Microsoft pushes for security in Longhorn

Microsoft will preview its forthcoming server-stack software at the Professional Developers Conference in Los Angeles.

Developers will get an in-depth technical review of Longhorn, the next iteration of Windows. Microsoft is also expected to focus attention on Longhorn's underlying graphics and Aero, the new user interface.

At the conference, Microsoft will deliver early beta code of Yukon, its next-generation database, and Whidbey, the upcoming version of Visual Studio, along with a sneak peek at Indigo, a web services development framework.

Longhorn, in particular, appears to be very much a work in progress. Company officials earlier this month dropped hints that the upcoming OS - at least the completed server version - will not be available until 2006.

But the ambitions Microsoft has for its next-generation OS, database and development tools rely on its equally ambitious security initiative, which was outlined by a number of top company officials earlier this month.

The security initiative will weave "safety technologies" into the company's core set of products and will simplify the company's patching strategy, emphasising collaboration with Windows application developers and business partners.

The severity of Windows' security problems - both existing and future - is enough to make them seriously contemplate other, more secure operating systems.

Even as Microsoft redoubles its efforts to close Windows' holes, just this week four new bugs were discovered in Windows Server 2003. The bugs are associated with buffer overflows, which hackers exploit to unlock doors to corporate networks.

"Microsoft knows they have to fix this. To some extent they have created this issue for themselves through their own success and in the way in which they have managed their previous solutions. The only way out is to deliver on their promises," said Chris LeTocq, an analyst at Guernsey Research.

LeTocq and other analysts have been encouraged by Microsoft's urgency in addressing its security problems but have also expressed concern that fixing these problems will bring about others.

"To [Microsoft's] credit, they have established this update process where they will get high-speed updates out to people who discover bugs, but it is a double-edged sword because you will get an update twice a week that you then have to implement and manage," LeTocq said.

At the company's partner conference in New Orleans earlier this month, Ballmer said one of the keys to making Microsoft's security initiative successful will be working closely with its thousands of developers and partners to create seamless security solutions.

This week the company released its first monthly security update containing five vulnerabilities that were classified as "critical". Three of the flaws pertained to editions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003. The other two concerned only Windows 2000 and Exchange Server 5.5.

Going to a monthly delivery of patch releases is designed to help administrators better deal with an already heavy workload by introducing predictability into the process of fixing security holes.

Ed Scannell writes for Infoworld