Neowin.net

With the recently released Service Pack 2 for Windows XP we at Neowin wanted to know more about Microsoft's security commitments to their customers.

We recently had the chance to ask Microsoft a few questions on the subject of how successful Windows XP SP2 has been and the future of security improvements.

Here's a snip:

Q: How is NGSCB progressing and will it be a part of Longhorn?

A: We are evolving NGSCB in a direction that we believe will provide broader value to customers and partners. We are still focused on delivering secure computing technologies (that utilize new hardware) in the Longhorn timeframe. Longhorn is the target for NGSCB. That said, Microsoft wants to make absolutely sure that we are delivering a high quality security product. If we are confident that NGSCB meets and exceeds the quality and security standards that Microsoft has set then we will ship it as part of Longhorn.

For more questions and answers read more....

View: Neowin Talks Security With Microsoft

1. How successful has XPSP2 been? What are the precise figures on downloads and distribution efforts?

Four months after becoming available - at least 148 million copies of Windows XP SP 2 have been distributed around the world in 25 languages. Microsoft is very pleased with these results but our work isn't done yet. It is critical that customers who haven't installed SP 2 yet, do so as quickly as possible. Only then can they be assured they have the most secure version of Windows possible.

2. Do you feel the development of XPSP2 was a success? Are there any changes you would make in the future if you had to create such a service pack again?

Microsoft is very pleased with the results. Windows XP SP2 is a significant step toward Microsoft's goal of making PCs more resilient in the face of evolving threats and our goal of making Windows XP more secure by default. It was expressly designed by Microsoft to help provide proactive protection for Windows XP customers and was one of the largest and most ambitious security-related product development efforts in the company's history.

New features like the enhanced Windows Firewall and Data Execution Protection provide a higher level of protection "out-of-the-box," when compared to prior Windows client operating system releases. We think of security as a journey, not a destination, and we believe that it's simply unrealistic to expect a service pack to represent a permanent security solution. SP2 contains a number of significant security technologies and behavior changes that help thwart attacks, but we'll remain diligent in evaluating modern threats and releasing software updates as needed.

3. Looking back, why was .NET framework never included with SP2?

SP2 does include the .NET Framework, though it's not installed by default unless you are running Tablet or MCE where it is required and you need the latest updates.

4. With security continuing to be a major concern of all Windows users and the main area of attack for most competitors, can you tell us any specifics of future plans to further improve the security that was introduced to us in SP2?

Windows XP Service Pack 2 was designed to reduce the number of critical vulnerabilities and at the same time help make the software more resilient to attack. Since the release of Windows XP Service Pack 2, only a single bulletin has been rated critical for that platform, compared to eight that have been released for Windows XP without SP2 installed. We have made tremendous progress; however, software is inherently complex and will never be 100% perfect. While there is no such thing as a state of absolute security, we believe SP2 is the most secure version of Windows that we have shipped.

One of the key features of Windows XP SP2 is the Automatic Update feature which automatically downloads the latest Microsoft security updates and ensures your PC is always up to date. For this reason, users are encouraged, upon installation, to immediately turn on Automatic Updates to receive the latest security updates automatically. Microsoft continually monitors the changing threat environment and takes action to help protect customers as soon as a threat is understood. As soon as Microsoft finds a threat we work quickly to analyze the situation and provide customers with the appropriate solution based on customer need.

5. One of the main areas of concern, in terms of security, has always been IE's extremely tight integration into Windows itself. Does Microsoft have any plans of, perhaps, going towards a more module based environment, with Longhorn, in hopes of further securing the OS?

Internet Explorer remains a viable, valuable, and mature browser that meets the needs of our customers and ISVs who have a great deal invested in it. Major security improvements were made in SP2 and innovating on Internet Explorer in the future and continuing to honor the investment our customers and ISVs have made in Internet Explorer remains the best and smartest option available to us.

The IE team is in the process of designing and developing Internet Explorer for Longhorn. It's too early to provide a list of specific features, but major investments are being made in the areas of end user features, security and privacy, and developer support (for both add-on and website developers).

6. How is NGSCB progressing and will it be a part of Longhorn?

We are evolving NGSCB in a direction that we believe will provide broader value to customers and partners. We are still focused on delivering secure computing technologies (that utilize new hardware) in the Longhorn timeframe. Longhorn is the target for NGSCB. That said, Microsoft wants to make absolutely sure that we are delivering a high quality security product. If we are confident that NGSCB meets and exceeds the quality and security standards that Microsoft has set then we will ship it as part of Longhorn.

