Microsoft has made significant progress in making its software more secure and more improvements are on the way, wrote Bill Gates yesterday in a letter to the company's customers.
"Given human nature, evolving threat models and the increasing interconnectedness of computers, the number of security exploits will never reach zero," Gates wrote in a Microsoft Progress Report, the latest in a periodic series of letters on major technology issues e-mailed to Microsoft customers. "But we can dramatically blunt the impact of cyber-criminals and are dedicating a major portion of our R&D investments to security advances."
Gates said the effectiveness of new security measures adopted as part of Microsoft's "trustworthy computing" initiative is borne out by numbers. The number of "critical" and "important" security bulletins issued in the first 320 days of availability for Windows Server 2003 was nine, he wrote, compared with 40 in the same period for Windows 2000 Server, the previous version of the server operating system. SQL Server 2000 generated three such bulletins in the 15 months after the release of Service Pack 3, a collection of bug fixes and updates, compared with 13 in the 15 months before the Service Pack release.
On the desktop, major security improvements will be made to Windows XP with the upcoming release of Service Pack 2, including turning on Windows' built-in firewall by default and memory-management technology (Data Execution Prevention, which marks data pages such as the stack and heap non-executable) to limit exploitation of "buffer overruns," a common avenue for virus and worm attacks.
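As an added illustration that is not part of Gates's letter or this article: the class of bug the paragraph refers to, a stack buffer overrun, shown beside a bounded copy that refuses oversized input. The function names and the sample strings are made up for the example; the comments on what Data Execution Prevention changes describe the general mechanism, not anything the article states about SP2's implementation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: one that fits a 16-byte buffer and one that
 * does not (32 bytes, so it would overrun by more than the buffer's size). */
static const char SHORT_NAME[] = "Alice";
static const char LONG_NAME[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Vulnerable form: strcpy copies until it finds a NUL, with no regard for
 * the 16-byte destination. An input of 16 bytes or more writes past the end
 * of buf and, on most stack layouts, over the saved return address. That is
 * the "buffer overrun" the article mentions. Returns the length copied. */
size_t copy_name_unsafe(const char *name)
{
    char buf[16];
    strcpy(buf, name);          /* no bounds check: the overrun */
    return strlen(buf);
}

/* Hardened form: the length is checked against the destination before
 * anything is written, so the overrun cannot happen. Returns the length
 * copied, or -1 when the input does not fit (including its terminating NUL). */
int copy_name_safe(const char *name)
{
    char buf[16];
    size_t n = strlen(name);
    if (n >= sizeof buf)        /* n == 15 is the largest that still fits */
        return -1;
    memcpy(buf, name, n + 1);   /* copy the string and its NUL */
    return (int)n;
}

int main(void)
{
    /* The safe version accepts the short name and rejects the long one. */
    printf("safe, short input: %d\n", copy_name_safe(SHORT_NAME));  /* 5 */
    printf("safe, long input:  %d\n", copy_name_safe(LONG_NAME));   /* -1 */

    /* The unsafe version behaves identically on well-formed input ... */
    printf("unsafe, short input: %zu\n", copy_name_unsafe(SHORT_NAME));

    /* ... but copy_name_unsafe(LONG_NAME) is undefined behaviour: it smashes
     * the stack frame. Without DEP, an attacker who controls the overrun can
     * point the return address at code carried in the input itself. With DEP
     * the stack is non-executable, so that jump faults instead of running
     * the injected code; the bug is still present, only its exploitation is
     * harder. The bounds check above removes the bug itself. */
    return 0;
}
```

The distinction the comments draw is the one a practitioner should keep in mind: DEP is a mitigation that raises the cost of exploiting an overrun that already exists, while the length check removes the overrun. SP2-era mitigations were valuable precisely because the first kind of fix ships once for every program, whereas the second has to be made in each program.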
Microsoft has also improved the delivery of software patches with the new Windows Update Services and Systems Management Server 2003, a collection of tools designed to let information technology managers quickly test and deploy updates.
Areas Microsoft is researching, Gates wrote, include "active protection technologies" that would let computers respond more intelligently to potential threats. A laptop could automatically apply stronger security settings when connected to a home Internet connection than when on the corporate network, for example, or when its software hasn't been updated for a long time.
Microsoft is also working on "client inspection" tools that would automatically examine remote PCs for viruses and worms before allowing them to connect to a corporate network, plus improved user authentication systems based on smart cards and biometrics.
"Security is as big and important a challenge as any our industry has ever tackled," Gates wrote. "It is not a case of simply fixing a few vulnerabilities and moving on. Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious or destructive software code before it can wreak havoc."
Gates also touted the company's efforts to educate customers on security issues, including a series of free "Security Summits" being launched in April to train developers and IT professionals and the formation of the Virus Information Alliance to share data on computing threats. "We are committed to major investments in customer education and partnerships that will help make the computing environment safer and more secure," Gates wrote.