'

Microsoft defends security track record

Software designed by humans will always have flaws, says Microsoft, but the company argues that its security record is improving

Microsoft has admitted it does not expect to ever release completely secure, flawless code, but denied that its software was any less secure than any other complex code.

The company was responding to criticism of its security efforts following a recent spate of bugs in its products. In just over a week, Microsoft has had to fix security problems in Passport, Windows 2000, Internet Explorer and Media Player 9. According to Microsoft's top security officer in the UK, however, the incidents are not due to poor code design, but are a sign that "the Trustworthy Computing initiative is working".

Stuart Okin, chief security officer at Microsoft UK, told ZDNet UK that the Trustworthy Computing initiative by Microsoft is one of chairman Bill Gates' main priorities. "Trustworthy computing is a goal that Bill has set for the company to improve the quality of our code and to take security over feature seriously," said Okin, who admitted that Microsoft needs to "improve the way our coders write code".

But Okin insisted that ongoing security problems are not unique to Microsoft. "I do not think (these problems) have got to do with bad design at all," he said. "Whatever is humanly designed, you have got to recognize that there will be flaws and problems."

Okin said that some of the problems are due to the flawed design of fundamental Internet protocols. "There are flaws within the basic protocols on which much of this technology is based. We are taking a good long look at all of the different protocols--the message protocol and TCP/IP are examples--to see how we can make this a more trusted environment," Okin said.

An example that Okin gave was the problem of spam, which he said is difficult to fight because the protocols that handle email were never designed to stop senders from using fake, or "spoofed", headings that conceal the sender's real address.

Okin believes that the high number of patches are a sign that Microsoft is quickly addressing its problems: "If you were to see no patches after we announced Trustworthy Computing, would you take that seriously? What we are seeing here is the result of the Trustworthy Computing initiative."

No matter how successful Trustworthy Computing is, however, the nature of complex software means Microsoft will never have completely secure code, Okin argued. "We are moving in the right direction, but there are going to be things that will be missed. Will we ever get to the stage where we have zero vulnerabilities, the answer is going to be no, because we are never going to get there with complex code," he said.

The two most recent vulnerabilities in Passport--Microsoft's central repository for personal information and credit card details--were discovered by third parties who repeatedly tried to warn Microsoft about the problems, but said they did not receive a reply. Okin could not comment on exactly why the researchers were ignored, but he confirmed that this is not standard policy.

"We accept that there are situations where finders--people that discover vulnerabilities--may find it difficult to make contact. When we do receive these emails--and we do receive quite a few--a great proportion of them are not new vulnerabilities. We take them all very seriously and investigate them as quickly as we possibly can," he said.

Many patches
Microsoft's customers have had their work cut out for them for the past month where it comes to keeping up with software bugs.

Since the start of May, Microsoft has created and released patches for Windows Server 2003, Windows 2000 Server, Media Player 9, Internet Explorer and Passport (twice). It also released Windows 2000 SP4, but many users had to apply a patch to correct a flaw in the service pack.

During the same month, Microsoft managed to annoy its Australian customers because the Windows XP activation servers fell over, leaving then with a voicemail message announcing that the service was unavailable. Windows XP is unusable without centralised product activation, although some business editions of the operating system do not require customers to activate them.

In the UK, there was chaos at many ports where staff had to revert to paper-based systems because their migration from a mainframe to Windows went wrong.

While Microsoft customers were applying these patches and fixes, the software giant launched updated versions of its Messenger client--which now includes multimedia features--and gave handheld operating system a facelift and name change, from Pocket PC to Windows Mobile 2003 Software for Pocket PC.