[ISN] Gates says Microsoft security push cost $100 mln

From: InfoSec News (isnat_private)
Date: Fri Jul 19 2002 - 09:02:49 PDT

    By Elinor Mills Abreu

    SAN FRANCISCO (Reuters) - Microsoft Corp. Chairman Bill Gates Thursday
    said the company's high-profile campaign to improve the security of
    its software had cost at least $100 million this year, but said the
    expense was paying off in better products.

    In the early months of this year, Microsoft interrupted the
    development work of more than 8,500 engineers and sent many on special
    training to improve the security of its Windows operating system. That
    "stand-down" took nearly two months and cost at least $100 million,
    Gates said Thursday.

    "We estimated that the stand-down would take 30 days," Gates wrote in
    an e-mail sent to more than a million customers who subscribe to
    Microsoft newsletters and provided to Reuters. "It took nearly twice
    that long, and cost Microsoft more than $100 million.

    "We've undertaken similar code reviews and security training for
    Microsoft Office and Visual Studio .NET, and will be doing so for
    other products as well," he said in the e-mail, in which he touted the
    progress that has been made since January when he proclaimed security
    as Microsoft's top priority.

    At the time, Gates sent a rare e-mail to Microsoft's 50,000 employees
    that said the future of the company depended on ensuring that its
    products were secure from hackers and viruses.

    Over the past six months, the Redmond, Washington-based software giant
    has changed the way it designs and develops software, and has
    committed to shipping Windows .NET Server 2003 as "secure by default,"
    with settings in the position of the highest level of safety, the
    e-mail said.

    Microsoft also now offers tools which allow users to quickly install
    updates and patches and analyze systems for incorrectly configured
    software and missing fixes, he said.

    The company has incorporated technology into its Internet Explorer
    browser software in Windows XP that allows people to set privacy
    preferences and easily review Web site privacy policies.

    And most recently, the company released information about a new
    project dubbed "Palladium" in which it will work with microprocessor
    and PC manufacturers to embed security features into the hardware,
    among other actions.

    Despite the efforts, the company still ends up releasing security
    fixes on a weekly, sometimes daily, basis.

    Just this week the company announced a vulnerability in its SQL Server
    2000 software that could allow an attacker to run malicious code on
    the computer.

    In mid-June, a security program manager for the company's Security
    Response Center said officials had released 30 security bulletins
    since the beginning of the year, equal to about half the total sent
    out last year.

    Some of Microsoft's moves to improve the security of its products have
    actually been criticized as being too intrusive.

    For instance, certain automatic update features can pass data from the
    computer back to the company, but Microsoft executives insist they
    aren't collecting information about individual users.

    In addition, Microsoft's new Palladium plan has been criticized by
    privacy advocates who say it poses potential for abuse and by
    cyber-libertarians who say it is designed to allow copyright holders
    more effective ways to prevent piracy through digital copyright

    However, Microsoft executives have insisted that their aim with
    Palladium is to offer customers better security and privacy.

    The e-mail is the first in an "occasional series of mails" that Gates,
    Chief Executive Steve Ballmer and other Microsoft executives will be
    sending to people on technology and public policy issues, Gates wrote.

    "This is part of our commitment to ensuring that Microsoft is more
    open about communicating who we are and what we are doing," he said.
    "Trustworthy Computing really is a journey rather than a destination."

    Earlier in the day, Microsoft reported a 10 percent rise in
    fourth-quarter sales and higher earnings on strong corporate demand
    for its products.

    ISN is currently hosted by Attrition.org