Microsoft launches new Aust security effort

Microsoft is gearing up to hold another series of security summits around Australia mid-year following the success of the first round of events held from 1-18 March.

Microsoft Australia security team leader, Ben English, told ZDNet Australia the software heavyweight planned to cover "slightly more advanced" topics at the second round of summits, due to be run during the first three weeks of June. Whereas the first summits scoped out the security issues facing corporates, the second series will focus more on specific areas, such as perimeter defence. The events -- to be dubbed the Security and Management Summits -- will be split into streams covering security and management, with the latter stream focusing in part on the company's dynamic systems initiative. Under that initiative, launched on 18 March last year, Microsoft and partner companies are looking to deliver hardware, software and services products that ease customers' management of information technology infrastructure, with particular emphasis on the dynamic allocation of resources to tasks on an as-needs basis.

English said he had invited George Stathakopoulos, Microsoft's director of product security, to return to Australia to present at the next round of seminars. Stathakopoulos told ZDNet Australia via e-mail he hoped to make it, describing the sessions as "a good metric of our progress".

The first round of seminars, held in capital cities around Australia, attracted around 4,500 information technology professionals and developers.

English said the seminars would be "at least as big as the first", with the management focus allowing the company to "hit the enterprise a little bit more".

Dates and locations for the second round of summits are:

  • Canberra: National Convention Centre, Monday 7th June
  • Melbourne: Grand Hyatt, Wednesday 9th June
  • Brisbane: Brisbane Convention Centre, Friday 11th June
  • Perth: Sheraton Perth, Tuesday 15th June
  • Adelaide: Hilton Adelaide, Thursday 17th June
  • Sydney: Sydney Convention and Exhibition Centre, Tuesday 22nd June

Mobile text security alerts for US

English also revealed a mobile phone service allowing subscribers to receive text messages warning of critical security alerts, presently only available in Australia, was likely to be extended to Microsoft customers in the US.

The service -- for which around 3,000 customers have signed up Australia-wide -- is activated when a critical security alert is issued. The software heavyweight's support services post the alert to the mobile texting service, which delivers to the subscriber's mobile phone a generic description of the alert and a URL at which they can discover more, including patching and mitigation strategies. Stathakopoulos told ZDNet Australia that Microsoft in the US was "still working on this" and hoped "to have something rolling out soon".

English also told ZDNet Australia that Microsoft Consulting Services was now undertaking three audit engagements at client companies to establish their risk profile and test the effectiveness of a new packaged security services offering.

Internet Explorer flaw
Security remains an ongoing problem for Microsoft, highlighted recently when experts based at AusCERT in Queensland warned on 5 April of a phishing scam which exploited a flaw in Internet Explorer to trick users into downloading malicious software which would e-mail back to fraudsters any usernames and passwords used in Internet banking.

The AusCERT advisory, which remains available on its Web site, features the warning: "AusCERT recommends that users of Internet Explorer avoid visiting Web sites of untrusted origin, or avoid completely the use of Internet Explorer, until a patch is available from Microsoft."

The vulnerability, in the handling of "Windows Help" files by Internet Explorer, allows the remote execution of arbitrary code on a local computer by a malicious Web site, according to AusCERT.

Microsoft, which originally distributed an e-mail through its public relations company indicating the flaw had previously been identified and patched in December, conceded on Wednesday evening the flaw may be a new one.

English said the matter had "been escalated and it's under investigation ... it looks like a new vulnerability".

"If it requires a patch, rest assured [we're] working on it as quickly as possible".

Security outlook
However, Microsoft is undertaking a raft of initiatives designed to boost security, with major improvements pending in Windows XP with the release of Service Pack 2. These include default use of Windows' built-in firewall and memory management technology to limit exploitation of buffer overruns.

It has also improved the delivery of software patches with the new Windows Update Services and Systems Management Server 2003, a collection of tools designed to allow information technology managers to quickly test and deploy updates.

The initiatives have generally been lauded by the security community, with the editor of NTBugtraq and chief scientist at security specialist TruSecure, Russ Cooper, describing some of the features of Windows XP SP 2 as "representing a huge step forward for Microsoft".

Cooper nominated in particular:

  • enhancements to Outlook Express 6 enabling it to turn off HTML-based e-mail, and dramatic attachment restrictions; and
  • the blocking of Server Message Block and NetBIOS by default, breaking the legacy connection between XP and prior versions of Windows.

However, he was less complimentary about areas being researched by Microsoft, which include "active protection technologies" designed to allow computers to react intelligently to potential threats.

"As far as ... Gates' statement about forward-thinking technologies, they sound wonderful, but it remains to be seen whether or not Microsoft can deliver such technologies and whether or not such techniques will be effective against the threat they intend to thwart.

"Spammers and attackers have shown themselves to be very versatile, to be able to shift with technology changes."

Cooper delivered a quick jab at Microsoft for the time taken to deliver security features to its massive user base. "In general, I would say it has taken (Microsoft corporate vice-president, security business unit) Mike Nash two years now to build product ideas to fill in the slots he had in the Security Business Unit.

"It's a shame it's taken so long, as the needs haven't changed much in that time.

"What they say they're working on we needed as much two years ago as we need today.

"Let's hope it doesn't take another two years".

However Stathakopoulos, while conceding the issue, defended Microsoft's position.

"It takes time to build software," he wrote in his e-mail to ZDNet Australia.

"When it comes to security products we have to be even more diligent.

"We need to make sure we provide the increased level of protection with great quality and at the same time minimise the attack surface that gets introduced with new code.

"Also, as you innovate, at times you have to go back to the drawing board and ensure that you provide the right solution for a given problem.

"You can see in XP SP2 we are approaching security solutions from many different angles, so getting everything to work correctly and with high quality does require some time."