SCN: hmmm

Steve steve at advocate.net
Thu Apr 12 08:42:35 PDT 2001


x-no-archive: yes

=======================


Microsoft declares war on hostile code

(Robert Lemos, ZDNet News)---Can Microsoft beat the security 
bugs? That's the intent of a multipronged strategy that the software 
giant unveiled Tuesday at the RSA Data Security Conference. If 
successful, the strategy will allow users to have the customizability 
they crave, while eliminating the security holes that have been a 
chronic black eye, said representatives of the Redmond, 
Washington company on Tuesday.  

"The idea is, if you are a normal home user, to be able to turn on 
your PC, not do anything else, and you will be safe and secure," 
said Steve Lipner, manager of Microsoft's security response center.  

The project is aimed at waging what Microsoft is calling a "war on 
hostile code." Dave Thompson, vice president of Windows 
development for Microsoft, outlined the initiative during a Tuesday 
afternoon keynote at the conference here.  

The goal: Secure Windows XP. The newest version of Windows is 
due out this fall and will come in several flavors: one for home 
users, another for business users and a later version able to run on 
64-bit processors.  

"It's an unending war, I'm sure," Thompson said during his speech.  

Retiring the old Windows code--upon which Windows 95, 98 and Me 
are based--is the first step toward securing the PC. Or, as Lipner put 
it, "Windows XP is based on the Windows NT code base--it's a real 
operating system."  

With the ability to limit access permissions to particular users--a 
feature common in Unix and other "real" operating systems--
Windows XP will have more security right off the mark.  

Yet, Microsoft doesn't intend to stop there, Lipner said.  

Through a series of moves--including "spot the bug" e-mails, 
classes on writing secure code, and messages from higher-ups in 
the company supporting secure code--Microsoft hopes to focus its 
programmers on delivering bug-free and reliable code.  

"We are imbuing security into the company's culture, we really are," 
he said.  

On the Web site, the company has started posting update 
information in XML so other software companies can make update 
agents that can automatically check which updates the user needs. 
Without frequent patching, any operating system can quickly 
become insecure.  

The software giant also intends to start rating its updates on how 
critical they are for the computer user to install.  

Finally, Microsoft intends to add a number of applications and 
utilities to add security to Windows XP.  

System administrators will be able to configure systems' security 
using tools that will turn company policies--such as no personal 
Web surfing and no sending executables in e-mail--into specific 
settings.  

A personal firewall, or Internet-connection firewall, will give users a 
higher level of security right off the bat, Lipner said. And a 
"credential manager" will enable users to securely store their 
passwords for Internet sites on their computer in a digital vault. The 
manager will automatically give the passwords to the originating 
site, effectively letting people access all their accounts with a single 
sign-on.  

Yet will the move to security earn Microsoft praise or curses from its 
customers?  

Microsoft's customers showed how fickle they can be when many 
vocally panned the giant's decision last week to block, in the next 
version of Outlook, several types of e-mail attachments that could 
be used to spread viruses.  

However, Lipner said it can improve security without turning off its 
customers.  

"When we get to some of the new things that we have done--in 
particular the software-restriction policies and the components of the 
.Net. We have the ability to tune things so you can have your cake 
and eat it too."  

Copyright 2001 ZDNet Inc.





