Microsoft and Computer Security in 2005
Posted on December 22, 2005 at 09:48:03 am
In the ongoing challenge to deliver a safer, more secure computing experience for PC users, Microsoft and its industry partners in 2005 made considerable progress on the security front with achievements such as greater customer awareness of the existence of spam, viruses, spyware and other security threats, as well as the availability of more effective and powerful software protections against software attacks and security breaches, which has resulted in improved security for Microsoft customers.
Microsoft’s security efforts are focused on three areas: technology investments; prescriptive guidance and education; and industry partnerships.
Technology Investments Progress
Microsoft is making investments to achieve the highest level of quality in Microsoft software, and to deliver security technology innovations in the platform, security products and hosted security services. Over the past 12 months, Microsoft has made significant progress in delivering technologies across three key areas: fundamentals, threat and vulnerability mitigation, and identity and access control.
- Fundamentals: Microsoft’s Security Development Lifecycle (SDL)—an approach to the entire software development process that incorporates security holistically and comprehensively—expanded on the successful security improvements made in Microsoft Windows XP SP2, with another year of improved security fundamentals in a variety of products across the company. By utilizing the SDL process during product development, vulnerabilities in Microsoft Windows Server 2003 were reduced from 84 to 49 compared to the previous version of the product during the first two-and-a-half years after shipping. This year also marked a new wave of shipping products developed under the SDL process. These included Visual Studio 2005, SQL Server 2005, and BizTalk Server 2006 Beta 2. Microsoft introduced a series of improved software updating tools throughout the year, and implemented a Software Update Validation program that provides rigorous testing of updates before releasing them to customers. Additionally, it was recently announced that Microsoft Windows XP Service Pack (SP) 2 and Microsoft Windows Server 2003 Service Pack (SP) 1 received Common Criteria Certification, which includes an evaluation of the broadest set of real-world scenarios of any operating system platform today, and underscores the company’s ongoing commitment to improving the security of its software.
- Threat and Vulnerability Mitigation: Microsoft began development of several technology tools designed specifically to defend and mitigate against a broad range of threats. These included the acquisition of Sybari Software for enhanced protection against malicious software for enterprise customers; the announcement of Microsoft Client Protection, which will combine strong anti-spyware tools, comprehensive virus protection and centralized management capabilities for laptops, desktops and servers in business systems; and the acquisition of FrontBridge Technologies to enhance management and security capabilities for enterprise e-mail environments. For consumers, Microsoft also delivered a beta version of Microsoft Windows OneCare Live, a subscription service that takes much of the work out of online protection, by automatically helping guard against spyware, phishing attacks and other threats. Also released was the first beta of Windows AntiSpyware—the most popular download in Microsoft’s history, which is already helping to protect the computers of more than 18 million customers. The Microsoft Windows Malicious Software Removal Tool has been executed by customers 1.8 billion times—an average of 200 million times per month—to help remove the most prevalent forms of malware from PCs.
- Identity and Access Control: Microsoft’s goal in this area is to help ensure that computing is trustworthy, that corporate policy can be managed to dictate what resources users can access, and personal and corporate information is protected throughout its lifetime—wherever it resides. In 2005, Microsoft acquired Alacris, a leading provider of strong authentication solutions for digital certificates and smart card applications. Microsoft also shipped enhanced identity control capabilities in Active Directory, as well as Microsoft Windows Rights Management Services (RMS) Service Pack 1, which offers customers further improvements in how they protect their sensitive information, no matter where it travels to, and even in the face of loss.
Another area of activity for Microsoft security is educational outreach and improved security guidance for consumers, IT professionals, software developers and industry partners. For developers, Microsoft provided intensive training for third-party developers on secure coding practices and the SDL at the annual Microsoft Professional Developers Conference. The company also continued to build on its 35,000 unique pages of security guidance for developers and IT professionals by launching a new online security curriculum called Learning Paths for Security, organized around four key learning paths: Threats & Vulnerabilities; Identity & Access Control; Regulatory Compliance; and System Integrity. Microsoft also provided valuable guidance to more than 30,000 IT professionals and technical decision makers through Security360, a monthly webcast series focused on security topics that includes commentary and guidance from security industry experts inside and outside of Microsoft.
