Microsoft renews security focus

Microsoft has opened up its drive to improve software security with a redesigned software patch management system and a partnership with VeriSign to authenticate Web services.

The company pledged on Tuesday to improve its system for sending out security fixes, or patches, to existing products. Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued, said Scott Charney, chief trustworthy computing strategist at Microsoft, during a keynote speech at the software maker's TechEd conference here.

By the end of the year, the company intends to consolidate from eight to two the number of ways that patches are distributed to customers. One of the two new systems will address changes to the Windows operating system, while the other will apply to Microsoft's business applications. Eventually, Microsoft will consolidate its patch management into a single tool that can work across all the company's products, Charney said.

In addition, Microsoft plans to ensure that Windows fixes add themselves automatically to the operating system's internal registry, rather than to different parts of the system. By introducing consistency and making sure that all patches register as present within the software, the company expects a better chance that fixes will be implemented correctly.

Improved patch installation is one facet of Microsoft's "Trustworthy Computing" initiative, which debuted last year. As part of that initiative, the company delayed the shipment of several high-profile products, including its Windows Server 2003 operating system and Visual Studio.Net development tools, in order to perform audits and code reviews, according to the company.

Charney said that the secure computing effort is ongoing. "We are now doing security audits on all our products as part of development. We have to do that, because the bad guys will innovate just like we do."

As expected, Microsoft also detailed on Tuesday a partnership with VeriSign, which will allow customers to use the Mountain View, California-based security company's digital certificate service to authenticate a person's identity over a network of servers running Windows Server 2003. The service, which should also work over Wi-Fi wireless networks, is set to become available by the end of 2003, according to the allies.

Also at TechEd, Microsoft launched two training and certificate programs specially tailored to security concerns in an effort to reduce vulnerabilities that arise from poor application configuration.

Both programs are extensions to the Redmond, Washington-based software maker's certified credentials for systems administrators and engineers that address the design of secure networks. One of the exams is administered by the Computing Technology Industry Association (CompTIA), a computer industry trade organisation.


Talkback 1 comments

    Microsoft's Trustworthy Comput ...Anonymous -- 04/06/03

    Microsoft's Trustworthy Computing initiative is an all-or-nothing move to take control of the computer market and internet. It is Microsoft, their developers and the tech-hardware friends that believe that by a well-planned sneak of the (TCPA) technology (as DRM DMI) into software and hardware, they will have in the future an upper hand to dictate. The personal computer will be under complete lock-&-key of Microsoft and their developers and tech-hardware friends, and could have Washington back them up to hold the buyer "consumer" under the heavy hand of litigation from the liability they would hold from just wanting and using the equipment and software. Bad idea, security from Microsoft: seems I should hand the keys to my house now.
