Microsoft "Humbled" by Recent Security Problems

Microsoft CEO Steve Ballmer acknowledged last week that his company has been "humbled" by the effects of the Blaster and Sobig.F worms.

Ballmer’s concession came during a speech before the Churchill Club, a Silicon Valley business and technology forum, in which he touted the unlimited potential for technology innovation—a recurring theme in his speeches and communications this year, especially since a controversial article in the Harvard Business Review suggested that technology no longer offers businesses competitive advantage.

"We are in many ways humbled by the developments of the last few weeks. Windows is the most popular platform in the world, so every security incident with it is just magnified and magnified and magnified across so many more systems than with any other platform," Ballmer said.

Ballmer was similarly contrite after the SQL Slammer worm ravaged Microsoft systems earlier this year. In a memo to Microsoft employees distributed this spring, he acknowledged that the software giant had “spent a lot of time learning from Slammer what we need to do better” and promised that “we are improving our approach to fixes.”

In his speech to the Churchill Club, Ballmer acknowledged that Microsoft customers are frustrated with a seemingly endless stream of blockbuster worms. "Many of our customers are feeling the pain. They are frustrated by vulnerabilities. They are frustrated by patches. They are concerned about the threat that hackers pose to their systems. And businesses are taking a hit at the bottom line level," he said.

The original Blaster worm, which exploited an RPC vulnerability on Microsoft’s business-class Windows platforms, struck in August. Unfortunately, the patch the software giant released to fix this vulnerability didn’t address a much larger problem with its RPC implementation. As a result, additional code to exploit this vulnerability was posted to the Internet and Microsoft was forced to release another patch to fix the problem.

With this recent history in mind, Ballmer sounded much like a chief executive with his tail between his legs: "We recognize the concerns of our customer base—boy, do we—and we are further redoubling our efforts to ensure we have a comprehensive approach for better security for all of our customers."

He outlined several approaches, including increased cooperation with law enforcement, improved collaboration between IT vendors, and—last but not least—improved security bug patching at Microsoft. While these approaches will help, Ballmer said that technological innovation is the best way to fight security problems. He cited innovations in safety made by the automobile industry, along with innovations in anti-robbery protections by banks, and said that Microsoft is investing in new technologies—such as post-processing of source code to ferret out vulnerabilities—to stop potential attacks.

Ballmer also referred to something he called shield technology. "I think perhaps the most important technical area that we're focused on, is the area of what we are calling shield technology. We know that the bad guys are going to keep writing viruses; we know that. Our goal has to be to block them before they can ever get onto those PCs. And regardless of the cost and level of investment required by us, by Microsoft, we are absolutely committed to try to accomplish this notion of shielding."

ENT Magazine’s Scott Bekker contributed to this report.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
