Gates promotes isolation

Keeping systems separate is the most important security technique, says Microsoft's chairman

Microsoft chairman Bill Gates has outlined some of the "obvious solutions" to the security issues that have forced the software giant into the spotlight in recent years.

At a media conference in Sydney this morning, Gates said "preventing malicious security attacks and making sure that the systems are essentially available with the same or greater reliability as society's other infrastructures -- the electrical infrastructure, water infrastructure -- that absolutely has to be done".

Gates cited isolation as the most important solution, making sure that people with malicious intent can't arbitrarily send code to all the different systems.

Speaking about the importance of isolation, Gates said: "The Internet in a way says, hey, these systems are connected. It's not like the mainframe that was kept secure not because the code was secure but rather because only the people there in that glasshouse were actually connecting software up to it. Here we need to build the firewalls."

Gates said that a third of Microsoft's customers had never had any problems with security attacks, because they had those firewalls in place. But he said that for the other 70 percent of customers the process of protecting themselves had been "clearly not automatic enough."

"There wasn't a tool you could go in and really check to make sure you were only open to the things that you needed to be open, and those tend to be actually quite few -- the mail server for mail, the Web server for http -- but most of the systems actually can be isolated," he said.
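The check Gates describes, a host being "only open to the things that you needed to be open", can be automated. The following is an added example, not code from the article or from Microsoft: it parses constructed `ss -tln`-style output and reports network-exposed ports that the host's role (the article names only mail and web) does not justify. The role allow-lists and the admin port exception are assumptions.

```python
# Added example (not from the article): audit a host's listening TCP ports
# against the small set its role actually needs, in the spirit of the
# "only open to the things that you needed to be open" remark.
# The sample ss-style lines below are constructed for illustration.
import re

# Assumed role allow-lists; the article names only mail (SMTP) and web (HTTP).
ROLE_ALLOWED_PORTS = {
    "mail": {25, 587},
    "web": {80, 443},
}

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     *:135                *:*
"""

LOCAL_ADDR_RE = re.compile(r"^(?P<addr>.*):(?P<port>\d+)$")

def parse_listeners(ss_output):
    """Return a list of (address, port) pairs for LISTEN sockets."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = LOCAL_ADDR_RE.match(fields[3])
        if m:
            listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners

LOOPBACK = {"127.0.0.1", "::1"}

def exposed_ports(listeners):
    """Ports reachable from the network, i.e. not bound to loopback only."""
    return {port for addr, port in listeners if addr not in LOOPBACK}

def unexpected_ports(role, listeners, admin_ports=frozenset({22})):
    """Network-exposed ports that the role's allow-list does not justify."""
    allowed = ROLE_ALLOWED_PORTS[role] | set(admin_ports)
    return sorted(exposed_ports(listeners) - allowed)

if __name__ == "__main__":
    print(unexpected_ports("web", parse_listeners(SAMPLE_SS_OUTPUT)))
```

Anything the audit reports is either a service to remove or a port the host firewall should close; the loopback-only database port is correctly ignored because it is already isolated from the network.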

Gates said the people with bad intent are not the people who've discovered the vulnerabilities, but "rather it is the security firms or our own patches that point the way and then somebody packages those up in a way that they spread around".

Gates said Microsoft wants to reduce the number of times any update needs to be made. "This involves very advanced tools, techniques that have been in academia for a long time but never used against large scale software," he said. "We are the first company that's actually using software proved techniques to go through and show that only a tiny piece of code has to be right for the security to work well and that's part of this quality push," he added.

Gates cited Windows Server 2000 as an example of a product that within the first year of launch had twenty-four security bulletins, things that the company asked people to patch. "With the most recent release we've now had four of those and that's a pretty dramatic reduction," said Gates. "However, we should get that to be either one or zero during that time frame, and that's where software proven techniques will come in".

Gates claimed that the average time to fix on an operating system other than Windows is "typically ninety to a hundred days. You know, today we have it down to less than forty-eight hours".

Gates added that people with malicious intent are not just focusing on Microsoft. "We've seen it recently with a firewall product, we've seen it with Cisco, and we see it at a fairly significant level against Linux and other systems as well," he said.

According to Gates, a new "weak link" is emerging and that is the way people are using passwords. "Those are often easy to guess with computer systems or you'll use the same password on a very insecure system that is used on a secure system. And so [we are] moving more and more into smart cards, biometrics, that'll be a necessary step".

Spam was described by Gates as a "gigantic problem", one that not only wastes time but can "spread bad software". Outlining the techniques Microsoft is putting in place to eliminate spam, Gates said the first approach, filtering, is ridding users of "something like ninety percent of the spam, but that's still a lot of spam left over. In fact, they've increased their volume to try and get around that, and so we need new techniques".

Gates said that in the last few weeks Microsoft had announced a technique that can guarantee that mail really is from who it appears to come from. "And [that] lets us say that if you're getting mail that's not from a stranger, we can always pass it through, and mail that appears to come from a stranger we can be very stringent [with] and require more proof that that's a legitimate piece of email," said Gates. "And there's some very clever ideas there about having the computer that does the sending do some extra work or bouncing back something where the human verifies that this really is a legitimate piece of email," he added.
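The "have the computer that does the sending do some extra work" idea is a proof-of-work stamp in the style of hashcash. The block below is an added illustration, not Microsoft's scheme or code from the article: the sender burns CPU searching for a nonce, the receiver verifies with a single hash and rejects stamps minted for someone else or for another day. The stamp format, difficulty and sample addresses are assumptions made for this example.

```python
# Added example (not from the article): a minimal hashcash-style stamp, the
# "make the sending computer do some extra work" idea Gates describes.
# The sender searches for a nonce so that SHA-256 over the stamp has a given
# number of leading zero bits; the receiver verifies with one hash. The stamp
# format, difficulty and sample addresses are constructed for this example.
import hashlib
import itertools

def _leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def mint_stamp(sender, recipient, date, difficulty=16):
    """Sender side: brute-force a nonce (the costly part, ~2**difficulty hashes)."""
    prefix = f"{sender}:{recipient}:{date}:"
    for nonce in itertools.count():
        stamp = f"{prefix}{nonce}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty:
            return stamp

def verify_stamp(stamp, recipient, date, difficulty=16):
    """Receiver side: check the stamp is for us, for today, and meets the target."""
    parts = stamp.split(":")
    if len(parts) != 4 or parts[1] != recipient or parts[2] != date:
        return False
    return _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty

if __name__ == "__main__":
    s = mint_stamp("alice@example.net", "bob@example.org", "2004-07-01")
    print(s, verify_stamp(s, "bob@example.org", "2004-07-01"))
```

A real deployment also has to remember stamps it has already accepted for the day so a spammer cannot replay one paid-for stamp to the same recipient many times.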

Gates said that security moves by the industry, Microsoft and anti-fraud laws all need to be more "impactful".

"We need to let them drive productivity. We need to get rid of all those different boundaries. We need to make software development more productive than it is today. We think about that as overall what we'd call seamless computing," he said.

When questioned about whether Microsoft could guarantee a certain turnaround time for security patches, Gates' response was a little less robust. "We can't say that for everything that comes up in some big form that we'll understand what's vaguely being said and have it fixed in an exact period of time. We will guarantee that the average time to fix will continue to come down," he said. "We have several hundred people who are on twenty-four hour availability to do this work. It is a phenomenal thing. And if you track how we have improved over this last twenty-four months, you'll see that we are absolutely doing our best on this".

Gates was more confident when asked to respond to a question claiming that there are Web sites with lists of Internet Explorer vulnerabilities six months old, and to a claim by a prominent researcher that the vulnerability used by Russian criminal syndicates last week was based on one reported to Microsoft in August 2003.

"The Russian exploit that just came this weekend, that's IE-041, was not reported in... honestly, otherwise somebody would have exploited six months ago," said Gates. "The time to exploit about a year and a half ago was typically sixty to ninety days. Time to exploit now we've seen anywhere from three to 21 days. We haven't seen a single case where there has been a six month time to exploit of a known security vulnerability. I wish people were waiting six months to do the exploits," he said.

Gates went on to say that a year ago the percentage of consumer Windows machines connected to auto-update was about 4 per cent. "Recently there was an episode called Sasser, where within twenty-four hours, we updated 80 million systems that were on auto-update and 30 million additional systems that were not on auto-update," said Gates.

"And so, the thing we have to do is not only get these patches done very quickly, we also have to convince people to turn on auto-update. And the next version of update, which is an update of Windows, which is called SP2, defaults both auto-update and the firewall to be turned on, and so you actually have to go out of your way to turn auto-update off," said Gates. "And so, the issue is how quickly we get those things spread out there".

For more coverage on ZDNet Australia, click here.