"Given human nature, evolving threat models and the increasing interconnectedness of computers, the number of security exploits will never reach zero," Gates wrote in a Microsoft Progress Report, the latest
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
Gates said the effectiveness ofadopted as part of Microsoft's " " initiative is borne out by numbers. The number of "critical" and "important" security bulletins issued in the first 320 days of availability for was nine, he wrote, compared with 40 in the same period for Windows 2000 Server, the previous version of the server operating system. SQL 2000 generated three such bulletins in the 15 months after the release of Service Pack 3, a collection of bug fixes and updates, compared with 13 in the 15 months before the Service Pack release.
On the desktop, major security improvements will be made to Windows XP with the upcoming release of, including default use of Windows' built-in firewall and memory management technology to limit exploitation of "buffer overruns," a common avenue for virus attacks.
Microsoft has also improved the delivery of software patches with the newand System Management Server 2003, a collection of tools designed to let information technology managers quickly test and deploy updates.
Areas Microsoft is researching, Gates wrote, include "active protection technologies" that would let computers respond more intelligently to potential threats. A laptop could automatically employ stronger security settings when connected to a home Internet connection than a corporate network, for example, or when software hasn't been updated for a long time.
Microsoft is also working on "client inspection" tools that would automatically examine remote PCs for viruses and worms before allowing them to connect to a corporate network, plus improved user authentication systems based on smart cards and.
"Security is as big and important a challenge as any our industry has ever tackled," Gates wrote. "It is not a case of simply fixing a few vulnerabilities and moving on. Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious or destructive software code before it can wreak havoc."
Gates also touted the company's efforts to educate customers on security issues, including a series of free "Security Summits" being launched in April to train developers and IT professionals and the formation of theto share data on computing threats. "We are committed to major investments in customer education and partnerships that will help make the computing environment safer and more secure," Gates wrote.