Previews of Microsoft’s forthcoming server-stack software reveal a company brooding over improving its security.
At the company’s Professional Developers Conference next week in Los Angeles, developers will get an in-depth technical review of the next iteration of Windows, Longhorn. Microsoft is expected to focus attention on Longhorn’s underlying graphics and Aero, the new user interface.
At the conference, Microsoft will also deliver early beta code of Yukon, its next-generation database; Whidbey, the upcoming version of Visual Studio; and a sneak peek at Indigo, a Web services development framework under construction.
Longhorn, in particular, appears to be very much a work in progress. Company officials earlier this month dropped hints that the upcoming OS -- at least the completed server version -- will not see the light of day until sometime in 2006.
But the lofty ambitions Microsoft has for its next-generation OS, database, and development tools hinge on its equally ambitious security initiative, which was outlined by a number of top company officials earlier this month.
The new security initiative, described by Microsoft CEO Steve Ballmer as one of the top three or four “defining moments” in the company’s history, will weave “safety technologies” into the company’s core set of products and will simplify the company’s patching strategy, emphasizing collaboration with Windows application developers and business partners in an effort to deliver bulletproof solutions.
“Many of our customers view the security problems in Microsoft’s products as the single biggest stumbling block to adopting these technologies for their mission-critical applications. Unless these problems are solved, it will be very difficult for [Microsoft] to gain wide acceptance of their enterprise applications,” said Vijay Lal, director of product marketing at NetManage.
Many developers and corporate users agree. The severity of Windows’ security problems -- both current and future -- is enough to make them seriously contemplate other, more secure OSes.
“[Microsoft] appears pretty serious about curing the security ills they have, but I don’t know if I want to wait until we are well into 2004. We have been looking at some Linux-based things lately to see if they can give us what we need to run things more securely,” said Tom Gianetti, a systems analyst at a large financial services company in Boston.
Even as Microsoft redoubles its efforts to close Windows’ holes, just last week four new bugs were discovered in Windows Server 2003. The bugs are associated with buffer overflow, the chief technical means that hackers exploit to unlock doors to corporate networks.
Some analysts agree that the more time Microsoft takes in delivering ironclad solutions, the more incentive customers have to consider other OSes. But given the sheer mass of Microsoft’s installed base and its ongoing responsibility to deliver to this base dozens of competitive products, the company will always be constrained in its ability to build solutions quickly.
“Microsoft knows they have to fix this. To some extent they have created this issue for themselves through their own success and in the way in which they have managed their previous solutions. The only way out is to deliver on their promises,” said Chris LeTocq, an analyst at Guernsey Research.
LeTocq and other analysts have been encouraged by Microsoft’s urgency in addressing its security problems but have also expressed concern that fixing these problems will bring about others.
“To [Microsoft’s] credit, they have established this update process where they will get high-speed updates out to people who discover bugs, but it is a double-edged sword because you will get an update twice a week that you then have to implement and manage,” LeTocq said.
At the company’s partner conference in New Orleans earlier this month, Ballmer said one of the keys to making Microsoft’s security initiative successful will be working closely with its thousands of developers and partners to create seamless security solutions. Many developers are hopeful but have expressed healthy skepticism as to Microsoft’s following through with this suggestion of openness.
“Working with Microsoft collaboratively on development things, even as important as this, can be a double-edged sword. If they select you and your technology as strategically important, that’s always great news. But history suggests that what can also happen is they can buy you out or otherwise run you out of the business,” said an executive at a leading security software company who wished to remain anonymous.
But Microsoft appears eager to back up its promises. Last week, for instance, the company released its first monthly security update containing five vulnerabilities that were classified as “critical,” meaning they were “wormable.” Three of the flaws pertained to editions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003. The other two concerned only Windows 2000 and Exchange Server 5.5.
Going to a monthly delivery of patch releases is designed to help administrators better deal with an already heavy workload by introducing predictability into the process of fixing security holes.
Microsoft certainly has its obstacles to overcome along the road to rock-solid security. The company, in fact, has two really big problems, said Al Gillen, a system software analyst at IDC.
“First, users have this perception of Windows products and their level of security, and have given them low grades compared to other operating systems. Second, users do not have much confidence that Microsoft can get it right,” Gillen said.