Gates Highlights Progress on Security, Outlines Next Steps for Continued Innovation

SAN FRANCISCO, Feb. 15, 2005 — During his keynote address at the annual RSA Conference today, Bill Gates, chairman and chief software architect at Microsoft Corp., announced continued innovation and technology investments including future enhancements for safer Web browsing, such as plans for a new version of Microsoft Internet Explorer for Windows XP Service Pack 2 customers; expanding anti-spyware protection by including the Windows AntiSpyware technology at no additional charge as part of the Windows value proposition; edge protection technology for businesses, notably the release to manufacturing of Microsoft Internet Security & Acceleration (ISA) Server 2004 Enterprise Edition; and the need for more robust anti-virus protections for collaboration and messaging, demonstrated with Microsoft’s intention to acquire Sybari Software Inc.

“Our primary goal is to improve security and safety for all our customers — consumers and businesses, regardless of size — through a balance of technology innovation, guidance and industry leadership,”

Gates said.

“We’re committed to continued innovation that addresses the threats of today and anticipates those that will undoubtedly emerge in the future.”

Windows XP SP2 Gains Momentum; New Browser Planned





At RSA Conference 2005, Microsoft Chairman and Chief Software Architect Bill Gates announces Internet Explorer 7.0, designed to add new levels of security to Windows XP Service Pack 2. Feb. 15, 2005, San Francisco. Click image for high-res version.

In August, Microsoft released Windows XP Service Pack 2 (SP2), which included major security advancements. Windows XP SP2 includes significant upgrades to Internet Explorer, incorporating a stronger security infrastructure to help thwart malicious software attacks, block suspicious content and eliminate many common spoofing attempts. Gates cited the fact that there are now more than 170 million copies of Windows XP SP2 distributed around the world, and highlighted a recent report from Web analytics firm WebSideStory Inc. that shows almost half of all computer users browsing the Web on weekends are better protected with Windows XP SP2. Businesses are also embracing Windows XP SP2: Of 800 enterprise customers recently surveyed, Microsoft has received commitments from 77 percent to deploy Windows XP SP2 over the next six months. For example, Merrill Lynch, a leading financial management and advisory company, has committed to deploying Windows XP SP2 companywide — across 50,000 desktops — by the middle of the year.

“We’re installing Windows XP SP2 companywide on over 50,000 desktops because we recognize that its security enhancements are significant. As the frequency of attacks against computer systems increases, it’s becoming critically important to have our systems protected against hackers, viruses and other security risks,”

said Joseph Martella, director of End User Computing, Product Engineering at Merrill Lynch.

Building on those advancements, Gates announced Internet Explorer 7.0, designed to add new levels of security to Windows XP SP2 while maintaining the level of extensibility and compatibility that customers have come to expect. Internet Explorer 7.0 will also provide even stronger defenses against phishing, malicious software and spyware. The beta release is scheduled to be available this summer.

Addressing the Threat of Malware

Since December, Microsoft has rolled out new capabilities to assist customers in combating malicious or unwanted software and removing it from their machines, including the beta version of Windows AntiSpyware. Customers have downloaded more than 6 million copies of Windows AntiSpyware since it became available Jan. 6, 2005. Gates announced the company’s plan for making the personal version of the final Windows AntiSpyware software available at no additional charge to licensed Windows customers as part of the Windows value proposition. The offering will offer full functionality to consumers, including the ability to detect and remove spyware, continual protection that helps guard against more than 50 ways that Web sites and programs can put spyware on a PC, and protection against the latest threats through the combined efforts of the SpyNet

™

community and Microsoft researchers. For business customers, with more complex infrastructure support, management and deployment needs, Microsoft plans a managed anti-spyware solution that will be available as part of a paid solution.

“Customers are concerned about the risk malware poses to their personal information, and frustrated by its impact on the reliability and performance of their computers,”

Gates said.

“We are responding by making security easier and more cost-effective for Windows customers, helping to protect millions of people who are vulnerable today.”

Gates also discussed how Microsoft’s security investments will help business customers better protect their systems from constantly evolving threats. Last month Microsoft began shipping a malicious software removal tool on a regular, predictable basis as part of the company’s monthly update cycle. The tool, which detects and removes a range of the most prevalent threats including the Netsky, Korgo and Zafi viruses, was rolled out Jan. 11, 2005, and has been used on more than 133 million PCs worldwide.

Gates expanded on Microsoft’s recently announced plans to acquire security vendor Sybari Software Inc., which provides solutions to help protect messaging and collaboration servers from malicious software. Gates noted that when the acquisition is closed, Microsoft intends to ship a Microsoft engine, based on the GeCAD technology acquired in 2003, as one of the multiple scanning engines supported by Sybari’s flagship Antigen software. Gates further noted that the Microsoft engine would also be integrated into a broad consumer offering by the end of this year.

Streamlining Software Updates

Gates highlighted Microsoft’s efforts to promote the computing ecosystem and infrastructure that allows customers to keep software current with the latest security updates. As a result of these efforts, there was a 400 percent increase in the number of PCs that are being automatically updated by customers using Software Update Services and Windows Update in 2004. To further simplify the update process, Gates announced that a beta version of Microsoft Update, a unified update service for consumers and small businesses that includes technologies such as Windows XP, Windows 2000, Windows Server

™

2003, Office 2003 and Exchange Server 2003, is scheduled for release in mid-March. Microsoft Update will consolidate the latest security and reliability updates in one convenient location. In addition, Gates confirmed that the final version of a complimentary service designed for midsize and larger enterprises, Windows Update Services, will be available in the first half of 2005. Windows Update Services will enable system administrators to more quickly obtain updates for a wider array of Microsoft applications and distribute them across their networks.

