
Microsoft Will Give the U.S. Government Priority Access to Security Patches

Microsoft Gives Some Customers Early Bug Fixes

The U.S. government will get a head start on fixing security holes in Windows and other software under an arrangement with Microsoft Corp. that isn't available to most other customers.

Under the plan, to take effect later this year, Microsoft will give the Air Force versions of the software updates it regularly issues to "patch" serious security vulnerabilities as many as 30 days before the fixes are generally available to other customers. The Department of Homeland Security will give advance notice of the new vulnerabilities to other government agencies and distribute the patches to them, after they have been tested by the Air Force, say officials at Microsoft and the White House's Office of Management and Budget.

The advance testing will make it possible for government agencies to install the patches as soon as Microsoft releases the final version of them. That is aimed at having the agencies stay ahead of hackers, who often are able to develop attacks that exploit a software hole less than a week after Microsoft discloses the vulnerability.

The initiative is one of the best examples of how large technology customers -- and there are few larger than the U.S. government -- are using their buying power to press suppliers to improve the reliability and lower the costs of securing their information systems. Testing and installing the dozens of software patches released each month by various vendors has become a major hassle and expense for public and private organizations.

The early-access program -- which also is available to select corporate customers -- is an example of how Microsoft is attempting to turn computer security, a major weak spot for the software giant in recent years, into a competitive asset. Speeding the patching process was a "key driver" for the Air Force in reaching a six-year, $500 million software deal with Microsoft last year, says Curt Kolcun, who heads Microsoft's effort to sell to the federal government. (Separately, Microsoft hired former Lotus Development executive Ray Ozzie as chief technical officer.)

"This is a good deal," says Karen Evans, head of the Office of Electronic Government and Information Technology at the OMB, who is spearheading the initiative. When a new patch is released, "I know the Air Force has tested this, so it cuts down my testing time," she says.

Key to the OMB's deal with Microsoft was the inclusion of the Air Force in the company's "security update validation program," under which a limited number of customers get software patches in advance. Microsoft declined to identify other customers in the invitation-only program, except to say they include financial services and manufacturing companies, along with other technology companies. "The number of participants is strictly limited," a spokesman said.

The ability to get patches up to a month before they are widely released is "a big jump start for us," says Kenneth Heitkamp, assistant chief information officer for the Air Force. Previously, it took the Air Force an average of 89 days to ensure it had properly installed patches across its more than 700,000 desktop and laptop computers; Mr. Heitkamp says the long-term goal under the new program is to reduce patch installation to as little as 10 minutes after the fix is released publicly.

Microsoft says it has taken precautions to prevent news of the patches in the advance-release program from leaking. For example, these patches are distributed only through a "private channel," which the company declines to describe, and no information is given about the underlying vulnerabilities being fixed or even the area of code being updated.

The extraordinary security measures are evidence of the risks involved in providing differential access about flaws that in some cases could allow hackers to take control of computer systems. If information about a new vulnerability leaks before a patch is generally available, unpatched customers could be at even greater risk of attacks by virus-writers or malicious hackers.

"If somebody gives the early patches to the bad guys before the bulk of the good guys get them, that could help the bad guys reverse-engineer their exploits," says John Pescatore, vice president for Internet security at Gartner Inc., a technology consulting firm.

One purpose of the program is to expand Microsoft's testing of the patches to ensure the updates aren't incompatible with other software or end up creating new vulnerabilities themselves. But the early-access program is also a response to complaints from large corporate and government customers about both the patching burden and the risks of not patching properly.

The early-access program helps General Motors Corp. speed its testing of patches on its more than 2,000 "mission-critical" computer systems. "You're in a race to beat the bad people from being able to exploit before you can plug" the holes, says Eric Litt, GM's chief information security officer. "You might win 99% of the time, but when you lose, it's going to hurt. That is not a robust enough strategy to protect an enterprise."

John Gilligan, the Air Force's chief information officer, has said the service spends more money patching software than on buying it in the first place. That helped prompt Microsoft Chief Executive Steve Ballmer to take a personal interest in the Air Force deal and participate in several key meetings.

The major accomplishment was the Air Force's ability to settle on a handful of standardized configurations for Windows, Office and other Microsoft software, rather than the hundreds of different setups installed today. Agreement on approximately 500 specific settings was hammered out over the past year by the National Security Agency, other federal agencies and the nonprofit Center for Internet Security in Hershey, Pa. The Air Force is still considering a handful of modifications. Dell Inc. will deliver computers configured to these Air Force specifications.

The Air Force, along with about 10 Microsoft technicians, will test the early versions of new patches on PCs configured to the Air Force standards at a lab at Gunter Air Force Base near Montgomery, Ala. Under the OMB plan the test results will be shared with the Department of Homeland Security, which will distribute patches to other agencies that have adopted the Air Force's software configurations.

Microsoft's Mr. Kolcun stressed that the company is delivering its standard products, configured to the Air Force's specifications, and not a special "secure" version of Windows. The distinction could help Microsoft avoid legal liability in the event the Air Force configuration is penetrated by hackers.

Computer-security experts hope the commitment of a customer with the clout of the U.S. government will spur the adoption of more-secure configurations of Windows and other Microsoft products. That, in turn, should encourage other software providers to make sure their products work well with the approved configuration.

And that could shift at least some responsibility for security from users back to software providers, which are better able to tackle the challenges, says Alan Paller, director of research at the SANS Institute, a computer security research and training organization in Bethesda, Md.

"There isn't anything with bigger leverage than this," Mr. Paller says. "It's not a silver bullet, but it solves more of the pain in security than anything else I've seen."