Print

Email story

Comment

Letter to the editor

Quest to keep PCs secure is continuous

As users wonder about the safety of computers that are always on, Microsoft tries to balance security with usability in its software programs.

By DAVE GUSSOW
Published July 19, 2004

A computer owner for only five months, Ray Snow does his duty to protect his PC. He has a firewall. He downloads security patches from Microsoft. He uses antivirus software.

Snow, 70, of New Port Richey tried to install other safeguards, such as Spybot and Ad-aware, to handle stealth spyware intrusions, but found it confusing. So the retiree has a question:

"Why do we have to go to foreign sources (for Spybot and Ad-aware) to fix a system from Microsoft that they ought to be able to fix themselves?"

It's a question a lot of people are asking this year, from consumers such as Snow to high-tech security experts. Microsoft, with its dominant Windows operating system and Internet Explorer browser, makes a big target for people who try to break into computers with viruses, worms and other malicious code.

And this year, with electronic attacks coming from almost every direction, Microsoft finds itself in the spotlight - again - for software that many see as too susceptible to attacks and outside intruders.

This month, security groups urged people not to use Microsoft's Internet Explorer browser because of its vulnerabilities and the company's inability to sufficiently patch the problems.

The U.S. Computer Emergency Readiness Team's Web site publishes regular warnings about problems with the browser. A headline over a BusinessWeek magazine column blared "Why I'm Staying Away From Internet Explorer," and ZDNet UK's Web site called it "2004: Internet Explorer's year of shame."

For its part, Microsoft says it is working on security issues. It will release the Windows XP Service Pack 2, possibly next month, a free upgrade that will include enhanced and easier-to-use security features. That by itself wouldn't be a major event, except for this year's epidemic.

Microsoft is aware of its customers' concerns, said Laura DiDio, an analyst with the Yankee Group, a market research company. "But given that they are both the No. 1 desktop, server and Office application vendor and are the No. 1 hackers' target, they will never completely slay the dragon," she said by e-mail. "And of course, it's an ongoing war."

In 2002, Bill Gates, Microsoft's chairman, vowed that the company would make security its top priority and created what he called the trustworthy computing initiative.

Last fall, Scott Charney, Microsoft's chief trustworthy computing strategist, told a congressional hearing on cybersecurity that the effort had produced "a quantifiable decrease in vulnerabilities" in the company's software.

Yet the software giant is having a hard time convincing people whose computers have been infected by viruses and worms, whose Web surfing is tracked by spyware and whose screens are plastered with popup ads that things are better.

But, experts say, the situation today reflects more than software that needs patching.

"You can't put an unprotected computer on the (Internet) for more than 20 or 30 seconds without something attacking it," said Andrew Brandt, senior associate editor at PC World magazine, citing a project that uses unprotected PCs as bait.

Among the factors they cite for the current security crisis:

* Hackers grow up: Instead of teens infiltrating software as a prank, criminals are trying to steal data for financial gain. Many are in foreign countries where there may be no laws, and little law enforcement, pertaining to high-tech crime. And the technology they use is increasingly sophisticated.

* A connected world: The computer may be in the family room, but if it's online, it's part of a worldwide network. And it's a target.

"The best security technology in the world will be of no avail if corporate end users fail to hold up their end," DiDio said. "That means customers must assume 50 percent of the responsibility for keeping their networks and software secure."

* An inviting target: Microsoft's security efforts sometimes invite attacks. For example, the company can announce that security updates are available for download, which tips hackers about vulnerabilities. Because many consumers delay installing the updates or ignore them, it leaves their systems open for attack.

In fact, a yearlong study by Forrester Research found that of nine major malicious code incidents in March 2003, Microsoft had fixes available an average of 305 days before the problems occurred. But customers didn't download the patches.

"It's something that consumers, technology vendors, ISPs and other software providers all need to work together to address," said Gytis Barzdukas, director of product management for Microsoft Security Business and Technology.

* Form vs. function: Microsoft walks a delicate line. Its customers want features that allow the software to do a lot of things, but some of those functions open doors for security problems.

Under particular fire is Microsoft's use of technology called ActiveX, which essentially lets a Web page act like a regular Windows program. One of its uses makes it easy to handle Windows Updates.

But hackers have targeted ActiveX as a route to get into the Windows operating system. Microsoft has tightened ActiveX's reach, and Service Pack 2 will make further security changes to it.

"Is it Microsoft's fault for having those features?" PC World's Brandt asked. "I don't know if you can blame them."

The problems have people at least talking about alternatives, such as the Mozilla and Opera browsers. But this month, Mozilla's developers had to come up with a patch after a vulnerability was found.

And the Forrester report, which asked, "Is Linux More Secure than Windows?" essentially answered the question by saying no. "Both Windows and four key Linux distributions can be deployed securely," the report said.

In fact, Forrester gave Microsoft good grades for responsiveness and thoroughness on security issues, though it said Microsoft needed to work on what it called high-severity vulnerabilities.

Any operating system that has more than 90 percent of the market, as Windows does, would be a target, experts say. Hackers and the criminal element focus their energies on striking the most users.

"Linux is not perfect," PC World's Brandt said. "The Mac (operating system) isn't perfect. There are hacks (possible)."

Microsoft says its efforts go beyond its trustworthy computing initiative. It responds faster when holes are found, though critics say the speed could be improved. It has offered bounties for virus writers. It has set up a Web site with consumer advice (the basics: firewall, automatically download Windows updates and antivirus software). It has held seminars for programmers to develop more secure code.

Steve Ballmer, the company's CEO, has made security a theme, including in a recent e-mail to employees in which he acknowledged customers' perception that "Microsoft is not sufficiently focused on security."

Service Pack 2 and other software has been delayed, including the next version of Windows, code-named Longhorn, while the company worked on security issues.

Service Pack 2 goes a long way toward fixing a lot of problems, such as preventing malicious code from being planted on PCs and some of the recent problems with Internet Explorer.

"Is it the dome that protects you for all eternity? No," Barzdukas said. "There will still be a potential for people to exploit holes. (But) it's a significant step forward for our software."

- Information from Times wires was used in this report. Dave Gussow can be reached at gussow@sptimes.com or 727 771-4328.

Ad-aware: www.lavasoft.de

Microsoft Protect Your PC: www.microsoft.com/protect

Mozilla: www.mozilla.org

Opera: www.opera.com

PC World magazine: www.pcworld.com

Spybot: www.safer-networking.org

U.S. Computer Emergency Readiness Team: www.us-cert.gov/

[Last modified July 16, 2004, 10:43:14]