Gates Issues Security Progress Report

Microsoft

Gates, in a customer newsletter e-mailed Thursday, said he, CEO Steve Ballmer and other Microsoft executives plan to occasionally pen messages on industry topics.

"This is part of our commitment to ensuring that Microsoft is more open about communicating who we are and what we are doing," he said.

Since he issued his order six months ago to Microsoft's 50,000 employees to focus on security over features in product development, Gates said the company has altered the way it develops software, scrubbed code to reduce vulnerabilities, and put engineers through security training.

"Earlier this year, the development work of more than 8,500 Microsoft engineers was put on hold while we conducted an intensive security analysis of millions of lines of Windows source code. We estimated that the stand-down would take 30 days. It took nearly twice that long, and cost Microsoft more than $100 million," he said.

Similar code reviews and security training are under way for Microsoft Office and Visual Studio .Net, he said.

Changes the company made to Outlook, such as blocking unsafe e-mail attachments, has made the number of e-mail virus incidents drop dramatically, he said.

Gates listed other steps the company has taken to boost security, including its new Baseline Security Analyzer to analyze Windows 2000 and Windows XP systems for common security misconfigurations, and development of a new hardware/software architecture for the Windows PC platform, code-named Palladium.

He also offered tips on what customers, integrators and other vendors can do to help improve computer security.

"Given the complexity of the computing ecosystem and the dynamic nature of the technology industry, Trustworthy Computing really is a journey rather than a destination. Microsoft is fully committed to this path, but it is not something we can do alone," Gates wrote.

The full text of his letter is available at http://www.microsoft.com/mscorp/execmail/2002/07-18twc.asp