Microsoft to shift focus to security, experts say 'about time'
18th January 2002 (The Star)

SAN FRANCISCO: Computer security experts, who have long complained about holes in Microsoft Corp software, said on Thursday they were pleased to see chairman Bill Gates proclaim security as the highest priority after years of lip service.

In an e-mail sent to Microsoft's 47,000 employees on Tuesday and released to the press on Wednesday, Gates said focusing on the security of products, instead of new features, was vital to the success of the company's new .NET Web-based services strategy.

"It's about time," said Marc Maiffret, "chief hacking officer" at security firm eEye Digital Security, who discovered two security holes last month in Microsoft's new XP operating system, touted by Microsoft as its most secure ever.

"Because of Microsoft's dominant position in software, they have the ability to singularly affect the security of the Internet," said Bruce Schneier, chief technology officer of Counterpane Internet Security. "To have Microsoft as a company focusing on security will make the Internet a safer place."

In the past, Microsoft dismissed criticism, arguing that customers demanded functionality and convenience over security.

But an increase in the number of Microsoft-specific security problems over the past year has raised concerns just as the company begins rolling out its .NET platform.

The new software will not only make applications available over the Internet, but will increase the exposure of computer users to malicious hackers and viruses, experts say.

"They bet their whole company on the .NET strategy and if you can't trust Microsoft to sell you software on a CD-ROM you're certainly not going to trust them to provide you software online," said John Pescatore, research director at market research firm Gartner Inc.

As part of its new strategy, the Redmond, Washington-based software giant will provide security training to all 7,000 Windows developers over the next two to three weeks and examine all its Windows .NET server code, said Steve Lipner, Microsoft director of security assurance.

"Well actually, for over a year now we have really increased our focus and investment on security and privacy," Rick Belluzzo, Microsoft chief operating officer, told Reuters Television. "In fact we've introduced a number of new services for customers to be updated with the latest security releases."

Earlier, Microsoft announced that a US$660mil (RM2.5bil) legal charge from a proposed class-action settlement pulled its second-quarter net profit down 6 cents (23 sen) to 41 cents (RM1.56) per share from a year ago.

Cultural change

Microsoft executives acknowledge that the security directive will require a huge cultural shift at the company.

"What we're doing is a mindset change," said Pierre De Vries, director of advanced product development at Microsoft, who added that protecting the privacy of customer data would also be a priority.

Gates conceded in his memo that .NET could not succeed without the confidence of customers and an improvement in the company's reputation.

"Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company," Gates said.

"If I were in his position I'd be kind of embarrassed about all the problems they've been having," said Richard M. Smith, a Boston-based Internet security and privacy consultant. "The security and privacy problems have been getting worse, not better."

.NET server to benefit

Although Lipner said customers would notice changes in .NET server, experts said it would be a few years before the proof is in the products.

"It will be a lot of work, there's a lot of code there," said Gary McGraw, chief technology officer at Cigital, a Dulles, Virginia company that does software risk management.

While most viruses and security exploits affect Windows, last year two high-profile viruses, Code Red and Nimda, proved nasty for Microsoft Internet Information Server (IIS) users.

Pescatore urged people to switch from IIS, while British-based insurance underwriter J.S. Wurzler previously had raised its rates for IIS users.

While generally lauding Gates' action, Pescatore said he hopes Microsoft will do more to make it difficult for computer users to get themselves in trouble.

For example, they should ship Windows XP with the personal firewall turned on, instead of the default off setting.

"We'll truly have seen proof of change when they start proactively releasing advisories on security holes they've discovered themselves," Maiffret said, somewhat sceptically, of Microsoft. - Reuters