CodeRed, Nimda and Blaster. These high-profile worms, which exploited flaws in Microsoft’s Windows operating system and other applications, made Microsoft the butt of security jokes and forced the company to reexamine its approach to developing secure software.

"Throughout Microsoft, we thought Windows 2000 was a very solid, reliable operating system, perfect for deployment in the enterprise," said Ian Hellen, a security program manager at Microsoft’s Windows Security Engineering Team. "Those tiny pieces of code were real wake-up calls, saying Windows 2000 isn’t there yet. It’s just not designed to cope with these kinds of threats."

That was then. With the commercial release of Vista just months away, Microsoft’s efforts to improve security are now showing results, though much remains to be done by the company, said security experts attending the Hack In The Box Security Conference (HITB) in Kuala Lumpur, Malaysia, this week.

"Microsoft has done a left-hand turn in its business and said, ‘Right, we’ve got to start building secure applications,’" said Mark Curphey, vice president of professional services at McAfee’s Foundstone division. "They’ve implemented a very rigorous process across their organization and now they’re starting to see the benefits of that."

The progress that Microsoft has made can be seen in recent versions of its software, such as Microsoft Internet Information Services (IIS) 6, which has had one high-risk vulnerability uncovered, Curphey said.

"They’ve done a lot better," said Bruce Schneier, the chief technology officer of Counterpane Internet Security.

Curphey and others credit Microsoft’s Security Development Lifecycle (SDL) software-development process with reducing the number of design and coding errors that lead to security vulnerabilities.

"We spent a long time trying to reorganize our whole development process so that all of Microsoft’s products, particularly the Windows operating system, are reoriented to have security engineering at their core," Hellen said.

To some degree, Windows XP Service Pack 2 and Windows Server 2003 demonstrate how SDL has helped Microsoft improve the security of its products. "But it’s really only in Windows Vista that we’ve been able to implement this in a comprehensive way," Hellen said, adding that there is room for further improvement.

One security improvement that has yet to be made to Windows Vista is a defense against Blue Pill, a prototype technology that uses hardware virtualization to install undetectable malware on a computer running the OS.

Blue Pill, developed by Polish researcher Joanna Rutkowska, was first demonstrated using the second beta release of Vista. However, the latest pre-production release of Vista, called RC1, does not include defenses against Blue Pill, Rutkowska said, adding that she was "surprised" by the omission.

Blue Pill does not exploit any bugs in Vista, but Rutkowska recommended that Microsoft disable paging of kernel memory in Vista, which would prevent Blue Pill from accessing the operating-system kernel and executing code. In response, Microsoft executives attending HITB said the company continues to work on improving security in Vista, while making no specific promise that changes will be made to prevent Blue Pill attacks in the production version of Vista.

Microsoft gets credit for improving the overall security of its products, but more can be done. However, users must first decide whether the company’s progress in this area is sufficient. "If we think it’s enough, we’re done. If we don’t, then we have to do more," Schneier said. "They’re going to fix the problem to the limit of their economic losses."

One option is to make vendors like Microsoft liable for the economic risks of the security vulnerabilities that users face -- something that is unlikely to happen given the current political environment, Schneier said. "If we want more security, we have to raise the cost of not having it," he said.

-Sumner Lemon, IDG News Service (Singapore Bureau)