Microsoft plans to simplify the way it issues security
patches over the next 12 months as one of the key steps in its
$100m (£63m) drive to improve the security of its software and
Windows operating system.
The supplier, in an acknowledgement that security patches are a
source of frustration for IT departments, said it is working on
plans to create a single, automatic patch-update system for all
Microsoft products.
The move follows complaints from IT departments that staff have to
use three different update mechanisms to keep desktop PCs patched
with the latest Microsoft security releases - a problem that is
multiplied when organisations use software from a range of
suppliers.
The issue came to the fore in January, when the Slammer worm
infected an estimated 75,000 unpatched machines within 10
minutes, exploiting a flaw in SQL Server for which a patch had
been available for about six months.
"Each of our product groups is working to put all of the patch
processes into a single mechanism. There are a lot of engineering
problems to resolve, but our hope is that over the next year we will
get down to two installation technologies," said Stuart Okin, chief
security officer at Microsoft.
Microsoft is also creating common standards for patches across its
development groups so that patches install on systems in a
similar, predictable way. This is intended to let IT departments
test a patch before deciding whether to deploy it to their
desktop infrastructure.
In parallel, Microsoft said it is working with application
developers to improve the stability of applications when IT
departments apply new patches. Developers will be able to use the
security library in Microsoft's .net framework to make applications
safer.
The next version of Windows, due to be released this year, will be
the first in which features are locked down by default to improve
security, Okin said. IT managers will have to turn on the functions
they need to use, rather than spending time trying to lock down the
system to make it secure.
"Many of our customers were exposed to Code Red and Nimda because
Internet Information Server was loaded and installed by default in
the background," said Okin. "But because people did not need it,
they did not manage it, and they were not downloading the
patches."
Microsoft plans to "institutionalise" its security training drive
over the next 12 months and will focus on improving its
security-related documentation, including improved security guides
for its programmers, said Okin.