News

Opinion: Ballmer Speech Short on New Approaches

• By Scott Bekker
• October 14, 2003

When you list all of Ballmer's proposals and promises, it looks like Microsoft is firing back at the problem with a barrage of initiatives. There's a new patch-release process, better patch quality control, extended security support for older operating systems, improvements coming to Software Update Services, consolidated patch technologies, training programs and changes to security defaults in Windows XP and Windows Server 2003. Pick these proposals apart one by one, and you see one significant change in approach surrounded by a lot of hoopla about pre- existing efforts.

First the significant change. Microsoft is now on record as acknowledging that it's not enough to use security as a carrot and a stick to drag users to a new release -- Trustworthy Computing's first focus was to review and fix code in development for future releases. Microsoft is accepting more responsibility for the massive user base out there. This came out in Ballmer's speech in two ways. First, he announced changes to security defaults and functionality coming in the next, free service packs for Windows XP and Windows Server 2003. Second, Ballmer announced that the period when Microsoft supports security hotfixes for Windows NT 4.0 Service Pack 6a and Windows 2000 Service Pack 2 is extended to June 2004. These are important and welcome changes.

The rest of the speech consisted of either previously announced initiatives or predictable changes to products or processes. Rather than showing a company turning on a dime, it is evidence of a huge bureaucracy churning through the process of supporting and incrementally improving its dozens of security products, tools and procedures.

Ballmer reiterated that Microsoft will consolidate its eight patching technologies down to two sometime next year. This is a good step that was first discussed by Microsoft executives in early summer. The free Software Update Services (SUS) will come out in a version 2.0 in the first half of next year. It's no secret that Microsoft has been working on improving this toolset, which has not been widely used in its 1.0 iteration and is typical of a 1.0 release in several (negative) respects.

Another area where Ballmer announced some obvious and much needed improvements came in the patch process. Microsoft now is committed to providing rollbacks for every patch, something that has been a glaring deficiency since well before the Blaster/Sobig.F problems. Microsoft also plans to reduce the reboot requirements for patches by 30 percent. Another welcome change, but again it didn't take a security catastrophe to see that this was a problem.

Microsoft disclosed a number of ho-hum training commitments such as online seminars and sessions for developers at the Professional Developers Conference. If Microsoft wasn't already offering some of this kind of training, that would be surprising.

There were some announcements of improvements to come to Windows XP in Service Pack 2 (first half of 2004) and in Windows Server 2003 Service Pack 1 (sometime later). More detail is needed on those improvements, which appear for now to be a default activation of XP's Internet Connection Firewall announced previously and an easier-to-deploy implementation of the quarantining technology already present in Windows Server 2003.

Major news out of the Ballmer speech was that Microsoft will now release security patches on a monthly schedule, except in cases of extremely serious vulnerabilities. The idea is to make the process more predictable and manageable for users. Although much of the IT community seems to think that Microsoft releases patches all the time, the company has actually been on a weekly schedule of Wednesday evening releases for a long time. Often, Microsoft goes several weeks at a time without issuing a new patch, making the monthly schedule a minor tweak from a timing perspective. Hopefully, the schedule will encourage Redmond to put better quality control measures in place, which would be a major improvement.

Those were the announcements of Ballmer's big speech. Hopefully this will be the opening salvo of a major rethink of security in Redmond that will be continually redefined into next year. If this is the "big" response to Blaster and Sobig.F, we're in trouble.