Major computer security breaches and big Internet attacks like the ones in recent weeks typically target software made by one company: Microsoft Corp.Microsoft's Windows operating systems are a favorite target of hackers for one simple reason — they run about 95 percent of all personal computers in the world. Hackers also say the software is riddled with security holes and therefore easier to exploit than other operating systems, such as Macintosh or Linux.
Microsoft has a system to fix flaws that can allow viruses and worms to attack customers' machines. But it is a cumbersome one that requires customers to voluntarily download and install software "patches" from its Web site. The patches are often hard to install and are issued so frequently — about 70 last year alone — that they're easy to ignore.
With the lessons of recent Internet attacks behind it, Microsoft is now contemplating significant changes, including making patches and Internet "firewalls" more automatic and adding anti-virus software directly to its next major operating system release.
"Clearly there's room for improvement . . . or we wouldn't be looking at changing," acknowledged Steve Lipner, Microsoft's director of security assurance.Microsoft and even the Department of Homeland Security warned computer users for weeks to download a patch to prevent the recent Blaster worm, for instance. Yet an estimated 200,000 or so computer users failed to do so, exposing not only their computers but everyone connected to them through the Internet to Blaster's wrath."Patches aren't working because the strategy is a poor one," Fred Cohen, a computer security consultant and teacher widely known as the inventor of the first computer virus, said in an e-mail interview. "The alternative is to engineer systems well."Users of the newest Windows operating systems can activate a program to automatically download patches. But Lipner said Microsoft is considering making this a "default" or pre-installed setting in future releases.Likewise, Windows XP users can activate a built-in Internet "firewall" to restrict unwanted Web traffic that might contain viruses or worms, but many apparently don't do that either. Making the firewall a default setting may be standard in the next Windows release too, Lipner said.Microsoft also is considering integrating virus protection software directly into its operating systems. It recently purchased an anti-virus company to help do so.Just taking those relatively simple steps could significantly cut down on the number of e-mail infections worldwide, other security experts say."Microsoft has already tried to make things easier for the end user . . . but over time it's really apparent that some steps are still a little too much to put on the end user," said Craig Seamugar, virus research engineer with Network Associates Technology Inc., which owns the McAfee line of anti-virus software. Other companies, however, are planning changes that could help. Atlanta-based Internet service provider Earthlink Inc., for instance, plans to add anti-virus software on its e-mail servers sometime in the next six months to catch viruses before they are even sent to customers.Such server-based software is somewhat controversial — it could filter out e-mails that customers want by mistake — but Earthlink executive vice president Linda Beck said it's needed, given the constantly growing number of computer viruses."It's just an extension of our current product strategy of blocking the bad things that affect customers on the Internet," she said. "It's a never-ending battle."