RealTime IT News

Microsoft Security Fightback Includes SUS Overhaul

As part of its all-out offensive to deal with what company officials now describe as a security "crisis," Microsoft has announced a major revamp of Software Update Services (SUS), a little-known tool that automates the deployment of security patches.

Burned by a significant increase in malicious worms targeting its software products, Microsoft chief executive Steve Ballmer announced SUS 2.0 would ship in the first half of 2004 with major feature changes to appeal to enterprise customers.

The Software Update Services tool is available -- for free -- to allow sysadmins to deploy critical security updates and service packs to Windows 2000 and Windows Server 2003-based servers, as well as to desktop PCs running Windows 2000 Professional or Windows XP Professional.

During a presentation at the inaugural Microsoft Worldwide Partner Conference in New Orleans, Ballmer asked for a show of hands of attendees who had heard of, or deployed, the free SUS tool. Based on the less-than-enthusiastic response, Ballmer said the SUS 2.0 upgrade was "almost like announcing" something new.

"Customers and you have been pounding us, pounding us, pounding us, for better patch automation solutions. We put something in the market. It's free, it's a downloadable thing, but we call it the Software Update Services. You can think about it as a server that a customer can install that talks to Microsoft Update and allows you to apply local policy for automatic distribution of patches the way Windows Update today can provide automated distribution of patches to consumer machines," he declared.

"It's a patch-deployment automation system. We are bringing out an update to that patch-deployment automation solution, Software Update Services 2.0," the Microsoft CEO added.

"Remember, the thing talks to Microsoft Updates. It sees all the patches. It will bring them down to a corporation, and then it will apply those patches to the systems in that corporation, with policy and with group machine management specified by you on behalf of our customers," he added.

Ballmer said the Systems Management Server (SMS) 2003 product, which launches on October 22, would be a superset of the new SUS 2.0.

The Microsoft boss said the SUS 2.0 tool would be heavily promoted by Microsoft to ensure enterprise clients are aware of its availability. "When I am back at this conference next year, I am going to ask people whether they've deployed Software Update Services 2.0. And if as few hands go up as went up today, I'm going to have a real issue with our product development people or with our marketing people, because, believe me, this is targeted at one of the key pain points that you and our customers have identified," Ballmer declared.

Getting down to the nitty-gritty of how the revamped SUS 2.0 will work, Ballmer said the tool can be used to scan machines, figure out what needs to be patched, apply the enterprise admin's policy and deploy the fixes.

"It adds no cost, at least of acquisition. It is something that we provide to you that you can provide with only your service costs involved to your customers, and the new version will be available in half one of 2004. We have got to help get the word out if we are really going to do the right job on behalf of our customers. This is the corporate equivalent of Windows Update for the consumer market," he declared.

Ballmer also announced Microsoft would extend security support for old software releases. For Windows 2000 Service Pack 2 and for Windows NT Workstations, Service Pack 6A, he said Microsoft would extend security support to June of next year.

The major strategy shift at the world's largest software firm includes a new plan to stop issuing weekly software patches for security vulnerabilities, part of an effort to avoid issuing updates on a "very unpredictable schedule."

Instead of software patches issued every Wednesday, Microsoft chief executive Steve Ballmer said the company would release monthly security patches except for emergency situations. "We have been putting out our patches on a very unpredictable schedule. We will now go to monthly patches -- no more than monthly. If we don't need monthly, we won't have them. But no more than once a month, except for emergency patches which will be made available essentially immediately," Ballmer explained.

Microsoft has also instructed OEM partners to turn on the Internet Connection Firewall (ICF) by default on all new Windows XP-based systems. The ICF, which is built into the XP platform, is not enabled by default on existing client systems.

The announcements from Microsoft come on the heels of two hard-hitting reports that argue that the U.S. government's increasing reliance on Microsoft software makes federal systems "susceptible to massive, cascading failures."

The reports, which suggested that the 'monoculture computing' reliance on only Microsoft operating systems and applications increases the risk associated with security vulnerabilities and computer viruses, have sparked industrywide discussion.