Security Watch
Microsoft Brings the November Pain
November just gets patchier and patchier. Plus: Exchange 2010 gets a security component; vendors tackle absentee security; more.
On top of preparing for today's patch rollout, security pros have another Microsoft security issue to contend with: Last week, Redmond issued an update to an Internet Explorer patch it released in October.
The update is a response to customer complaints that IE 8 was performing sluggishly or crashing outright after installation of the October security patch.
If that's not enough to consider, the six patches Microsoft rolled out today address 15 vulnerabilities -- no small number. Also, the number of patches continues to grow for an otherwise "light" month, considering the Veterans Day and Thanksgiving holidays: The November 2008 and 2007 rollouts only had a combined four patches.
Exchange 2010 Gets Security Component
Microsoft started off the week by launching Forefront Protection 2010 for Exchange at Tech-Ed Europe.
"It's a built-in versus bolted-on approach," said J.G. Chirapurath, Microsoft's senior director for identity and security, in a phone interview discussing the product launch. "Of course, it's a free world and you have free choice. If a customer has a basic built-in, you can choose Microsoft or you can use a competitor to protect the Exchange service."
Either way, Chirapurath said there's tremendous pressure on IT orgs to harness a secure messaging experience with so many different messaging components (e-mail, instant messaging, Internet protocol and telephony, and so on).
"People within an organization have the expectation that IT is there to protect you," he said. "But the IT department knows that there are a lot of areas to cover. We think this is a step in the right direction."
Absentee Security?
Mobile offices and remote access are slowly becoming more and more pervasive in many enterprise environments where cost-cutting and lower overhead have become a necessity.
Much has also been made of potential large-scale office absences due to H1N1 scares, sudden layoffs and -- with the holidays coming up -- vacation time for key personnel whose automatic response messages usually read, "Limited access to voicemail and e-mail."
Translation: They're gone and with them, sometimes, is access to key information.
Microsoft and other third-party security firms such as ActivIdentity are looking at ways to ensure business continuity while maintaining security in a Windows enterprise environment. (And by "business continuity," they mean as it relates to missing cogs that are hard to find outside of a centralized location, not as it relates to disaster response.)
"Lighter-weight [and] strong authentication methods...can provide the appropriate level of security for temporary remote access while keeping costs in check," said David Berman, senior solutions marketing manager for ActivIdentity.
Microsoft Pushes Agile
According to a recent Microsoft report, worms and trojans remain omnipresent threats. So why not embed security commands into software as it's being developed?
At least, that's what the folks at Redmond have been thinking. They've been fervently pushing the Security Development Lifecycle (SDL) framework to channel partners, developers, and Windows IT generalists and enthusiasts.
The latest component to the strategy is agile security guidelines, which deal with Web-based applications and address potential browser threats. Agile mostly focuses on code development called "sprints," which are for more temporary Web applications but can nonetheless protect against worms and malicious software.
Microsoft contends that while agile is mostly for one-time tasks, with each sprint it can also be applied to so-called "bucket" tasks, which are also one-off development projects that may need to be repeated over a period of time.
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.