RealTime IT News

Has Microsoft Made Security Strides?

Two years after Microsoft CEO Steve Ballmer announced a corporate-wide focus on security, Microsoft claimed that the company is fulfilling its promise.

At Microsoft's Worldwide Partner Conference held July 8-10 in Minneapolis, Mike Nash, corporate vice president of Microsoft's Security Business and Technology unit, told attendees how security has improved over the last two years in Microsoft products.

According to Microsoft, Windows XP SP2 users are "13 to 15 times less likely to be infected by some of the most prevalent malicious software relative to customers using earlier versions of Windows XP."

In comparison with Windows XP Service Pack 1 and Windows 2000 Professional, Nash said, SP2 had half the number of critical vulnerabilities during the first nine months of its release. Over 218 million copies of SP2 have been distributed to date.

Nash also highlighted Microsoft's security applications, including the Windows Malicious Software Removal Tool (MSRT), which has been executed 831 million times since its introduction in January.

Microsoft's Security Development Lifecycle (SDL) initiative, which was announced in 2003, has resulted in more secure Windows applications, according to Microsoft's data. Over 15,000 Microsoft developers have received SDL-related training to date.

SDL gives Microsoft a security advantage over open source competitors in Nash's view. Open source server and database applications have had a greater number of security vulnerabilities than SDL-developed products like Windows Server 2003 and SQL Server 2000, according to a Microsoft-sponsored study cited by Nash.

Over a 12-month period, SQL Server 2000 running on Windows Server 2003 had 27 High severity security issues and 36 other security issues. In comparison, MySQL running on Red Hat Enterprise 3 had 41 High severity issues and 75 other security issues.

"Customers should evaluate the disciplined development process that comes with Microsoft products against open source, which has no similar process," said Nash in a statement. "That, coupled with our clearly defined commitment to managing security issues, is a compelling differentiator for Microsoft against other platforms on security."

Microsoft's open source competitors, though, have their own research showing that their products' code is superior. Back in February, MySQL was shown in a study by Coverity to have fewer software defects than its commercial competitors, which include Microsoft's SQL Server.

Though Nash highlighted Microsoft's security successes, Microsoft still has its share of security issues. In early July, a security firm revealed a flaw in Internet Explorer that potentially left users at risk from hackers over the July 4 weekend.

Microsoft issued a registry key update four days later and is expected to issue an update through its monthly patch cycle tomorrow.