WASHINGTON (AP) -- Stung by criticism over lax software security, Microsoft
Corp. disclosed plans Thursday to update its flagship Windows operating systems
early in 2004 to make consumers less vulnerable to hackers.
Microsoft said the changes, announced by chief executive Steve Ballmer during
a trade conference in New Orleans, will be offered free in the next "service
pack" update to users of Windows XP and Windows Server 2003 software, the
company's latest versions for consumers and businesses.
The announcement was aimed at calming Microsoft customers increasingly
irritated by the ease with which hackers and others have broken into Windows
computers. Adequately protecting an average personal computer can take far more
time than many customers are willing to spend.
Better memory protection
Microsoft promised to improve the way in which Windows manages computer
memory to protect users against commonly exploited software flaws known as
buffer overruns, which can trick Windows into accepting dangerous commands. Some
of the most damaging attacks in recent months fall under this category.
The company promised to improve its built-in firewall feature, which has
drawn criticism in the past because it was not especially strong and was
routinely turned off in new copies of Windows. The update will automatically
turn on the updated firewall and enable companies to centrally manage each
computer's protective settings.
"Our goal is simple," Ballmer said. "Get our customers secure and keep them
secure. Our commitment is to protect our customers from the growing wave of
criminal attacks."
Keeping up with the patches
The changes were designed to improve security even for customers who fail to
diligently apply the dozens of repairing software "patches" Microsoft offers
each year.
For example, even computer users who did not install a protective patch for
the "Blaster" virus this summer would have been protected if they had known to
turn on Windows' built-in firewall, said Mike Nash, a vice president for
Microsoft's security business unit.
"We can have a shield in place where we can make sure the customer is
immune," Nash said.
Critics have said Microsoft releases far too many patches, which frustrate
employees responsible for installing them on hundreds of computers throughout
companies and which can interfere with other programs already installed.
"Microsoft treats security problems like public-relations problems," said
Bruce Schneier, the chief technology officer for Counterpane Internet Security
Inc. and a frequent critic of the company.
Microsoft promised to begin distributing these repairing patches monthly,
rather than weekly, and making the patches easier to install and to remove when
they conflict with existing software. The company said it still would rush out
an emergency patch midmonth if it determined hackers were actively breaking into
computers using a software flaw it could repair immediately.
It also promised a new Web site for consumers that will determine when
patches need to be installed for all other Microsoft products.