Microsoft unveils fundamental security shift

Microsoft has changed its policy on disclosing security alerts as part of a range of measures designed to boost its Trustworthy...

Microsoft has changed its policy on disclosing security alerts as part of a range of measures designed to boost its Trustworthy Computing initiative.

During his keynote presentation at the Microsoft worldwide partner conference in New Orleans, on 9 October, chief executive Steve Ballmer outlined how Microsoft would reengineer the Windows operating system to prevent buffer overflow errors, the common form of internet attack. He also spelled out the company's plans on improving patch management and user education

"Our commitment is to protect our customers from the growing wave of criminal attacks," he said.

Microsoft chief security officer Stuart Okin said Microsoft would now only release security notices once a month, instead updating users every Wednesday evening as it does at present.

 As a result he said, "We have developed a relationship with security researchers to avoid public disclosure of security holes."

Okin said the monthly update would give users of Microsoft software more time to apply a patch, adding that hackers used to reverse engineer a patch to create exploit code. By moving to monthly updates, this risk is reduced Okin said.

In a bold move, Microsoft also plans to make radical changes to the way the Windows operating system handles memory management, to reduce the damage caused by buffer overflow errors.

The third aspect of the strategy relates to Firewall software. While Windows XP offers users the Internet Connection Firewall software to protect the desktop system, Okin said many corporate users avoided it, as the MS firewall software could not be controlled centrally.

This limitation has now been removed, allowing businesses to protect each XP desktop on their corporate network using Microsoft's Internet Connection Firewall, where the firewall configuration is controlled centrally.

Butler Group analyst Mark Blower welcomed the latest Trustworthy developments from Microsoft. He said, "Anything Microsoft can do is progress." His big concern was that the new memory management features in the Windows OS had the potential to break existing applications.

What do you think?

Is Microsoft's change in security policy a much-needed improvement? Tell us in an e-mail >>

Read more on IT risk management