Information Security News mailing list archives

Microsoft renews security vows


From: InfoSec News <isn () c4i org>
Date: Wed, 4 Jun 2003 02:36:24 -0500 (CDT)

http://news.com.com/2100-1012_3-1012689.html

By Martin LaMonica 
Staff Writer, CNET News.com
June 3, 2003

DALLAS -- Microsoft has opened up its drive to improve software
security with a redesigned software patch management system and a
partnership with VeriSign to authenticate Web services.

The company pledged Tuesday to improve its system for sending out
security fixes, or patches, to existing products. Ninety-five percent
of attacks happen after a patch for a known software vulnerability has
been issued, said Scott Charney, chief trustworthy computing
strategist at Microsoft, during a keynote speech at the software
maker's TechEd conference here.

By the end of the year, the company intends to consolidate from eight
to two the number of ways that patches are distributed to customers.  
One of the two new systems will address changes to the Windows
operating system, while the other will apply to Microsoft's business
applications. Eventually, Microsoft will consolidate its patch
management into a single tool that can work across all the company's
products, Charney said.

In addition, Microsoft plans to ensure that Windows fixes add
themselves automatically to the operating system's internal registry,
rather than to different parts of the system. By introducing
consistency and by making sure all patches register as present within
the software, there's a better chance that fixes will be implemented
correctly, the company expects.

Improved patch installation is one facet of Microsoft's "Trustworthy
Computing" initiative, which debuted last year. As part of that
initiative, the company delayed shipment of several high-profile
products, including its Windows Server 2003 operating system and
Visual Studio.Net development tools, in order to perform audits and
code reviews, according to the company.

Charney said that the secure computing effort is ongoing. "We are now
doing security audits on all our products as part of development. We
have to do that, because the bad guys will innovate just like we do."

As expected, Microsoft also detailed Tuesday a partnership with
VeriSign, which will allow customers to use the Mountain View,
Calif.-based security company's digital certificate service to
authenticate a person's identity over a network of servers running
Windows Server 2003. The service, which should also work over Wi-Fi
wireless networks, is set to become available by the end of 2003,
according to the allies.

Also at TechEd, Microsoft launched two training and certificate
programs specially tailored to security concerns in an effort to
reduce vulnerabilities that arise from poor application configuration.

Both programs are extensions to the Redmond, Wash.-based software
maker's certified credentials for systems administrators and engineers
that address the design of secure networks. One of the exams is
administered by the Computing Technology Industry Association
(CompTIA), a computer industry trade organization.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

