Security Progress at Microsoft

If you have not already done so, I would urge you to take a look at Bill Gates' “Microsoft Progress Report: Security” at One thing that will hit you is the sheer breadth of effort being undertaken at Microsoft in the security arena. And by security, I don't just mean crypto, I mean quality and attack resilience too.

As some of you know, I spend all my time working on security engineering; helping engineers (developers, designers, program managers, testers, documentation people, architects and the odd VP) “do the right thing” from a security perspective. It takes time to see the results of your labors when you start a mammoth undertaking like Trustworthy Computing, but I really feel like we are starting to see real progress. And I mean REAL PROGRESS. Now don't get me wrong, there is still a huge amount of work to be done, but some of the early indicators in Bill's email are, for me anyway, very encouraging:

The security development processes we instituted prior to releasing Windows Server 2003 last year are a prime example of where this effort is showing results that benefit customers. The number of "critical" or "important" security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to 9 in the first 320 days each product was on the market. Similarly, for SQL Server 2000, there were 3 bulletins issued in the 15 months after release of Service Pack 3, compared to 13 bulletins in the 15 months prior to its release. With Exchange 2000 SP3, there was just 1 bulletin in the 21 months after its release, compared to 7 bulletins in the 21 months prior.

To me, the most telling figures are the Windows figures:

  • 320 days after the release of Windows 2000, we had issued 40 important or critical security bulletins.
  • 320 days after the release of Windows Server 2003, we have issued 9 important or critical security bulletins.

Once again, don't get me wrong, that's still 9 security bulletins, but 9 is MUCH better than 40! And we're seeing this trend across other products too.

There's one figure not in Bill's email, and that is the number of security bulletins issued against IIS6. So here's a pop quiz: we're nearly at the one-year anniversary of the release of Windows Server 2003 and IIS6, so how many security bulletins have been issued for IIS6? Zero. I'm not saying there are no security defects in IIS6, I have no doubt there are. But I like zero! I like zero a lot!

It's warming to see all the work we've done in the last two years starting to pay off. All the training, documentation, root cause analysis, process improvement, threat modeling, security pushes, security reviews, code changes, attack surface reduction work, penetration testing, automated source analysis, compiler improvements, heap improvements and much more has been worth every penny.

Now onto the next two years!

Comments (31)

  1. Umm.. We’re nearly a year away from the one-year anniversary of Windows Server 2K3?

    Feel free to delete this if you want.

  2. Michael Howard says:

    Yeah – 24 April 2003 was the release. Doesn’t time fly, Larry 🙂

  3. Michael Howard says:

    Oh dear – I see what I did!

  4. Bernard says:

    yes ! IIS 6.0 ROCKS !!!

  5. Mike Dimmick says:

    Relevant to Stefan’s link: the only issue reported against IIS 6.0 is The authors seem to have something against MS – see their message at, where they mention that they haven’t contacted MS.

    Also, there are side issues which while not in IIS codebase still affect it, for example the ASN.1 vulnerability, which could affect IIS if it tries to authenticate a malformed client certificate (perhaps).

    Anyhow, a good effort so far, and I think it’s having knock-on effects in general code quality too.

  6. Uber Braner says:

    As we’ve said before, Microsoft is strongly committed to using state-of-the-art engineering practices, standards and processes in the creation of our software. We have undertaken a rigorous "engineering excellence" initiative so that our engineers understand and use best practices in software design, development, testing and release.

    Rigorous "engineering excellence" as in (don’t) "catch exceptions by reference"? See:

    msdn: .NET Enterprise Services Performance

  7. RichB says:

    It’s telling that Bill catalogues Security Bulletins rather than Vulnerabilities. Over time the number of vulnerabilities announced per bulletin has increased noticeably, so it doesn’t surprise me the number of bulletins has decreased.

    Michael – do you have figures for the number of vulnerabilities? Could you post them on your blog?

  8. Michael Howard says:

    I only have the vuln numbers for 2003, but you can easily check ’em yourself by looking at the CVE (Common Vuln & Exposures) numbers for each bulletin. Of the 51 bulletins in 2003, 39 fixed only one CVE, 6 fixed two, three fixed 3, two fixed four, and one bulletin fixed five CVEs.
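RichB's objection is that a bulletin count and a vulnerability count are different metrics, and Michael's reply shows how to recover the second from the CVE ids on each bulletin. The script below is an added example, not part of the post: it takes a constructed list of bulletins (placeholder CVE ids, not real ones) and computes both metrics for the post's "Critical or Important in the first 320 days after release" window, deduplicating CVEs that appear on more than one bulletin. The Windows Server 2003 release date is from the post; the Windows 2000 date is an assumed value.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample bulletins (placeholder CVE ids, not real ones):
# (product, publication date, severity, CVEs fixed)
SAMPLE_BULLETINS = [
    ("Windows 2000", date(2000, 3, 1), "Critical", ["CVE-SAMPLE-0001"]),
    ("Windows 2000", date(2000, 6, 10), "Important", ["CVE-SAMPLE-0002", "CVE-SAMPLE-0003"]),
    ("Windows 2000", date(2000, 11, 20), "Moderate", ["CVE-SAMPLE-0004"]),  # severity not counted
    ("Windows 2000", date(2001, 2, 1), "Critical", ["CVE-SAMPLE-0005"]),  # outside 320-day window
    ("Windows Server 2003", date(2003, 7, 16), "Critical",
     ["CVE-SAMPLE-0006", "CVE-SAMPLE-0007", "CVE-SAMPLE-0008"]),
    ("Windows Server 2003", date(2003, 10, 15), "Important", ["CVE-SAMPLE-0009"]),
    ("Windows Server 2003", date(2003, 10, 15), "Important", ["CVE-SAMPLE-0009", "CVE-SAMPLE-0010"]),
]

# Windows Server 2003 release date is from the post (24 April 2003); the
# Windows 2000 date is an assumed value for this example.
RELEASE_DATES = {"Windows 2000": date(2000, 2, 17), "Windows Server 2003": date(2003, 4, 24)}
COUNTED_SEVERITIES = ("Critical", "Important")


def bulletins_in_window(bulletins, product, days=320):
    """Critical/Important bulletins for `product` published within `days` of
    its release (the post's 'first 320 days' window, end exclusive)."""
    start = RELEASE_DATES[product]
    end = start + timedelta(days=days)
    return [b for b in bulletins
            if b[0] == product and b[2] in COUNTED_SEVERITIES and start <= b[1] < end]


def window_metrics(bulletins, product, days=320):
    """Both metrics side by side: bulletin count (what the post reports) and
    distinct CVE count (what RichB asks for), plus the CVEs-per-bulletin spread.
    CVEs are deduplicated, since one CVE can be fixed by more than one bulletin."""
    window = bulletins_in_window(bulletins, product, days)
    distinct = {cve for b in window for cve in b[3]}
    return {
        "bulletins": len(window),
        "distinct_cves": len(distinct),
        "cves_per_bulletin": dict(Counter(len(b[3]) for b in window)),
    }


if __name__ == "__main__":
    for product in RELEASE_DATES:
        print(product, window_metrics(SAMPLE_BULLETINS, product))
```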

  9. Bernard says:

    I posted this at Stefan’s blog

    Microsoft Multiple IIS 6.0 Web Admin Vulnerabilities

    I won’t consider these core bugs or exploits, as this is related to the web admin interfaces that probably ‘don’t’ do client-side checking.

    Besides, if you really need the web admin interface, you MUST limit access to this interface, e.g. firewall, IP restriction, etc.

  10. Bernard says:

    And FYI, I don’t have any WEB admin interface running on a production box.

  11. AT says:

    It’s nice to see how Microsoft changes the way they count instead of what they count.

    "Surface reduction" practice – disabling all the services not needed to show the nice "Click here to start" button – really helped a lot of "Critical" become "Warning". Enabling them back will reveal the real value.

    Also I may assure you that this year you will have at most 12 bulletins – you have changed the way bulletins are issued – monthly.

    This clearly shows that Microsoft expects numerous exploits – batching them in one message instead of releasing them ASAP separately.

    Do you think it is an advantage to keep user systems at risk for 15 days on average? If I were an evil person, I would release exploits the day after the previous bulletin was issued.

    P.S. Just for the record, I like that Microsoft is thinking about security a lot. But there will never be enough security. Do not allow people to think that everything is fine.

  12. Michael Howard says:

    >that this year you will have at most 12 bulletins

    Not so, each month we will probably issue more than one bulletin. Mar04 we issued three (one each for MSN Messenger, Outlook and Media Server), Feb04 we issued 4 and Jan04 we issued 3.

  13. Pete says:

    Couple of comments on this:

    "and FYI, I don’t have any WEB admin interface running on production box."

    -This was from Bernard. The comment on this is: good for you. Not all of the administrators are following the security checklists or how something should be done according to some guidelines. Not all of the people are reading Bugtraq et al.; they should, yeah, but they’re not. They are more or less just wanting to get the job done. Which means that there most likely are many boxes out there with WEB admin interfaces running, regardless of whether there should be or not.

    In general: is it wrong to calculate the level of security by how many bulletins MS has released so far? For example, there is upcoming stuff coming from eEye, which includes bugs found last year with no bulletins released yet, which means the count could be higher.

    Moreover, the statement also requires that Microsoft *does* know all the vulnerabilities that people have been finding all over the globe, which I doubt. Not all people are seeking fame and glory by sending that info either to any public place or to Microsoft – partially this also prevents some exploitation of people’s systems, since the group that is the reason for causing havoc – script kiddies – does not have that info. I think Marcus Ranum spoke about this a couple of years back, and while it sounds awkward, I think he was right.

    Actually, the usage of Windows 2003 has also led to situations where the administrator has purposefully lowered the security state of the host due to their application not running in the default, locked-down state. This does not relate to the bulletin level, but more or less to the fact that there are two different places to count security: the vendor and the actual place where the OS is used.

    All in all, the amount of bulletins, while it tells something, shouldn’t be used as a meter for a definitive statement of what level the security is at in reality.

    But; keep going. The direction is definitely good.

  14. Mark says:

    I have created a website concerning the possibility of terrorist attack through INTERNAL access to software source code. Most software companies DO NOT perform path coverage analysis (an industry standard method for discovering untested software paths), and I know of no company performing concordance analysis (examination of the words used in a software program).

    Comments would be greatly appreciated.

  15. Bhupinder Singh says:

    Hi Michael,

    Will we ever see a trusted Windows like a trusted Solaris or a trusted Linux SE?

  16. Bauq says:

    Agree. Windows is on the right track to be more and more secure.

  17. Security Progress at Microsoft (Michael Howard’s blog)

  18. Security Progress at Microsoft (Michael Howard’s blog)

  19. Hi. I have an idea. How about formalizing these values with other factors like the number of packages/licenses shipped and consumed, or the numbers downloaded from betaplace and MSDN (just a few examples, so there may be other more important factors to show)?

    That way you can evaluate what it really means more precisely, more accurately, and more objectively. I believe that such an evaluation with other important factors still shows that Windows Server 2003 is far, far better than the previous platforms.

  20. Anita says:

    Hi! I would like to say that Microsoft is doing a great thing! Our privacy depends on you guys! Keep doing it like this!
