Microsoft faces up to security obligations

Microsoft chief executive Steve Ballmer says the technology industry has reached a 'defining moment' in its approach to tackling IT security.

The software giant is often identified as a major contributor to the problem, because the number of patches it releases are frequently used by hackers to create new viruses.

But Ballmer told delegates at Microsoft's worldwide partner event in New Orleans last week that the supplier has recognised its own responsibilities and said the whole industry needs to do more.

'There come times in an industry's and in a company's existence when you have to step back and listen to what people say and take that as a defining moment,' he said.

'Our whole industry is threatened, in my opinion, by people's fears to do new things because of security issues.'

Ballmer says Microsoft realises that poor IT security has much wider implications for users and suppliers.

'If we suck all of our customers' confidence down because of security problems in the industry, if we consume all of our customers' resources simply managing security for the long run, the great and wonderful and innovative future that I anticipate, isn't going to happen the way I think it should,' he said.

Ballmer accepted that the number of patches issued by Microsoft has grown, but says hackers are becoming more adept at developing viruses to take advantage.

The Nimda virus emerged 331 days after a patch was released, but it took just 25 days to create Blaster, which caused problems worldwide in August.

'The hacker community uses our patches as blueprints to our vulnerabilities,' said Ballmer.

He called on authorities to crack down on cybercrime.

'These people are criminals. They aren't cute hackers and we are working with law enforcement to make sure they are found and brought to justice. The threat of jail must be a deterrent and we are working with law enforcement to push for prosecution.'

Graham Titterington, principal analyst at Ovum, says Microsoft has recognised that security is not just about users spending lots of money on fancy products.

'Just as in the nineteenth century when civil engineers working on providing clean drinking water and effective sewers did far more for longevity and health than the medical professionals, Microsoft is showing that the key movers in IT security are not the security vendors,' he said.

Beatrice Rogers, ebusiness programme manager at supplier trade body Intellect, says security is a problem for everyone involved in IT.

'Security is one of the key issues facing take-up of services, but it goes deeper than just security - it's about trust and confidence as well. That's the main focus. You can have something that isn't 100 per cent, but it's still trusted. Government, citizens and industry must work together to increase trust and confidence,' she said.

Ballmer also announced unveiled new security technologies that will feature in the next upgrades of Microsoft's desktop and server operating systems, including automated patching for business customers, and more secure default internet settings.

Early next year, the supplier will ship version 2 of its free Software Update Server patch deployment automation system, which automatically downloads bug fixes according to policies set by the customer.

Windows XP service pack 2 will feature additions such as a firewall switched on as standard, more secure default email settings and better protection from malicious code on web sites, as well as technology to reduce buffer overruns that are often exploited by virus writers.

Microsoft is also working on a service pack for Windows Server 2003. It will include inspection technologies to scan a machine in a remote location, such as a laptop or home PC, and stop connections to the corporate network if it is carrying a virus.

Both service packs will go into beta testing early next year, and are expected to ship in the second half of 2004.

Additional reporting by Iain Thomson and Emma Nash