In addition, Gates announced that version 2.0 of the Microsoft Baseline Security Analyzer (MBSA), a tool to help identify common security misconfigurations, will be available in the same timeframe as Windows Update Services, and will work seamlessly with Windows Update Services to provide consistency in scanning and deployment.

Innovation to Better Protect Networks and Sensitive Information

As part of Microsoft’s initiatives to better protect the edge of corporate networks, Gates announced the release to manufacturing of the Enterprise Edition of Microsoft Internet Security and Acceleration (ISA) Server 2004. ISA Server 2004 Enterprise Edition is designed to help customers reduce risks and security-related costs by helping protect key business scenarios in the enterprise; features include more-secure remote access to essential applications for employees and partners, security-enhanced connections for branch offices to corporate headquarters, and better protections from malicious Internet traffic. The Enterprise Edition of ISA delivers improved manageability, scalability and availability.

Gates also restated Microsoft’s long-term commitment to providing customers with innovative solutions to help protect their sensitive information from unauthorized use by announcing how Service Pack 1 for Windows Rights Management Services (RMS) will enable new solutions for regulatory compliance and records management. RMS SP1 will add the ability to deploy a low-cost enterprise rights management solution without a network connection to the Internet and without an operational dependency on an external entity such as Microsoft, integration with smart-card technology for improved authentication, and more-efficient management of group definitions through stronger integrations with Active Directory service.

Comprehensive Guidance, Training and Support

Gates stressed the important role developers play in overall IT security, noting that a recent Microsoft study showed that 64 percent of developers are not confident in their ability to write secure applications. To help address that gap, he announced three worldwide initiatives:

A partnership with SPI Dynamics Inc., Fortify Software Inc., Mercury, ISSA and others on the Secure Software Forum, aimed at bringing focus to application security as a life-cycle and industrywide issue.

An effort to educate developers on threat modeling and how to write more-secure code that is based on Microsoft’s own Security Development Lifecycle (SDL) program. The SDL has been Microsoft’s approach to enhancing its software development processes to better accommodate security best practices. Microsoft has used the SDL on many products, including Windows Server 2003, SQL Server

™

2000 SP3, Exchange Server 2003 SP1 and the upcoming release of Microsoft Exchange Server 2003 SP2 (due out in the second half of 2005) to measurably improve security. The first Microsoft operating system that implemented large portions of the SDL, Windows Server 2003, had 63 percent fewer security vulnerabilities in its first year compared to Windows 2000 Server.

A worldwide Microsoft Most Valuable Professional (MVP) program, a community of credible technology experts from around the world willing to help others, is specifically targeted at helping developers who have issues with securing applications. This outreach effort is designed to educate the developer community about writing more-secure applications, and to invite the developer community to help guide the direction of Microsoft with product feedback and recommendations for application security.

Microsoft has made significant advancements in the security guidance and tools designed to reduce risks for customers. Over the past year, it has provided security training to more than 750,000 IT professionals, developers and partners around the world.

Partnering With the Industry, Government and Law Enforcement

Gates also described how Microsoft continues to partner with governments, law enforcement agencies and industry partners worldwide to address the key societal challenges of IT security. Microsoft actively supports domestic policy initiatives that target criminal and dishonest behavior that compromises the safety and privacy of online data. Microsoft also supports international efforts to enhance the ability of law enforcement to catch and punish online criminals who prey on consumers and businesses.

Microsoft’s Internet Safety Enforcement team continues its collaboration with other technology companies, law enforcement agencies and state attorneys general to combat the proliferation of illegal spam. Already in 2005, Microsoft helped the Texas attorney general target the world’s fourth-largest spammer, and partnered with pharmaceutical industry leader Pfizer Inc. to bring lawsuits against other global spam rings that engage in illegal practices.

To help parents and teachers improve children’s safety online, Microsoft has partnered with AMD, McAfee Inc., NetZero Inc., Cox Communications Inc., Comcast Corp. and The Cybersmart Education Company to introduce WebWatchers, an elementary school curriculum for safe computing. Nearly 13,000 school districts across the United States serving 4.6 million students have the opportunity to take advantage of this program, which was released in early February.

Microsoft has funded and collaborated with Interpol and the International Centre for Missing and Exploited Children to conduct six four-day training sessions on computer-facilitated crimes against children. The sessions have trained more than 570 officials from 67 countries worldwide in sessions hosted in Hong Kong; Zagreb, Croatia; Lyon, France; Cape Town, South Africa; San Jose, Costa Rica; and Bucharest, Romania.

“Security remains a top priority for Microsoft,”

Gates said.

“Technology’s full potential can be realized only when customers are able to securely deploy solutions, and the entire community works in partnership to foil attacks by hackers and criminals.”

More information about Microsoft’s efforts around security can be found at “http://www.microsoft.com/security .

About Microsoft

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Microsoft, Windows, Windows Server and Active Directory are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.asp .