to
be responsible for security "was like having the fox guarding the
henhouse", Charney said.