In a letter E-mailed to Microsoft customers Wednesday morning, Gates wrote, "Given human nature, evolving threat models, and the increasing interconnectedness of computers, the number of security exploits will never reach zero. But we can dramatically blunt the impact of cybercriminals and are dedicating a major portion of our R&D investments to security advances."
The letter cites improvements in Windows XP Service Pack 2 that will help to improve security, including the Windows Firewall being turned on by default, automatic blocking of unwanted Web-site downloads and pop-up advertisements, and improved memory protection designed to thwart all-too-common buffer-overflow attacks. Also, Windows Server 2003 Service Pack 1, which is scheduled to ship later this year, will contain the server security technologies within Windows XP Service Pack 2.
Gates also highlighted some of the work the company is doing for what it calls its "active protection technologies," which, when completed, would help systems adjust security defenses based on their "state," such as the installation of new software or users logging on from untrusted networks, Gates wrote.
The letter, available at www.microsoft.com/mscorp/execmail, didn't unveil any new security initiatives from Microsoft, but rather highlighted many of the security programs and investments the company has had under way since Gates' "Trustworthy Computing" E-mail, which was sent to customers in January 2002. The letter also touted the Web-services security specs, WS-Security; improvements in user-authentication technologies, such as smart cards and biometrics; and improvements in patch deployment, which will help improve security.
"Security is as big and important a challenge as any our industry has ever tackled. It is not a case of simply fixing a few vulnerabilities and moving on," Gates wrote. "Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious or destructive software code before it can wreak havoc."