Microsoft, RSA Working on Windows Lock

SAN FRANCISCO (AP) _ Microsoft Corp. Chairman Bill Gates, whose company's software is often derided for being buggy and vulnerable to hackers, showed off planned features for shoring up its programs

Wednesday, February 25th 2004, 12:00 am

By: News On 6

SAN FRANCISCO (AP) _ Microsoft Corp. Chairman Bill Gates, whose company's software is often derided for being buggy and vulnerable to hackers, showed off planned features for shoring up its programs and heading off cyberattacks.

Progress is being made against viruses, network attacks and sloppy code that make systems vulnerable, said Gates. But, he added, a lot more work remains.

``The people who attack these systems are getting more and more sophisticated,'' Gates said Tuesday. ``For every time we take a type of attack and eliminate that as an opportunity, they move up to a whole new level. That's not an unending process _ we can make it dramatically difficult.''

Speaking to thousands of security experts at the RSA Conference, Gates said Microsoft's Trustworthy Computing Initiative _ unveiled two years ago after several embarrassing Windows flaws were exploited by viruses and hackers _ is paying off.

In the first 300 days after the launch of the Windows 2000 Server operating system, 38 security bulletins listed as critical or important were issued. The first major product released after the initiative, Windows Server 2003, has had just nine such bulletins in the first 300 days.

``Everything we're doing has been impacted (by the initiative),'' Gates said. ``Over the past two years, we have made a lot of progress.''

Gates showed off an upcoming Windows XP update that focuses on security improvements. Service Pack 2, which will be available later this year, includes a centralized control center where users can automatically check their computer's security status, such as whether all critical updates have been applied or whether antivirus software is running.

Unlike earlier Windows releases, Microsoft's firewall software will be turned on as part of the default installation. A firewall blocks intruders from entering a system.

In the new service pack, the Internet Explorer browser will now have a pop-up ad blocker as well as more user control over small programs embedded in some Web sites.

Beyond the Windows service release, Gates also showed off ``active protection technologies'' that will gird Windows computers against attacks by sensing system or network changes that indicate virus activity. If a problem is detected, the computer's firewall will dynamically ratchet up defenses.

A number of companies at the conference were showing products similarly geared toward detecting unusual activity in networks.

Gates also said e-mail spam _ which often contains viruses or is sent from infected computers _ is being targeted on several fronts. Besides today's antispam filters, Microsoft and other companies are developing e-mail programs that allow users to create ``white lists'' of people with whom they wish to communicate.

Messages that originate from outside the white list could be judged on several factors, including the content's appearance and any proof that could be offered by the sender. Such proof could be the sending computer's completion of a puzzle for each message.

``By having a system send one of those along, that allows the e-mail client to say, `OK, that was a fair piece of work to solve that ... I'll move that into the inbox automatically to the user,''' Gates said.

For regular use, such computational challenge would not be noticed. But for bulk e-mailers, it would tax a computer's resources.

Ultimately, e-mail systems must be able to determine whether the sender of a message is authentic. Microsoft has proposed a technology, dubbed ``Caller ID for E-Mail,'' that uses the Internet's existing infrastructure to determine that a message originated from a real address.

Gates said Microsoft is working with governments and companies by sharing its software source code, or blueprint. Thirty governments and thousands of companies now have access to Windows code to better incorporate their programs _ and look for problems.

This month's leak of a portion of the code to a previous version of Windows was not the result of the Shared Source program, Gates said.

Microsoft's trustworthy computing plans are important, but they are a piece of a much larger puzzle, said Robert Holleyman, president of the Business Software Alliance. A broader understanding among users is necessary to ensure security.

``There's not a single solution to the problem of cybersecurity,'' he said. ``It's a range of solutions that need to be deployed collectively to raise the overall security.''