Microsoft attempts to patch its reputation for insecurity

Microsoft has said it will redesign its patch management system and partner with VeriSign on web services authentication, as it aims to improve its reputation on security issues

Microsoft has opened up its drive to improve software security with a redesigned software patch management system and a partnership with VeriSign to authenticate web services.

The company pledged on Tuesday to improve its system for sending out security fixes, or patches, to existing products. Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued, said Scott Charney, chief trustworthy computing strategist at Microsoft, during a keynote speech at the software maker's TechEd conference in Dallas.

By the end of the year, the company intends to consolidate from eight to two the number of ways that patches are distributed to customers. One of the two new systems will address changes to the Windows operating system, while the other will apply to Microsoft's business applications. Eventually, Microsoft will consolidate its patch management into a single tool that can work across all the company's products, Charney said.

In addition, Microsoft plans to ensure that Windows fixes add themselves automatically to the operating system's internal registry, rather than to different parts of the system. By introducing consistency and by making sure that all patches register as present within the software, there's a better chance that fixes will be implemented correctly, the company expects.

Improved patch installation is one facet of Microsoft's "Trustworthy Computing" initiative, which debuted last year. As part of that initiative, the company delayed the shipment of several high-profile products, including its Windows Server 2003 operating system and Visual Studio.Net development tools, in order to perform audits and code reviews, according to the company.

Charney said that the secure computing effort is ongoing. "We are now doing security audits on all our products as part of development. We have to do that, because the bad guys will innovate just like we do."

As expected, Microsoft also detailed a partnership with VeriSign, which will allow customers to use the security company's digital certificate service to authenticate a person's identity over a network of servers running Windows Server 2003. The service, which should also work over Wi-Fi wireless networks, is set to become available by the end of 2003, according to the allies.

Also at TechEd, Microsoft launched two training and certificate programs specially tailored to security concerns in an effort to reduce vulnerabilities that arise from poor application configuration.

Both programmes are extensions to the software maker's certified credentials for systems administrators and engineers that address the design of secure networks. One of the exams is administered by the Computing Technology Industry Association (CompTIA), a computer industry trade organisation.