Speaking at the Microsoft IT Forum in Copenhagen today, Klaus Holse Andersen, Microsoft vice president for Northern Europe, admitted that the software company's security performance had been less than stellar: "It's been a fairly painful year... from a security standpoint, there have been more patches than we would have liked but we're starting to clear that."
There's no doubt that Microsoft is keen to be seen to be making some effort on the virus front, particularly in terms of patch management. Its patch-management security push--including company-wide patch-management features turning up in Microsoft's newly launched Systems Management Server, patch-management guidance being distributed on its website and the streamlining of the number, outlets and size of patches for users--serves to demonstrate the software giant's commitment to pulling itself out of the security mire.
However, it could be that Microsoft's landmark move towards monthly, rather than as-and-when, patching is a further weakness--giving virus writers a 'heads up' on the optimum time to target systems.
Not so, according to Steven Adler, senior security specialist at Microsoft.
The Microsoft argument is that previously, when patches were announced amid a general noise of confused security warnings, it was far more likely the message would be missed by all but the hackers and virus writers. Now IT managers know which one day of the month they need to tune in to get all their updates.
Where next for Microsoft security? A mix of software, hardware and education, it seems. One of the next areas to get the Redmond treatment is behavior blocking--meaning mechanisms to detect and stop computers behaving in a suspicious way, such as sending a message to every e-mail address on a network, a technique often characteristic of a spreading virus.
As well as making hardware and software more secure, another idea being bandied around in the run up to Christmas is security education--launching a campaign to give the less technologically aware a better idea of how to detect and protect themselves from security threats.
Despite a potential focus on consumers, it seems Microsoft isn't blaming tech-ignorant users for its security woes. Adler said: "If it's a customer's fault, they're our customer, so therefore it’s our fault. We have to get them up to speed and make sure they know the risks."
However, when it comes to consumers' requests for the software company to just write better software, Adler says that Microsoft has no competition--saying that the software behemoth’s products have no more vulnerabilities than other platforms and less than some, citing SuSE Linux’s greater number of patches since April this year compared to the Microsoft equivalent.
So will Microsoft products ever be patch-free? Adler thinks not, saying that as long as the motivation is out there, new types of attacks will be developed.
"I don’t think we will ever reach that Utopia," he told silicon.com.