Opinion: Ballmer Speech Short on New Approaches
- By Scott Bekker
- 10/14/2003
In a major speech last week, Microsoft CEO Steve Ballmer gave the
company's response to the current security furor instigated by
the Blaster and Sobig.F outbreaks of August and September.
When you list all of Ballmer's proposals and promises, it looks
like Microsoft is firing back at the problem with a barrage of
initiatives. There's a new patch-release process, better patch
quality control, extended security support for older operating
systems, improvements coming to Software Update Services,
consolidated patch technologies, training programs and changes
to security defaults in Windows XP and Windows Server 2003. Pick
these proposals apart one by one, and you see one significant
change in approach surrounded by a lot of hoopla about pre-existing
efforts.
First the significant change. Microsoft is now on record as
acknowledging that it's not enough to use security as a carrot
and a stick to drag users to a new release -- Trustworthy
Computing's first focus was to review and fix code in development
for future releases. Microsoft is accepting more responsibility
for the massive user base out there. This came out in Ballmer's
speech in two ways. First, he announced changes to security
defaults and functionality coming in the next, free service packs
for Windows XP and Windows Server 2003. Second, Ballmer announced
that the period when Microsoft supports security hotfixes for
Windows NT 4.0 Service Pack 6a and Windows 2000 Service Pack 2
is extended to June 2004. These are important and welcome changes.
The rest of the speech consisted of either previously announced
initiatives or predictable changes to products or processes.
Rather than showing a company turning on a dime, it is evidence
of a huge bureaucracy churning through the process of supporting
and incrementally improving its dozens of security products,
tools and procedures.
Ballmer reiterated that Microsoft will consolidate its eight
patching technologies down to two sometime next year. This is
a good step that was first discussed by Microsoft executives in
early summer. The free Software Update Services (SUS) will come
out in a version 2.0 in the first half of next year. It's no
secret that Microsoft has been working on improving this toolset,
which has not been widely used in its 1.0 iteration and is typical
of a 1.0 release in several (negative) respects.
Another area where Ballmer announced some obvious and much-needed
improvements was the patch process. Microsoft is now committed
to providing rollbacks for every patch, something that has been a
glaring deficiency since well before the Blaster/Sobig.F problems.
Microsoft also plans to reduce the reboot requirements for patches
by 30 percent. Another welcome change, but again it didn't take
a security catastrophe to see that this was a problem.
Microsoft disclosed a number of ho-hum training commitments such
as online seminars and sessions for developers at the Professional
Developers Conference. If Microsoft wasn't already offering some
of this kind of training, that would be surprising.
There were some announcements of improvements to come to Windows XP
in Service Pack 2 (first half of 2004) and in Windows Server 2003
Service Pack 1 (sometime later). More detail is needed on those
improvements, which appear for now to be a default activation of
XP's Internet Connection Firewall announced previously and an
easier-to-deploy implementation of the quarantining technology
already present in Windows Server 2003.
Major news out of the Ballmer speech was that Microsoft will now
release security patches on a monthly schedule, except in cases
of extremely serious vulnerabilities. The idea is to make the
process more predictable and manageable for users. Although much
of the IT community seems to think that Microsoft releases patches
all the time, the company has actually been on a weekly schedule
of Wednesday evening releases for a long time. Often, Microsoft
goes several weeks at a time without issuing a new patch, making
the monthly schedule a minor tweak from a timing perspective.
Hopefully, the schedule will encourage Redmond to put better
quality control measures in place, which would be a
major improvement.
Those were the announcements of Ballmer's big speech. Hopefully
this will be the opening salvo of a major rethink of security in
Redmond that will be continually redefined into next year. If
this is the "big" response to Blaster and Sobig.F, we're in trouble.
About the Author
Scott Bekker is editor in chief of Redmond Channel Partner magazine.