Microsoft declares a 'war on hostile code'

Secure Windows XP is the goal of MS's war on security bugs
Written by Robert Lemos, Contributor

Can Microsoft beat the security bugs? That's the intent of a multi-pronged strategy that the software giant unveiled Tuesday at the RSA Data Security Conference.

If successful, the strategy will allow users to have the customisability they crave, while eliminating the security holes that have been a chronic black eye, said representatives of the company on Tuesday.

"The idea is, if you are a normal home user, to be able to turn on your PC, not do anything else, and you will be safe and secure," said Steve Lipner, manager of Microsoft's security response centre.

The project is aimed at waging what Microsoft is calling a "war on hostile code", according to Dave Thompson, vice president of Windows development for Microsoft.

The goal: secure Windows XP. The newest version of Windows is due out in this fall, and will come in several flavours: one for home users, another for business users and a later version able to run on 64-bit processors.

Retiring the old Windows code -- upon which Windows 95, 98 and Me are based -- is the first step toward securing the PC. Or, as Lipner put it, "[Windows XP] is based on the Windows NT codebase -- it's a real operating system."

With the ability to limit access permissions to particular users -- a feature common in Unix and other "real" operating systems -- Windows XP will have more security right off the mark.

Yet, Microsoft doesn't intend to stop there, Lipner said.

Through a series of moves -- including "spot the bug" emails, classes on writing secure code, and messages from higher-ups in the company supporting secure code -- Microsoft hopes to focus its programmers on delivering bug-free and reliable code.

"We are imbuing security into the company's culture, we really are," he said.

On the Web site, the company has started posting update information in XML so other software companies can make update agents that can automatically check which updates the user needs. Without frequent patching, any operating system can quickly become insecure.

The software giant also intends to start rating its updates on how critical they are for the computer user to install.

Finally, Microsoft intends to add a number of applications and utilities to add security to Windows XP.

System administrators will be able configure systems' security using tools that will turn company policies -- such as no personal Web surfing and no sending executables in email -- into specific settings.

A personal firewall, or Internet-connection firewall, will give users a higher level of security right off the bat, Lipner said. And a "credential manager" will enable user to securely store their passwords for Internet sites on their computer in a digital vault. The manager will automatically give the passwords to the originating site, effectively letting people access all their accounts with a single sign-on.

Yet will the move to security earn Microsoft praise or curses from its customers?

Microsoft's customers showed how fickle they can be when many vocally panned the giant's decision last week to delete, in the next version of Outlook, several types of email attachments that could be used to spread viruses.

However, Lipner said it can improve security without turning off its customers.

"When we get to some of the new things that we have done -- in particular the software-restriction policies and the components of the .Net. We have the ability to tune things so you can have your cake and eat it too."

Take me to the Windows XP Special

Take me to ZDNet Enterprise

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read what others have said.

Editorial standards