Microsoft makes security pledge

Tough new security testing methods are in place at Microsoft, and customers should start to see the benefits some time next year

Microsoft has pledged to improve security testing on its products by next year.

Speaking at the Information Systems Security Association conference in London on Thursday, Ed Gibson, chief security advisor for Microsoft UK, said the company's products are undergoing tougher testing than ever before but customers would not see the results until next year.

Gibson said: "The whole concept of trustworthy computing is taking a different approach. The lifecycle from origin to the product hitting the shelf is going through security testing like no other product that's gone out. But that's not where we're at yet.

"Microsoft is dealing with it. We're going through the lifecycle but we won't see the products through this until 2006."

Gibson, a former FBI agent recently appointed by the software giant, said there would always be a need for 'critical updates' — formally referred to as patches by Microsoft. "When a critical update is released, there are people out there intent on compromising every product. As soon as the update goes out there is something else to follow it. I ask you, will there ever be a time when we don't have to do updates?"

Microsoft currently issues patches on a monthly basis. From April to August this year, vulnerability monitoring firm Secunia has warned of 21 flaws in Windows XP Professional, 24 per cent of which are, according to Secunia, still unpatched by Microsoft.

Gibson said the 'exploit and update' cycle is not unique to Microsoft.

"It's for every product and an industry issue," he said. "[Exploits] are written by organised crime for extorting money. I don't know how you deal with that in an open source world. Worms and viruses don't start by themselves and we know there have to be more viruses for spammers to operate."