Microsoft battles against security failures

Security experts are warning that Microsoft's Internet Explorer (IE) browser is not safe to use.

Security experts are warning that Microsoft's Internet Explorer (IE) browser is not safe to use.

Two and a half years after launching its Trustworthy Computing initiative, Microsoft is finding its products the target of escalating attacks.

The company is claiming that it is doing everything in its power to defend itself, however users are looking for reassurance that Trustworthy Computing will pay off, and quickly.

"They've launched this Trustworthy Computing campaign and they are still issuing all these patches. They shouldn't make things so complex. When is it going to get better?" asked software developer Michael Kranawetter at last week's Tech Ed conference in Amsterdam.

Microsoft has been working hard to streamline its patching process, by releasing combined fixes when possible and delivering them on a monthly release schedule.

The comany is also providing a free patching service and a centralised place for users to find fixes.

Microsoft is also moving to bolster the security of its desktop software, by turning off potential ports of attack and adding security features such as a firewall enabled by default, to help users protect their PCs.

Many new security improvements are due to be delivered with the much anticipated Windows XP Service Pack 2 (SP2), an update to the Windows XP operating system (OS), which is said to be like a installing a whole new OS.

Microsoft executives have promised to deliver SP2 by "the end of summer." However, Microsoft senior director of Trustworthy Computing for Europe, EMEA, Detlef Eckert, said that "summer ends in September this year".

"We have now realised, to some extent painfully, that the security atmosphere has changed, which is why we are putting so much effort into Service Pack 2," Eckert said.

"Most of these new features would have blocked against recent attacks."

The company learned a great deal from threats such as the Sasser internet worm, which wreaked havoc earlier this year by exploiting a disclosed hole in a component in Windows.

"We know we need to move ahead of the attack cycle and mitigate against specific attacks against applications," Eckert said.

But while the company has been working to address users' security woes, it continues to come under attack from virus writers.

One of the latest attacks used websites running Internet Information Server (IIS) to launch malicious computer code, and prompted the company to release updates to its Windows 2000, XP and Windows Server 2003 software.

The company is also planning to release updates to improve the security of IE.

Microsoft's IE browser has become the primary target for virus writers. In one of the latest attacks, hackers took advantage of a browser extension functionality to steal log-in information from banking sites.

Numerous vulnerabilities in IE, which holds over 95% of the browser market, have prompted some security experts to warn against using the product altogether, suggesting alternatives such as Opera, Netscape or Mozilla.

"It's safe to say that IE is not safe to use," said Mikko Hyppönen, director of anti-virus research at anti-virus company F-Secure. "I don't use it and I know of companies that have banned it altogether."

"There are two nightmares a systems administrator can have," said Hyppönen. "One is having security vulnerabilities and the other is having to support users who are all using different applications."

Many internet applications are tied to IE, so switching may not be a practical option.

Microsoft does not seem too concerned about a mass exodus from its products. The company claims that if enough people moved to another brand of browser, that would also come under attack.

Scarlet Pruitt wrties for IDG

Read more on Operating systems software