RealTime IT News

Microsoft Spent $100M on Trustworthy Computing

Microsoft's push to make its Windows operating system more secure cost the company more than $100 million so far this year, Chairman and Chief Software Architect Bill Gates said in an e-mail newsletter to customers Thursday.

In January 2001, Gates told employees that the company must focus all its energies on security, even if it meant temporarily halting work on new features and functionality. The company did just that; more than 8,500 Microsoft engineers put their work on hold for two months in order to conduct an intensive security analysis of millions of lines of Windows code.

"Every Windows engineer and several thousand engineers in other parts of the company were also given special training in writing secure software," Gates said. "We estimated that the stand-down would take 30 days. It took nearly twice that long, and cost Microsoft more than $100 million. We've undertaken similar code reviews and security training for Microsoft Office and Visual Studio .NET, and will be doing so for other products as well."

The "Trustworthy Computing" initiative is part of an aggressive effort on Microsoft's part to patch a stained reputation when it comes to security. Over the past several years, numerous security flaws in its Outlook e-mail client, IIS Web server software, SQL server software, and high-profile penetrations of its network have plagued the company. As the company continues to unfold its .NET strategy, which depends upon the availability and security of services, security becomes ever more important.

Gates acknowledged that fact in a January memo to employees that unveiled the Trustworthy Computing initiative: "Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work," Gates told Microsoft employees in the memo. "If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing."

As part of that effort, Gates said Thursday that Microsoft has altered the way it develops software, making security improvements its highest priority. For instance, it has made changes to its Outlook client so that it blocks e-mail attachments associated with "unsafe files," prevents access to a user's address book, and gives administrators the ability to manage e-mail security settings for their organizations.

Gates said that Microsoft's efforts over the past six months have made a significant difference: "As a result of these changes, the number of e-mail virus incidents has dropped dramatically," he wrote in the newsletter Thursday. "In fact, e-mail viruses like the recent 'Frethem' virus propagate only to systems that have not been updated -- underscoring the importance of updating them regularly."

Microsoft said other steps toward more trustworthy computing include:

  • Software Update Services (SUS), a security management tool for businesses which gives IT administrators the ability to deploy critical updates from inside corporate firewalls to Windows 2000-based servers and workstations running Windows 2000 Professional and Windows XP Professional
  • Baseline Security Analyzer, a new tool which checks for common security misconfigurations in Windows 2000 and Windows XP systems, and can scan for missing security hot fixes and vulnerabilities on products like IIS, SQL Server and Office
  • A commitment to shipping Windows .NET Server 2003 as "secure by default," with all security settings at the highest levels by default
  • The controversial upcoming Palladium technology, a digital rights management tool that is also intended to allow users to store encrypted information in a "virtual vault" where only certain entities would be authorized to access it
  • The incorporation of P3P, or Platform for Privacy Preferences, into Internet Explorer for Windows XP, giving users the ability to set privacy levels and decide which cookies to accept and which to refuse.

"Given the complexity of the computing ecosystem, and the dynamic nature of the technology industry, Trustworthy Computing is really a journey rather than a destination," Gates said in the newsletter, pledging to continue the journey.