Opinion: Ballmer Speech Short on New Approaches

In a major speech last week, Microsoft CEO Steve Ballmer gave the company's response to the current security furor instigated by the Blaster and Sobig.F outbreaks of August and September.

When you list all of Ballmer's proposals and promises, it looks like Microsoft is firing back at the problem with a barrage of initiatives. There's a new patch-release process, better patch quality control, extended security support for older operating systems, improvements coming to Software Update Services, consolidated patch technologies, training programs and changes to security defaults in Windows XP and Windows Server 2003. Pick these proposals apart one by one, and you see one significant change in approach surrounded by a lot of hoopla about pre-existing efforts.

First the significant change. Microsoft is now on record as acknowledging that it's not enough to use security as a carrot and a stick to drag users to a new release -- Trustworthy Computing's first focus was to review and fix code in development for future releases. Microsoft is accepting more responsibility for the massive user base out there. This came out in Ballmer's speech in two ways. First, he announced changes to security defaults and functionality coming in the next, free service packs for Windows XP and Windows Server 2003. Second, Ballmer announced that the period when Microsoft supports security hotfixes for Windows NT 4.0 Service Pack 6a and Windows 2000 Service Pack 2 is extended to June 2004. These are important and welcome changes.

The rest of the speech consisted of either previously announced initiatives or predictable changes to products or processes. Rather than showing a company turning on a dime, it is evidence of a huge bureaucracy churning through the process of supporting and incrementally improving its dozens of security products, tools and procedures.

Ballmer reiterated that Microsoft will consolidate its eight patching technologies down to two sometime next year. This is a good step that was first discussed by Microsoft executives in early summer. The free Software Update Services (SUS) will come out in a version 2.0 in the first half of next year. It's no secret that Microsoft has been working on improving this toolset, which has not been widely used in its 1.0 iteration and is typical of a 1.0 release in several (negative) respects.

Another area where Ballmer announced some obvious and much-needed improvements was the patch process. Microsoft now is committed to providing rollbacks for every patch, something that has been a glaring deficiency since well before the Blaster/Sobig.F problems. Microsoft also plans to reduce the reboot requirements for patches by 30 percent. Another welcome change, but again it didn't take a security catastrophe to see that this was a problem.

Microsoft disclosed a number of ho-hum training commitments such as online seminars and sessions for developers at the Professional Developers Conference. If Microsoft wasn't already offering some of this kind of training, that would be surprising.

There were some announcements of improvements to come to Windows XP in Service Pack 2 (first half of 2004) and in Windows Server 2003 Service Pack 1 (sometime later). More detail is needed on those improvements, which appear for now to be a default activation of XP's Internet Connection Firewall announced previously and an easier-to-deploy implementation of the quarantining technology already present in Windows Server 2003.

Major news out of the Ballmer speech was that Microsoft will now release security patches on a monthly schedule, except in cases of extremely serious vulnerabilities. The idea is to make the process more predictable and manageable for users. Although much of the IT community seems to think that Microsoft releases patches all the time, the company has actually been on a weekly schedule of Wednesday evening releases for a long time. Often, Microsoft goes several weeks at a time without issuing a new patch, making the monthly schedule a minor tweak from a timing perspective. Hopefully, the schedule will encourage Redmond to put better quality control measures in place, which would be a major improvement.

Those were the announcements of Ballmer's big speech. Hopefully this will be the opening salvo of a major rethink of security in Redmond that will be continually redefined into next year. If this is the "big" response to Blaster and Sobig.F, we're in trouble.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