Based on customer feedback, Microsoft made some major improvements in 2005 to its security communications to help customers protect their PCs, including providing additional guidance for customers through 15 security advisories as well as 96 entries on the Microsoft Security Response Center blog. Other new tools in 2005 include advance notification for monthly bulletins, notifications through RSS feeds and MSN Messenger Alerts and monthly technical webcasts. These new offerings have helped address the need for customers to have timely and prescriptive guidance from Microsoft on security issues.
For consumers, Microsoft partnered with the U.S. Federal Trade Commission (FTC) and the National Consumers League to promote awareness of phishing scams, and with the National Cyber Security Alliance to increase consumer awareness about security through National Cyber Security Awareness Month in October 2005. Microsoft continues to provide additional outreach and educational programs on a global basis to consumers and to enterprise customers.
Industry Partnership Progress
In 2005, Microsoft continued to expand upon its partnerships with governments and industry leaders to address the important challenges of IT, including security, privacy, children’s online safety, phishing and spam.
In terms of partnerships, one key announcement during 2005 was the creation of the SecureIT Alliance, a group of security partners that are working together to develop innovative security solutions for the Microsoft platform for the benefit of common customers. This announcement was the latest in a number of partnerships Microsoft has formed with the public and private sectors, including the Virus Information Alliance, the Global Infrastructure Alliance for Internet Safety and the Security Cooperation Program for governments. Additionally, Microsoft is an active member of the Anti-Phishing Working Group and the National Cyber Security Alliance.
On the issue of spyware, Microsoft is a founding member of the AntiSpyware Coalition, which includes some of the country’s largest technology companies and public interest groups. Microsoft is also working with the FTC and other agencies using current law to find purveyors of fraudulent and destructive software.
In 2005, Microsoft participated in Black Hat briefings and hosted two Blue Hat events, with the goal of enhancing communications and relationships with the security researcher community, learning how researchers attempt to find vulnerabilities, and applying those learnings to developing more secure software.
Microsoft continued its support of law enforcement efforts worldwide to deter cyber crime. Major law enforcement activity during the year included arrests in August by Turkish and Moroccan law enforcement authorities of the alleged authors of the Zotob and Mytob worms, less than two weeks after the worms were unleashed. Microsoft helped law-enforcement agencies by providing technical support in the investigation. In July, Microsoft announced an award of US$250,000 to two individuals who helped identify the creator of the notorious Sasser worm in 2004. The author of the worm, arrested in May 2004, was found guilty this year by a court in Verden, Germany.
Because data privacy remains a focal point for any discussion around information technologies and computer security, in a speech before the Congressional Internet Caucus in November, Brad Smith, senior vice president and general counsel for Microsoft, detailed Microsoft’s support for a “comprehensive” legislative approach to data privacy at the federal level that would provide meaningful protections for individuals, focus on preventing actual harm, and set clear guidelines for businesses while still allowing commerce to flourish.
Microsoft also worked on a broad range of issues with lawmakers to pursue and support legislation to protect customers and combat online consumer fraud, spyware, spam and privacy breaches.
A Look Ahead
Microsoft plans to build on the momentum from 2005, with a continued emphasis on security for the year ahead. This will require continued investments in technology, educational outreach and work with industry partners to help increase customers’ trust in computing.
One major technology element in the 2006 security picture for Microsoft will be the release of Microsoft Windows Vista. Specifically, customers of the Windows Vista platform will experience security improvements ranging from user account control, better support for smartcards and enhanced firewall protection to improved security and privacy capabilities in Microsoft Internet Explorer 7.0. Customers will also benefit from enhanced information protection functionality in Windows Vista such as BitLocker Drive Encryption, a hardware-based feature that addresses the growing concern over corporate and customer data on lost or stolen machines.



