Windows security update not so simple
By Allison Linn
Associated Press
SEATTLE — As a vice president at security software leader Symantec Corp., Matthew Moynahan applauds Microsoft Corp.'s effort to make its Windows operating system less vulnerable to attack.
But Moynahan is not so excited about the flood of help-desk calls almost certain to come when Microsoft releases a comprehensive security overhaul of Windows XP next month. His company's Norton antivirus software runs on about 100 million desktop computers.
To make the new Microsoft system work smoothly with Norton, customers will need to download a Norton update. The company is already bracing for the change, working with its customer support staff and making plans to increase phone support.
"We don't want consumers to panic," Moynahan said.
He's not alone. As Microsoft prepares to launch its biggest security upgrade ever to Windows, dubbed Service Pack 2, the company is trying to strike a difficult balance between making things safe and making things work.
It's a tough job that is eliciting grumbling from companies whose applications could require major changes — and glee from security experts who say any software product that doesn't work wasn't secure enough in the first place and needs to be fixed.
"I hope it breaks more things than it's already broken," said Russ Cooper, senior scientist at TruSecure Corp.
That's because Cooper believes the free SP2 update is badly needed in the ever-rowdier world of Internet-connected computing — and a good wake-up call for other companies that also need to improve security functions.
"The applications that will break with SP2 were essentially doing things wrong from a security perspective," said John Pescatore, vice president of Net security at Gartner Research.
SP2 comes in response to a series of attacks that have plagued the software giant's products, taking advantage of vulnerabilities to spread viruses, steal personal information and otherwise wreak havoc.
Some companies rushing to make their applications compatible — or trying to negotiate last-minute Microsoft changes — complain that SP2 is creating headaches.
The new system bolsters security on Windows, its built-in Internet Explorer browser and Outlook Express e-mail. Among the changes, a Windows Firewall will automatically be turned on, helping to guard against attack. The browser has been fortified, and a new attachment manager will offer tougher policing against e-mail-borne attacks.
The changes in the way Windows polices itself — particularly the newly strengthened firewall — could cause troubles for applications that are used to working with Windows' old ways. Some say that's particularly true of applications that regularly interact online, such as music services.
Security experts say it's tough to know how many companies may have to change their products to be compatible.
The company has delayed SP2's release, originally scheduled for June, amid efforts to improve compatibility.
Microsoft group product manager Barry Goffe says the "vast majority of applications" should function properly when SP2 comes out.
In the end, analysts believe most consumers will avoid major problems because most companies that have problems will fix them by the time SP2 is released. Gartner Research estimates that a mere 3 percent of applications that run on Windows won't work once SP2 is out.
But Microsoft's Goffe says corporations running customized applications could have more complex problems, requiring them to specially configure SP2.
