July 19, 2004
SEATTLE - As Microsoft Corp. prepares to launch its biggest security upgrade ever to Windows, dubbed Service Pack 2, the company is trying to strike a difficult balance between making things safe and making things work.
It's a tough job that is eliciting grumbling from companies whose applications could require major changes - and glee from security experts who say any software product that doesn't work wasn't secure enough in the first place and needs to be fixed.
"I hope it breaks more things than it's already broken," said Russ Cooper, senior scientist at TruSecure Corp.
That's because Cooper believes the free SP2 update, which will be released next month, is badly needed in the ever-rowdier world of Internet-connected computing - and a good wake-up call for other companies that also need to improve security functions.
"The applications that will break with SP2 were essentially doing things wrong from a security perspective," said John Pescatore, vice president of Internet security at Gartner Research.
SP2 comes in response to a series of attacks that have plagued the software giant's products, taking advantage of vulnerabilities to spread viruses, steal personal information and otherwise wreak havoc.
Some companies rushing to make their applications compatible - or trying to negotiate last-minute Microsoft changes - complain that SP2 is creating headaches.
"The changes Microsoft is proposing for SP2 will have serious negative consequences on the consumer experience of many applications and Web sites," RealNetworks spokeswoman Erika Shaffer said. The Microsoft rival makes a digital music and video player and sells subscription download services.
The new system bolsters security on Windows, its built-in Internet Explorer browser and Outlook Express e-mail. Among the changes, a Windows Firewall will automatically be turned on, helping to guard against attack. The browser has been fortified, and a new attachment manager will offer tougher policing against e-mail-borne attacks.
As a vice president at security software leader Symantec Corp., Matthew Moynahan applauds Microsoft's effort to make Windows safer from attack. But Moynahan is not so excited about the flood of help-desk calls almost certain to come when Microsoft releases a comprehensive security overhaul of Windows XP next month.
To make the new Microsoft system work smoothly with Norton, customers will need to download a Norton update. The company is already bracing for the change, working with its customer support staff and making plans to increase phone support.
Symantec's Norton antivirus software runs on about 100 million desktop computers.
"We don't want consumers to panic," Moynahan said.
The changes in the way Windows polices itself - particularly the newly strengthened firewall - could cause troubles for applications that are used to working with Windows' old ways. Some say that's particularly true of applications that regularly interact online, such as gaming programs or music services.
Security experts say it's tough to know how many companies may have to change their products to be compatible.
The company has delayed SP2's release, originally scheduled for June, amid efforts to improve compatibility. Microsoft group product manager Barry Goffe says the "vast majority of applications" should function properly when SP2 comes out.
In the end, analysts believe most consumers will avoid major problems because most companies that have problems will fix them by the time SP2 is released. Gartner Research estimates that a mere 3 percent of applications that run on Windows won't work once SP2 is out.
But Microsoft's Goffe says corporations running customized applications could have more complex problems, requiring them to specially configure SP2. Many legitimate corporate programs depend on just the type of interactions that would also alarm the security system.
It could take months for businesses to adopt the upgrade.
In the end, Cooper expects most corporations will run a very scaled-down version of SP2, both because they want to avoid compatibility problems and because it could be a nightmare to manage things like personal firewalls on thousands of desktops.
Still, many big businesses are likely running separate security applications as well.
Perhaps the biggest change with SP2 will be a host of new alerts the user will suddenly get, offering more detailed information about what programs are trying to contact the computer and giving the user more chances to accept or decline.
Macromedia Inc.'s Flash technology required only minor technical changes to make it compatible with SP2. But the company was more concerned about early language in these warnings that could make even legitimate interactions seem scary and unwise.
David Mendels, Macromedia's senior vice president in charge of developer products, said Microsoft was very responsive to its concerns. Now, he said, the prompts are less dire and more specific.
Microsoft's own products are not immune. Joe Wilcox, a senior Jupiter Research analyst who is testing an early version of SP2, recently was blocked from using Microsoft's Office Live Meeting conferencing product. Although he could have overridden that, Wilcox instead skipped the online option and called on a regular phone.
Wilcox sees this as a victory for Microsoft, because it changed his behavior and kept him from exposing his computer to potential risk.
To Pescatore, such inconveniences are worth it.
"From a security perspective, the problems we've been having - these worms and such - we can often blame on thing that need to be fixed in Windows," Pescatore said. "So when Microsoft finally gets around to fixing them, it's going to take some pain to get past that point."