7. XPSP2 was a great step to protecting users against Spy ware. How will future versions of Windows follow these first steps to protecting users from future Spyware threats?

As part of our ongoing work to build trust in computing for our customers, Microsoft is providing new solutions that help protect PCs on a regularly updated basis. In January, Microsoft announced the availability of two new solutions that will help protect customers against spyware and viruses.

- The first beta version of Microsoft Windows AntiSpyware-a new spyware prevention, detection, and removal solution, which was made available on January 6.

Customers have made it clear that Spyware and other deceptive software represent a major problem and they want Microsoft to deliver effective solutions. We're offering this solution because we think it's the best way for us to get great technology into our customers' hands in the very near term. The tools will be available to users of Windows 2000, Windows XP, and Windows Server 2003. We'll invite our customers to install the tool, and the feedback we get will help us decide our next steps.

- The first monthly installment of Microsoft Windows malicious software removal tool-a solution for removing worms and viruses from customers' PCs- this was made available January 11, as part of the existing monthly software security update process.

8. Do you feel Microsoft has been speedy enough in addressing issues with Internet Explorer, even those found in XPSP2?

Malicious content and attacks coming from the Internet are growing at an alarming rate. Enterprise customers are concerned about the integrity of their computer systems and the protection of their intellectual property.

With the recent security improvements introduced by Windows XP Service Pack 2 (SP2) and its advanced security technologies, Internet Explorer is a much improved browsing option for business customers who need to access the Internet. Windows XP SP2 includes a major new upgrade to Internet Explorer focused solely on security enhancements. It is designed to help protect against malicious attacks and reduce unwanted content and downloads, including spyware. Windows XP SP2 also provides interface enhancements that make configuring security settings easier for administrators and end users.

Key security-related features enabled in Internet Explorer in Windows XP SP2 include these:

New security zone settings. Architectural enhancements mitigate entire classes of security vulnerabilities and help protect against zone elevation and local machine zone attacks.

Information Bar. A new toolbar provides better information about Internet Explorer settings and alerts users to unsigned and unintended downloads.

Pop-up Blocker. This feature helps eliminate a common path for spyware attacks and reduces unwanted ads and content.

Download monitoring. Download monitoring warns users about potentially harmful downloads and helps them block unwanted and unauthorized programs before they reach the PC.

Add-on Manager. This tool helps users manage add-on components, and detects and provides mitigations if problems occur.

Technologies introduced in Internet Explorer by Windows XP SP2 are described in detail at: http://www.microsoft.com/resources/documen...s/appendix.mspx.

Microsoft is also bolstering its defense against Internet security threats through the Microsoft Security Response Center (MSRC), a world-class service and support organization. The MSRC has a dedicated team, and a large network of ISP and anti-virus partners, to respond quickly to security issues and better protect customers. MSRC evaluates and analyzes security issues, creates and tests updates, and distributes security bulletins and associated updates. The MSRC also works with law enforcement agencies worldwide to shut down malicious attacks and prosecute the criminals behind them.

The next version of the Windows operating system, code-named Windows "Longhorn," will further advance Internet Explorer security with additional capabilities focused on evolving Internet security and privacy threats.

9. What is the current plan for the future of hot fixes for current and future operating systems? Will we find Office and other Microsoft product updates on Windows Update soon?

Our number one goal is to make it as easy as possible for Windows users to keep their PCs secure. Windows Update V5 has been enhanced through Windows XP Service Pack 2 to improve ease of use and discoverability of the most important security updates for Windows customers. It also highlights the opt-in information for Automatic Updates which will help users keep their PC as secure as possible by automatically downloading and installing critical updates

Within Windows XP SP2, users will be provided with information about the Automatic Updates service at set up and given the choice to opt in or out. Also, a new feature called, "Update at shutdown" is only available with XP SP2. This allows a user to install updates during the shutdown process. This way instead of the updates themselves causing a reboot at a time not desired by the user, the installation occurs when the users decide to shutdown their computers. WUv5 is also required for customers to download SP2.

Windows Update includes updates for components that ship in Windows only.

10. Although we're in the early stages on XPSP3 development, what are we likely to expect from Microsoft?

It is too early to discuss plans for SP3.