microsoft: Microsoft security holes widen

phoenix22 writes "Microsoft security holes widen

CEO Gates orders that testing for flaws be priority before products hit market

By Byron Acohido / Gannett News Service

Despite Microsoft's five-month push to exterminate security flaws, the software giant's operating system and Internet products continue to turn up riddled with security holes. Microsoft has recently issued a flurry of security bulletins, keeping it on track to match or exceed 60 such advisories issued last year. This year, Microsoft has issued 30 advisories outlining fixes for 40 vulnerabilities -- gaps in code that hackers can exploit to steal data, shut down computer networks or launch rogue programs.

The latest discoveries: more holes in Windows XP and MSN Messenger, which are popular with consumers, and in Internet Information Server, Windows NT and Windows 2000, popular Microsoft business products.

In January, Microsoft Chairman Bill Gates issued a memo calling for an end to Microsoft's longstanding practice of rushing feature-rich software to market without adequate testing for security flaws, so the spurt of discoveries since Gates' proclamation is not surprising given the intensified scrutiny, analysts said.

'I'd be surprised if the numbers hadn't gone up a little,' said Michael Cherry of research firm Directions on Microsoft.

Microsoft is staking its future on selling products and services via the Internet. It wants consumers to feel secure enough to use its online services. But while it tries to increase security, it also takes action that increases risks, such as:

* Adding features. Windows XP Service Pack 1, or SP1, compiles all the fixes for Microsoft's popular home operating system software on a single CD. But SP1, scheduled for fall release, will also include new programming so that XP can send information wirelessly to a monitor-style device, code-named Mira, that's expected to be on store shelves this Christmas. Critics said piggybacking new features on a CD of security fixes shows Microsoft is not ready to abandon its feature-driven heritage. 'When they add a capability and turn it on for everybody, then the day a vulnerability is found, suddenly everyone is vulnerable,' said Alan Paller, research director of security research firm Sans Institute.

* Sending fixes via the Internet. Auto Update, a free service available on Windows XP computers, checks for new security patches anytime a user goes online. But hackers have hundreds of ways to break Internet security via Web browsers, Web servers, e-mail and instant-messaging systems. And patches aren't widely deployed, especially on home computers."

Posted on Tuesday, 02 July 2002 @ 19:31:29 EDT by Paul