Microsoft tries to cage security gremlins

Security flaws have become a regular occurrence for Microsoft lately, and a new conference aims to change the kind of information the software giant releases
Written by Robert Lemos, Contributor

Microsoft's security response centre must be feeling a little punch-drunk these days.

After the one-two combination of the Code Red and Nimda worms that targeted the company's server and PC software this past summer, the titan announced an initiative in early October to promote security-savvy administration among its partners.

However, almost every week since it announced its "Strategic Technology Protection Program," a new security flaw has cropped up. In the past few weeks, holes have been found in Excel and PowerPoint and a new system for protecting music content. A major security patch was issued for Windows XP, and the company had to shut down part of its Passport service to fix a set of flaws in the technology that Microsoft hopes will become the foundation of its .Net initiative.

The company will have to do some fancy footwork to quell concerns of its .Net partners and current customers, said John Pescatore, an analyst with research firm Gartner.

"Microsoft realises that they have to be perceived as a more secure company if .Net is ever going to be a success," Pescatore said. In a column following the outbreaks of the Code Red and Nimda worms, the analyst urged companies hit by both attacks to consider alternatives to Microsoft's Internet Information Server (IIS) software.

This week, Microsoft will meet with security experts, privacy advocates and policy-makers at its Trusted Computing Conference in Mountain View, California.

The meeting of the minds in the security world will let the software giant renew its push to rewrite the ground rules for disclosing information about vulnerabilities. Moreover, reducing details in the independent advisories that illuminate the holes in the company's products could give Microsoft a bit of breathing room to respond to the flaws before malicious hackers target its customers.

That could also help the company regain some of the credibility lost in the recent security compromises.

In a recent essay, Scott Culp, program manager for Microsoft's security response center, lambasted researchers and hackers who provide snippets of program code to illustrate how a particular vulnerability can be exploited. Known as exploit code, the partial programs usually make it easier to develop hacking tools and worms that attack computers using a specific vulnerability.

"It's high time the security community stopped providing blueprints for building these weapons," he wrote in the essay.

Many believe that is what happened in July, when more than 360,000 computers running Microsoft's Web server software fell prey to the Code Red worm, a program that took advantage of a vulnerability known as the printing ISAPI flaw. While the company that found the flaw, eEye Digital Security, worked with Microsoft to create a fix, it also discussed details about the exploitation of the vulnerability in its advisory.

It's Microsoft's aim to curtail hackers' access to such details.

"For its part, Microsoft will be working with other industry leaders over the course of the coming months to build an industrywide consensus on this issue," Culp wrote.

Yet others worry that Microsoft's main motive is to dial down its own public-relations disasters.

"This conference is an ambush to push through Microsoft's beliefs on limited disclosure to make it seem to be endorsed, when the larger community hasn't even seen any details," said Russ Cooper, research director with security firm TruSecure.

In the latest security faux pas, Microsoft released an update for Windows XP that included, by Cooper's count, five security fixes, but the company has issued advisories on only two.

"They promised more information to people about how to become secure and stay secure, but what do we get? They keep ignoring the consumer," he said.

Electronic rights activists, worried what Microsoft's overarching plan for ubiquitous online services -- known as .Net -- may mean for privacy, aren't comforted by the fact that the giant has yet to prove it can secure its systems.

Last week, a software engineer demonstrated a way to use several flaws in the company's Passport authentication system, the key to security for .Net.

"The security lapses further support our claims that Microsoft's guarantees of privacy and security are deceptive and unfair to consumers," Marc Rotenberg, director of the Electronic Privacy Information Center, wrote in a letter to the Federal Trade Commission. "Further, Microsoft's failure to disclose the actual risks associated with the collection and use of personal information in the Passport service constitutes an unfair and deceptive trade practice."
