Microsoft security executives on Wednesday provided new information about tools to battle recent software vulnerabilities and offered a status report on security technologies that are being developed.
During a monthly online security briefing, Mike Nash, corporate vice president of Microsoft's security business unit, said customers can expect an updated patch to plug the Download.Ject vulnerability sometime next week, as well as an updated "cleaner" tool this week for the Mydoom-O worm. This variant of the widespread Mydoom worm was discovered earlier in the week.
Responding to a question on the overall security of Microsoft's Internet Explorer browser, Dean Hachamovich, a product
Customers should be confident as long as they are running the latest version of Microsoft's Web browser with all the updates, he said. Hachamovich said that when Windows XP Service Pack 2 is released, users will be protected from attacks such as Scob, or Download.Ject, which targeted IE earlier this month. That vulnerability was a cross-domain vulnerability, and as such, could not run code, he said.
XP SP2 download notification
Regarding the release of XP SP2 in August, Nash said customers can expect a notification just before it is ready to download. It will be available shortly after the release of Windows Update V 5.0, the online hosted service that provides automatic updates to customers.
Customers also received news on some of the company's software-updating technologies. For those who download XP SP2, one big improvement will be the ability to download only the security fix that they need.
Microsoft is evaluating the feasibility of bringing some of the improvements in XP SP2 to Windows 2000, but Hachamovich said, "Bringing XP SP2 features to Windows 2000 would require the same level of testing as with XP, and it is unclear how many organizations would be willing to do that."
"The most critical thing users can do on Windows 2000 is run IE 6.0 with all the critical updates," he added.
Installer consolidation nears completion
Required reboots have already been reduced by 10%, and further improvements are expected. Microsoft is working on a hot patching system that can deliver patches while a system is running. This will arrive with the delivery of Windows Server 2003 Service Pack 1, which has been pushed back to the first half of 2005. The company is also developing smart installer technology that can detect whether files will be impacted by an update, Nash said.
The next release of Windows, code-named Longhorn, will also bring some new reboot technologies, although Nash didn't elaborate.
Nash also reminded customers that the general beta test for Windows Update Services will begin later this year. WUS, the next generation of the Software Update Services utility, is due out in the first half of 2005. Another security-focused product, the enterprise edition of the ISA Server 2004 firewall, will be available at the end of the year.