Microsoft answers AusCERT security criticism


Responding to criticism levelled at its software developers by Australia's lead computer security authority, Microsoft Australia said it would attempt to make its products more "resilient" to virus attacks.

The company's response came after Graham Ingram, AusCERT general manager, said software security holes were being discovered too quickly for organisations to maintain adequate patching regimes. Ingram was commenting on the results of AusCERT's most recent computer security survey.

The survey found that inadequate patching was a contributing factor to the success of recent high profile attacks on networked computer systems.

"Software developers must take greater care to ensure the software they release is more secure before it is released. Organisations simply cannot keep up with the rate at which vulnerabilities are now being discovered and disclosed and respond accordingly," said Ingram.

However, Microsoft Australia security lead Ben English said it was unrealistic to expect any major software product or platform to be vulnerability-free.

"If you accept that in any complex engineering project, like a software engineering project, there is always going to be the odd mistake creeping into that process."

The company is instead aiming to make its products hardier inhabitants of the current threat environment. English didn't elaborate on how the systems might be made more resilient, but described the company's initiatives as providing a "barrier" that would allow organisations to patch "at a more leisurely pace than at the moment."

"This nine day cycle isn't sustainable for organisations," English said.

English conceded it was becoming more difficult for organisations to undertake effective system patching, but not because Microsoft was failing to address the problem; he said it was because malicious hackers are getting better at what they do.

"The tools that are available now and the expertise that's out there in the hacker community mean that the time-line for a patch's deployment in the organisation is being decreased rapidly," said English.

According to Microsoft, malicious hackers can release a sophisticated exploit within nine days of a vulnerability's disclosure.

AusCERT's computer security survey revealed that infections from viruses, worms or Trojans accounted for nearly half (45 percent) of all financial losses experienced by organisations, and 60 percent of all surveyed organisations reported that unpatched systems contributed to attacks.

English said security had become the organisation's number one priority in the last two years. Microsoft's security-trained developers are now more highly valued within the company than their counterparts without security training. Coders without security training sit on a lower pay scale and are ineligible for bonuses.