Microsoft Spent $100M on Trustworthy Computing

Microsoft’s push to make its Windows operating system more secure cost the company more than $100 million so far this year, Chairman
and Chief Software Architect Bill Gates said in an e-mail newsletter to customers Thursday.

In January 2001, Gates told employees that the company must
focus all its energies on security, even if it meant temporarily halting work on new features and functionality. The company did
just that; more than 8,500 Microsoft engineers put their work on hold for two months in order to conduct an intensive security
analysis of millions of lines of Windows code.

“Every Windows engineer and several thousand engineers in other parts of the company were also given special training in writing
secure software,” Gates said. “We estimated that the stand-down would take 30 days. It took nearly twice that long, and cost
Microsoft more than $100 million. We’ve undertaken similar code reviews and security training for Microsoft Office and Visual Studio
.NET, and will be doing so for other products as well.”

The “Trustworthy Computing” initiative is part of an aggressive effort on Microsoft’s part to patch a stained reputation when it
comes to security. Over the past several years, numerous security flaws in its Outlook e-mail client, IIS Web server software, SQL
Server software, and high-profile penetrations of its network have plagued the company. As the company continues to unfold its .NET
strategy, which depends upon the availability and security of services, security becomes ever more important.

Gates acknowledged that fact in a January memo to employees that unveiled the Trustworthy Computing initiative: “Over the last year
it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work,”
Gates told Microsoft employees in the memo. “If we don’t do this, people simply won’t be willing — or able — to take advantage of
all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing.”

As part of that effort, Gates said Thursday that Microsoft has altered the way it develops software, making security improvements
its highest priority. For instance, it has made changes to its Outlook client so that it blocks e-mail attachments associated with
“unsafe files,” prevents access to a user’s address book, and gives administrators the ability to manage e-mail security settings for
their organizations.
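The Outlook change described above works by treating certain attachment file types as unsafe and blocking them before the user can open them. The following Python filter is an added illustration of that idea, not Microsoft's code and not from the article: it walks a constructed sample message with the standard `email` library, classifies each attachment by its final extension, and handles the edge cases a practitioner cares about (double extensions such as `invoice.pdf.exe`, mixed case, trailing dots that Windows strips, archives that need inspection rather than a flat block). The extension sets and the sample filenames are assumptions chosen for the example.

```python
"""Extension-based attachment filter (added example; extension lists are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass
from email.message import EmailMessage

# Assumed set of directly executable or scriptable extensions to block outright.
UNSAFE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "wsf", "hta", "reg", "lnk",
}
# Assumed container formats: not blocked blindly, but flagged for content inspection.
ARCHIVE_EXTENSIONS = {"zip"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    action: str  # "block", "allow" or "inspect"
    reason: str


def _final_extension(filename: str) -> str:
    """Return the last extension in lower case.

    Trailing dots and spaces are stripped first because Windows drops them when
    creating the file, so "setup.EXE." would still run as setup.EXE.
    """
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def classify_attachment(filename: str) -> Verdict:
    """Decide what to do with one attachment based only on its name."""
    if not filename:
        # No usable name: we cannot judge it, so send it for inspection.
        return Verdict(filename, "inspect", "no filename on attachment")
    ext = _final_extension(filename)
    if ext in UNSAFE_EXTENSIONS:
        # Only the final extension matters: "invoice.pdf.exe" is an .exe.
        return Verdict(filename, "block", f"unsafe extension .{ext}")
    if ext in ARCHIVE_EXTENSIONS:
        return Verdict(filename, "inspect", "archive: scan contents before delivery")
    return Verdict(filename, "allow", "no unsafe extension")


def filter_message(msg: EmailMessage) -> list[Verdict]:
    """Classify every attachment part of a message, in order."""
    return [classify_attachment(part.get_filename() or "") for part in msg.iter_attachments()]


def build_sample_message() -> EmailMessage:
    """Constructed sample message with three attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text of a constructed test message.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK constructed", maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg


if __name__ == "__main__":
    for verdict in filter_message(build_sample_message()):
        print(f"{verdict.action:8} {verdict.filename:20} {verdict.reason}")
```

The filter deliberately never looks at the MIME type alone: the sample `.exe` is sent as `application/octet-stream`, which says nothing about whether the file will execute when opened, and the declared type is fully under the sender's control. Archives are routed to inspection rather than blocked because a flat block on `.zip` breaks legitimate mail while an inspect step can apply the same extension rules to the archive's members.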

Gates said that Microsoft’s efforts over the past six months have made a significant difference: “As a result of these changes, the
number of e-mail virus incidents has dropped dramatically,” he wrote in the newsletter Thursday. “In fact, e-mail viruses like the
recent “Frethem” virus propagate only to systems that have not been updated — underscoring the importance of updating them
regularly.”

Microsoft said other steps toward more trustworthy computing include:

  • Software Update Services (SUS), a security management tool for businesses which gives IT administrators the ability to deploy
    critical updates from inside corporate firewalls to Windows 2000-based servers and workstations running Windows 2000 Professional
    and Windows XP Professional

  • Baseline Security Analyzer, a new tool which checks for common security misconfigurations in Windows 2000 and Windows XP
    systems, and can scan for missing security hot fixes and vulnerabilities on products like IIS, SQL Server and Office

  • A commitment to shipping Windows .NET Server 2003 as “secure by default,” with all security settings at the highest levels by
    default

  • The controversial upcoming Palladium technology, a digital rights management tool that is also intended to allow users to store
    encrypted information in a “virtual vault” where only certain entities would be authorized to access it

  • The incorporation of P3P, or Platform for Privacy Preferences, into Internet Explorer for Windows XP, giving users
    the ability to set privacy levels and decide which cookies to accept and which to refuse.

“Given the complexity of the computing ecosystem, and the dynamic nature of the technology industry, Trustworthy Computing is really
a journey rather than a destination,” Gates said in the newsletter, pledging to continue the journey.
