Beyond Security Patching

By Jeffrey R. Jones, Senior Director, Microsoft Security Business Unit
December 2003
Since Bill Gates launched the Trustworthy Computing initiative almost two years ago, Microsoft has worked hard to be more open and transparent in communicating security issues. We are also continually looking for ways to improve on our ability to talk with customers about security issues. Recently, in reviewing our written communications, it became clear to us that while we had made great strides in communicating about security risks and issues with Security Bulletins through the efforts of the Microsoft Security Response Center, we have not necessarily done as well in communicating other types of security activities.
So, it pleases me very much to introduce our new monthly Microsoft security newsletter. We hope that you find the information useful and will share your opinions with us. I encourage you to send your thoughts, questions and feedback. Each month, I’ll try to respond to several of the letters that we receive, giving voice to your issues and letting you know how your feedback is helping Microsoft prioritize and focus on security issues.
In this first newsletter, among other things, we highlight some great prescriptive guidance that we have developed and provided on our websites. The theme for this month’s guidance is “Network Defense,” where we share our thoughts regarding ways to safeguard your corporate networks.
I want to use the rest of this column discussing what customers have told us is their number one security issue: software vulnerabilities and patching.
I spend a lot of my time talking with customers about security issues, and guess what tops the wish list: “Why doesn’t Microsoft invest more time and effort to ship products that are more secure when they are released?” Great question, but not the only good one I get. Have you ever thought, “Other companies are making add-on security technology for Microsoft products – why isn’t Microsoft adding that sort of protective software?” If so, you share that thought with a lot of other customers.
Finally, I get a lot of feedback on the whole patch-management process. In addition to wanting less need for patches, our customers have said they want improved quality, consistent behavior, better guidance and information, and improved tools for reporting and deployment.
Taking all of the customer feedback together, Microsoft has begun implementing three strategies in order to deliver upon the vision of systems that are easy for customers to deploy securely and also are easily kept secure.
The first strategy is to continue the Trustworthy Computing (TWC) effort to improve how Microsoft designs, builds, releases and supports products. These efforts should result in a reduction in the number of necessary security patches and also a reduction in the severity of the remaining patches.
The key mechanism for driving these changes in all product groups is the TWC release process that is required for all new releases of Microsoft products. Microsoft applied this process to the release of SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3 and saw a significant reduction in the number of Security Bulletins in the period since the release as compared with the same period prior to release.
Similarly, analyzing the number of security bulletins in the first 180 days since the release of Windows Server 2003, the process has resulted in a reduction in patches of all severities by 56 percent.
Even better, the process has reduced the severity of several patches, so that comparing the number of ‘critical’ plus ‘important’ vulnerabilities patched in the first 180 days, the need to patch severe issues has been reduced by 77% over the predecessor product. As Microsoft applies the TWC release process to all newly shipped products over time, we will make progress on our goal of shipping products that are more secure.
The second strategy is to release interim Windows service packs aimed at incorporating security technologies that can mitigate the need to deploy many security patches. While security technologies may not reduce the number of patches released, they would remove the urgent need to patch for security protection purposes and allow customers more flexibility in determining how and when to update products.
Concretely, Microsoft will be shipping improved technology in upcoming Windows client and server service packs with the goal of providing protection from certain malicious exploit attempts -- thus removing the need to patch in order to be protected, as Steve Ballmer recently announced at the Worldwide Partner Conference (see everything Steve announced here).
In the Windows XP service pack, Microsoft has announced certain key features:

  • Memory protection against certain types of buffer overflows

  • Improved ICF (Internet Connection Firewall) features, including central management via group policy and ICF turned on by default

  • Improved attachment blocking for Outlook Express

  • Improved controls to prevent malicious ActiveX controls and spyware

The first two strategies together are intended to significantly reduce the number of patches that customers need to deploy in order to protect their systems and networks, perhaps by as much as 70 to 80 percent.

The third strategy -- improving the patching experience -- is an effort to improve patch quality, behavior, information and deployment tools so patching can be accomplished in a consistent, manageable, and efficient manner. See “Understanding Patch and Update Management: Microsoft's Software Update Strategy,” detailing Microsoft’s commitment to improving the patching experience.

If Microsoft has learned one big lesson as part of its continuing efforts to improve security for customers, it is that security and protection must be about more than patching to fix security vulnerabilities. We’ve learned and adapted our strategy to attack the issue from three angles: reduce the need to patch new releases, reduce the need to patch via protective technology, and, finally, make it easier to update products. Those are our top priorities and we are committed to making progress on all of them, but even more, we are committed to listening to our customers and focusing our energies, investment and efforts based upon your feedback. So, if you have feedback to share on this or other security topics, don’t hold back. We've set up a special form where you can send us your feedback.