Microsoft Security Flaws Threaten Business

By THE ASSOCIATED PRESS - Microsoft Corp.'s offer this week of cash bounties for informants who help it collar virus-writers reflects more than just an escalation of the war on those who would exploit the dominant power in software. The campaign reveals just how much of a threat to Microsoft's bottom line security flaws now represent. When the Blaster worm hobbled hundreds of thousands of computers around the world in August -- only the latest plague to exploit a flaw in Windows operating systems -- it also hurt Microsoft's ability to book new contracts with corporate customers. For the first time, it seemed, flaws in Microsoft's software were translating into flaws in the company's business model. ``It's now starting to move from being a problem that they used to hear anecdotally to a problem they can now measure the impact of,'' said Michael Cherry, an analyst with Directions on Microsoft, an independent research firm. The cost of patching up Windows computers, for instance, is diverting money from tech budgets that might otherwise have been earmarked for new software contracts, he said. In its latest quarterly results, Microsoft said revenue from multiyear contracts dropped $768 million from the previous quarter. The drop in so-called ``deferred revenue'' -- money received for contracts that will be counted toward its earnings over time -- was about $450 million lower than the company anticipated. Some of that was due to overly optimistic projections, said chief financial officer John Connors. But another reason, he said, was that Microsoft's sales people were so busy helping corporate clients shore up their networks that they could not close new deals. Even before the Blaster attack, security was gnawing at Microsoft's stature. It had been cited among the reasons that various government agencies in the United States and abroad have become more serious about adopting alternatives such as the open-source Linux operating system. Security, simply put, is beginning to play a larger role in decisions about what software companies buy. Boscov's department stores are in the process of switching from Microsoft software on many of its servers to Linux-based offerings provided by IBM Corp. Harry Roberts, chief information officer for Boscov's, a regional chain based in Reading, Pa., said cost was by far the biggest reason. But the company also had been hit hard by the Nimda worm in 2001, causing about $50,000 in staff time to repair damage to the network, he said. ``We do have a bad taste in our mouth.'' Analysts say Microsoft's software is targeted most by hackers and virus writers because it is so prevalent. But that's of little consolation to customers angry about the persistent security concerns. ``When enterprises have these big problems, they're very leery,'' said John Pescatore, vice president for Internet security at the Gartner consulting firm. That wariness could prompt companies to delay software upgrades from every third to every fourth year, for example, a threat for Microsoft. ``That's what kills software companies,'' he said. After the Blaster attack, Microsoft issued bulletins for another five critical flaws in versions of Windows. And it was not the only Microsoft-centric Internet plague this year. The Slammer worm severely clogged online traffic in January. Pescatore likened the recent problems to the situation two years ago, when the Code Red and Nimda viruses exploited flaws in Microsoft software. The network pain produced by the twin scourges prompted Microsoft Chairman Bill Gates in January 2002 to identify security as the company's top priority. Among the recent steps Microsoft has taken to improve security is its announcement that it will have a free update to its flagship Windows XP desktop operating system next year. The improvements are to include disabling certain features that can allow hacker break-ins. The upgrade, or service pack, will also include an improved firewall. As it adjusts, the challenge for Microsoft has been to alter its mind-set -- from an emphasis on winning new customers to the need to satisfy its now-huge existing customer base, said Joe Wilcox, an analyst with Jupiter Research. ``Microsoft needs to sit back and kind of rethink how to operate in more of a maintenance market,'' Wilcox said. ``And what that really means is that customer satisfaction has to be the number one priority.''