MICROSOFT CHIEF executive Steven A. Ballmer said yesterday that there is "much, much, much" left to do to protect computer users from viruses, worms and other malicious software.
He outlined new steps the company plans to take to address this problem -- while acknowledging that these changes cannot solve it.
"There is no silver bullet," Ballmer said in a speech at the company's Worldwide Partner Conference in New Orleans. "Even if all the vulnerabilities were fixed tomorrow morning in all of the products, there's still 600 million computers... that would not have all of these vulnerabilities patched."
NOT DOING ENOUGH
Recent devastating software worms and viruses have earned Microsoft intense criticism, as well as a class-action lawsuit filed in Los Angeles Superior Court last week that accuses the company of not doing enough to guard the personal information of Windows users.
Ballmer described several changes to Microsoft's security strategy. He said the Redmond, Washington, company will issue security updates on a monthly schedule, except in "emergency" situations, to make it easier for users to keep their personal computers up to date. It will ship Windows with security precautions activated that are now left off. He also said the company will release security-focused updates to Microsoft Windows XP and Windows Server 2003 in the first half of next year.
Computer security "is without question the number one priority for the company," Mike Nash, vice president of Microsoft's security business unit, said in a phone interview after Ballmer's speech. He added that employees from across the company had been pulled to work on security efforts.
Ballmer said that, since most virus and worm attacks come only after vulnerabilities have been disclosed by the company or by security researchers, Microsoft is working with computer-security firms to make sure that they do not announce vulnerabilities before Microsoft has designed a fix.
"I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products. "It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers."
But no matter how fast Microsoft pushes out patches, users still have to install them - something Microsoft is trying to address with a new educational campaign that Ballmer also announced yesterday.
"I think people are taking computer security a bit more seriously; some of our clients are still cleaning up from the Blaster virus," said Josh Pennell, chief executive and founder of computer security firm IOActive Inc. "Computer security is almost like car insurance. Nobody wants it until their car gets totalled."
Jeff Jones, senior director of trustworthy computing at Microsoft, said earlier this week that his company had seen an increase in the numbers of users downloading security patches after an outbreak of viruses that began in August. "I hesitate to speculate on whether there is long-term learning going on there," he added.
Ken Dunham, director of malicious code at iDefense Inc., a computer security firm based in Reston, said Microsoft's plan to release only monthly updates "may give hackers extended time to exploit a vulnerability before a patch is released."
Other security professionals noted the lack of specifics in Ballmer's speech.
"There wasn't any detail to what kind of tools they will provide," said Richard Ku, product manager at Trend Micro Inc., a developer of anti-virus software. "Announcements never secured anything," said Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc. "The fact that some guy gets on stage and says a bunch of words does not make your computer secure."
Michael Frodyma, president of BooNet Inc., an Internet service provider based in Bethesda, said he worries about the unintended consequence of Microsoft's security patches. Some have disabled the computers of his customers - who have then blamed his firm for the problem. "One is frightened of what's around the next corner with Microsoft," he said. "You wake up the next day and suddenly something isn't working."