Security could be Achilles' heel for Microsoft

The technology giant is seeking to put improved defence measures in place, writes Jamie Smyth. A recent spate of high-profile virus attacks has highlighted software products with security flaws.

Just a year after promising its customers that it would make its products more secure by setting up a company-wide trustworthy computing initiative, Microsoft faces serious questions over its credibility following a spate of high-profile virus attacks in recent weeks.

Internet security experts estimate that the fast-spreading Blaster worm and Sobig virus have cost businesses and consumers hundreds of millions of euro due to system failures.

Both the worm and the virus exploited security flaws in Microsoft's Windows operating system, which is the standard for almost 95 per cent of the world's personal computers. Other recent worms, such as Slammer and Welchia, have also successfully targeted other widely used Microsoft packages such as its popular Office and SQL Server products.


Even some of the most secure systems fell victim to the plague of viruses. In one incident, which occurred in January but which was only reported last month, the computer systems at the Davis-Besse nuclear power plant in Ohio crashed for five hours because of the Slammer worm. The industry group overseeing the US electricity grid has also warned that there are documented cases in which bulk electricity control was impaired by the same worm.

According to Mr John Pescatore, senior researcher at US consultancy Gartner, the level of attacks has reached a peak not seen since 2001, when the Nimda and Code Red worms hit.

These attacks prompted firms to increase their security and pressured Microsoft to begin an initiative to make its software more secure. Gartner suggests companies have not learnt from these earlier security breaches by viruses. Many have subsequently cut headcount and expense in the divisions responsible for keeping their computers secure, leaving their systems vulnerable.

The Gartner report argues that companies need to take greater precautions and, crucially, to continue to pressure Microsoft to improve its processes for managing vulnerabilities, assessing threats and managing the software patches used to guard against viruses exploiting software flaws.

The subtext to the Gartner analysis is that the world's biggest technology firm is not doing enough to protect the interests of its customers. So is it?

"We can always do more and that is really the lesson that we have taken from the recent worm attacks," says Mr Scott Culp, senior security strategist for Microsoft's trustworthy computing team. "It is clear that there is still a lot of work that we need to do."

Mr Culp is one of the key strategists working to deliver Microsoft's "Trustworthy Computing Initiative", which was set up early last year by its co-founder and chief software architect Mr Bill Gates, in response to concerns about security flaws found within its software.

"At the beginning of last year we had a call to action across the company to focus on the four areas of security, privacy, reliability and business integrity. We are pressing ahead on all four fronts," says Mr Culp.

He believes security concerns are the crucial factor preventing people adopting a number of new cutting-edge technologies.

Over the past year, Microsoft has introduced several initiatives to improve the security of its products and better educate users about security issues, Mr Culp says. These include awareness programmes such as Microsoft's "Protect your PC campaign" and a more open approach to sharing its source code with customers and national governments.

Sensitive to criticism that the firm, in the past, has released software with numerous security flaws in its code, Microsoft delayed the introduction of its server 2003 product last year for three months to undertake a "software scrub". It recently did the same with its Office 2003 product, which will now not be on the market until at least October.

"We can't be tied to a fixed release date - rather, we are seeking security standards," says Mr Culp. "We've started to evangelise this throughout the company."

But security is an industry-wide problem and not just a Microsoft problem, according to Mr Culp, who believes Microsoft is sometimes unfairly targeted with blame.

"It is one of the costs of being a market leader," he says.

But after the recent attacks on global computer systems, businesses are beginning to view security as a priority issue - a trend that Mr Culp describes as "a buying issue". With Microsoft coming under significant pressure in the business market from the Linux operating system, its performance on security will be scrutinised closely over the next year by firms.

But business is not the only big loser from the recent spate of viruses that exploited security flaws in Microsoft's software. As more and more consumers go online and sign up for high-speed broadband products that are often connected to the Web 24 hours a day, seven days a week, home users are increasingly at risk of being infected by a computer virus or worm.

In fact, most security experts contend that home computer users and small businesses are particularly vulnerable to attack because they are less likely than big firms to regularly update their anti-virus software, download software patches to fix software flaws or set up expensive firewalls to repel attacks.

Acknowledging this weakness, Microsoft is proposing to update consumers' computers with the latest Windows security patches automatically. The software giant could do this by setting the "auto-update" feature in Windows XP as a default mechanism on the software. It is also examining whether it should make the firewall feature in Windows XP a default for consumers.

Customers who had these two features set up on their operating systems experienced few problems from the Blaster worm, according to research by Microsoft.

The company is also co-founder in an industry-wide group called the Trusted Computing Group, which includes software and hardware makers such as Hewlett-Packard, IBM, Intel and AMD.

This group is seeking to develop technology that would prevent users from running any software without a specific cryptographic signature. The technology - code-named the "Next Generation Secure Computing Base" - is a new concept in computer platforms, which ties security to both hardware and software, says Mr Culp.

Some fear this technology will cede too much control to individual software vendors, such as Microsoft. It also promises to eliminate software piracy, a long-term goal of the industry, when it is introduced over the next few years.

But Microsoft is already boosting security around some of its hardware products.

"One of our big goals is to make the hardware and software interact seamlessly, so that the consumer doesn't have to know whether it is the hardware or software that is offering protection," says Mr Tom Gibbons, head of Microsoft's hardware division.

Like every other division within the company, Mr Gibbons' hardware group spent two months last year reviewing all its products, by decree of Bill Gates.

This has already resulted in better security in some products, according to Mr Gibbons.

He cites the example of Microsoft's new wireless mouse, which has no power cord or leads attached and was released last week in the US.

This wireless mouse interacts with a smart receiver using a free wireless spectrum based on the 27 megahertz band. The first generation of this product had just 1,000 security codes and led to a few incidents where users of the mouse inadvertently could move the cursor on neighbouring computers.

Potentially, this could enable users to change data inadvertently or enable a malicious hacker to seize control of a person's computer.

"We didn't solve that problem, we crushed that problem," says Mr Gibbons. "We went from an industry standard of about 4,000 codes to 65,000 codes."

Microsoft may consider phasing out this particular wireless technology, which is cheap because it is based on free radio spectrum but also less secure than alternative technologies. Instead, the company could move all its products to the alternative Bluetooth platform, which is more secure, says Mr Gibbons.

The weaker security in the first Microsoft wireless mouse illustrates a trend with its software - the first generation of certain products are unlikely to be as secure as later generations.

This is hardly surprising given the sheer volume of code required in new Microsoft products. For example, Windows XP was built from some 45 million lines of code, and the next generation of its operating system will probably incorporate more.

Mr Culp freely admits a perfect security solution is not feasible.

"Software development is a human process and, therefore, open to human error and never perfect," he says. "But we can try to reduce the number of flaws as close to zero as possible."

Given the recent spate of virus attacks against Microsoft software, the firm will have to convince its customers that it can achieve this. It will also have to prove that it is finally placing security concerns above pure commercial decisions such as product release dates.

After all, with almost $40 billion (€35.8 billion) in the bank, Microsoft can afford to invest more than any other company to find solutions to the security problem.

If not, its rivals may have found a chink in the Microsoft armour that could ultimately undermine its stranglehold on the computer industry.