UPDATE: SAN FRANCISCO — Microsoft has diverted significant resources from development of its next version of Windows to the creation of an interim service pack for XP that will address security problems in current software releases, the company’s chief software architect said Tuesday.
During a keynote address to RSA security conference attendees here, Bill Gates, the chairman of Microsoft, promised even more measures the world’s largest software company is undertaking in order to make software less vulnerable.
With the zeal of the newly-converted on security religion, Gates explained to the audience of security specialists that, as more devices connect to networks, hackers are getting more sophisticated with their intrusion techniques.
Gates outlined his company’s efforts to bolster security across its product lines for the coming year and beyond, while calling for major changes in how network architectures are built and deployed. “We haven’t been able to keep the systems up to date in a very broad-scale way,” he said of current infrastructure.
Gates briefly acknowledged the recent news that parts of Windows 2000 and NT operating system code had been illegally leaked to the Internet. He reminded the audience that the leak was not the result of a breach in Microsoft’s network, nor was it related to the company’s shared source programs.
He pointed to a huge reduction in the number and type of security bulletins released for Windows 2003 Server, as opposed to the previous version. For example, he said Windows 2000 Server had 36 critical or important bulletins in its first 300 days after release, while Windows 2003 Server needed just six. “We’re not saying that’s a job done,” Gates said. “But even in the face of increased sophistication of hackers, this represents substantial progress.”
He said automatic updates are the key to maintaining security of Microsoft products, while admitting that the company hadn’t done a good enough job of educating customers about turning on the update feature in Windows. Now, the goal is 100 percent use of the feature.
Microsoft will add tools in Whidbey, the next version of its Visual Studio development tool, which will enable developers to create applications that do not need to run in administration mode, officials said.
Whidbey will also include an automatic scanning function to discover areas of code that might have security vulnerabilities, a feature that Microsoft acquired when it bought Intrinsa, which makes bug finder tools. The original plan, Gates said, was to offer the tool as a low-volume, high-priced specialty item. Now, after using it internally, Microsoft plans to incorporate it in every copy of Whidbey.
Zachary Utt, a Microsoft technical product manager, also demonstrated three new security features that are planned for Longhorn, the next-generation version of the Windows operating system. They included a Windows firewall, enhancements to the IE browser, and Windows Security Center.
Desktops will be shipped with the firewall on by default. Since some applications may not function properly through a firewall, Windows will prompt users at the time of an application’s launch, asking if they want to let the application access the Internet. The software will automatically create an exception for the application, which could later be modified by the user.
Officials said the firewall dynamically closes ports when applications are finished using them. The software will include a group policy console for IT administrators and the ability to set two separate profiles, for when the PC is inside and outside a corporate firewall.
Utt also demonstrated IE enhancements, which included a new “gold bar” in the browser header that will let users look at pop-ups or ActiveX controls that have been blocked. Users can set policies for individual sites, allowing them to always install, never install, or ask every time.
The security center displays the status of essential security settings and can recommend guidance for administrators when action needs to be taken. Available through XP Service Pack 2, it will alert users when antivirus software is off. It includes centralized security controls for the Internet, system settings and Windows firewall, and all can be managed through active group policy or scripts.
Gates’ address came on a security-themed day for Microsoft, which has just released a built-in virus scanner for its Windows XP Service Pack 2 (SP2) beta that will be included in the final product when it ships in mid-2004. Microsoft will also provide free online training to help developers make the most of SP2’s security features, Gates said.
“The key thing is getting SP2 out and updating systems with that,” Gates said. “There’s an immense amount of work here,” Gates acknowledged, and more to be invested.