Microsoft to offer important, free updates to improve Windows security

Thursday, October 9th 2003, 12:00 am
By: News On 6

WASHINGTON (AP) - Stung by criticism over lax software security, Microsoft Corp. disclosed plans Thursday to update its flagship Windows operating systems early in 2004 to make consumers less vulnerable to hackers.

Microsoft said the changes, announced by chief executive Steve Ballmer during a trade conference in New Orleans, will be offered free in the next "service pack" update to users of Windows XP and Windows Server 2003 software, the company's latest versions for consumers and businesses.

The announcement was aimed at calming Microsoft customers increasingly irritated by the ease with which hackers and others have broken into Windows computers. Adequately protecting an average personal computer can take far more time than many customers are willing to spend.

Microsoft promised to improve the way in which Windows manages computer memory to protect users against commonly exploited software flaws known as buffer overruns, which can trick Windows into accepting dangerous commands. Some of the most damaging attacks in recent months fall under this category.

The company promised to improve its built-in firewall feature, which has drawn criticism in the past because it was not especially strong and was routinely turned off in new copies of Windows. The update will automatically turn on the updated firewall and enable companies to centrally manage each computer's protective settings.

"Our goal is simple," Ballmer said. "Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks."

The changes were designed to improve security even for customers who fail to diligently apply the dozens of repairing software "patches" Microsoft offers each year.

For example, even computer users who did not install a protective patch for the "Blaster" virus this summer would have been protected if they had known to turn on Windows' built-in firewall, said Mike Nash, a vice president for Microsoft's security business unit.

"We can have a shield in place where we can make sure the customer is immune," Nash said.

Critics have said Microsoft releases far too many patches, which frustrate employees responsible for installing them on hundreds of computers throughout companies and which can interfere with other programs already installed.

"Microsoft treats security problems like public-relations problems," said Bruce Schneier, the chief technology officer for Counterpane Internet Security Inc. and a frequent critic of the company. "I hate to be cynical about this but every time Microsoft announces these things, it never gets better."

Microsoft promised to begin distributing these repairing patches monthly, rather than weekly, and making the patches easier to install and to remove when they conflict with existing software. The company said it still would rush out an emergency patch midmonth if it determines hackers were actively breaking into computers using a software flaw it could repair immediately.

It also promised a new Web site for consumers that will determine when patches need to be installed for all other Microsoft products.