Thursday, 17 January, 2002, 16:57 GMT
Microsoft to tackle security failings
[Image: cover of 2600 magazine. Caption: Microsoft regularly targeted by hacking groups]
Bill Gates has declared war on Microsoft's insecure software.

In an e-mail sent to every member of the software giant's staff, Mr Gates said computer security was key to making its future products acceptable to consumers and businesses.

But others have questioned his sudden conversion, saying the change comes too late and ageing Microsoft products will be a problem for years to come.

Others have said the e-mail looks like a PR stunt, and is in stark contrast to Microsoft's attempts to limit the spread of information about the security failings of its products.

Security lessons

Mr Gates dubbed the new initiative outlined in the e-mail as "Trustworthy Computing", and said it had to become "the highest priority for all the work we are doing".

He warned that unless Microsoft products are secure and trustworthy no-one will risk using them for the kinds of web-based services it is betting its future on.


Anyone at Microsoft writing software who has to choose between adding new features and making them more secure should choose security every time, he said.

"Our products should emphasise security right out of the box, and we must constantly refine and improve that security as threats evolve," wrote Mr Gates.

Many Microsoft watchers have compared the e-mail to the moment in 1995 when the company recognised the importance of the internet, and to the announcement in June 2000 of the .Net initiative, which updated this web-centred strategy.

Security failings

But others are more sceptical about the substance of the e-mail.

"It's about time, perhaps overdue," said David Smith, an internet strategist at research firm Gartner.

Mr Smith said that, until now, Microsoft products had done much to undermine the security of the internet.

[Image: a box of Microsoft software. Caption: Windows XP was vulnerable]
The biggest virus outbreaks of the last two years can all be traced to vulnerabilities in Microsoft software, especially its popular Outlook e-mail program.

The Code Red worm, which disrupted the lives of tens of thousands of net users, spread by exploiting problems with Microsoft's Internet Information Server.

Even XP, which Microsoft has declared its "most secure operating system ever", is not free of security failings.

In late December, eEye Digital Security discovered a hole in Windows XP which could have been used by malicious hackers to take remote control of a PC.

Even Scott Culp, Microsoft security manager, called it "a very serious vulnerability".

PR problem

The same Mr Culp criticised security researchers recently for their zeal in spreading information about weaknesses in Microsoft software.

He said the swift circulation of vulnerabilities alerted vandals and malicious hackers to their existence, and fostered attempts to exploit the loopholes.

Viruses caught in the last 12 months (source: MessageLabs)

Feb 01 - 46,291
Mar 01 - 27,186
Apr 01 - 33,606
May 01 - 95,590
Jun 01 - 60,497
Jul 01 - 144,225
Aug 01 - 229,069
Sep 01 - 204,650
Oct 01 - 164,690
Nov 01 - 268,740
Dec 01 - 479,703
Jan 02 - 115,011

Instead, Microsoft would prefer if the vulnerabilities were kept quiet until patches could be developed.

Many said the desire to limit who gets to know about security problems was simply an attempt by the corporation to stifle bad news.

"Microsoft treats security vulnerabilities as public relations problems," said respected security researcher Bruce Schneier in a recent edition of his widely-read Crypto-Gram newsletter.

He said Microsoft should be more open about its products, especially as most of the loopholes are discovered by independent researchers.

Mr Schneier cited a study by Megan Carney at the University of Minnesota which showed that barely 10% of the software vulnerabilities reported to the Computer Emergency Response Team in 2001 were discovered by the makers of a program.

As an example, a recent article in the self-styled hacker quarterly 2600 declared that compromising Passport, Microsoft's method of identifying .Net users, was "easy to accomplish".

Alex Shipp, senior anti-virus technologist at MessageLabs, said he doubted Microsoft's conversion to the cause of good security would make much difference because so much of its software was already in circulation.

"We have seen things getting worse every year," he said.

Microsoft faced more problems than most because its software was complex, widely used, often poorly administered and was regularly targeted by both malicious hackers and virus makers, said Mr Shipp.

"The virus writers always go for the things that spread their virus best," he said. "They target Microsoft because it is so successful."
