Gates Previews Security Projects

SAN FRANCISCO -- The recent leak of Windows source code was not connected to any intrusion on the Microsoft network or to its shared source program, Bill Gates, chairman and chief software architect, told an opening day audience at the RSA Security Conference here.

Gates said little else about the incident, in which incomplete portions of Windows NT and Windows 2000 source code were posted on the Internet. The company confirmed the code's authenticity and said it had enlisted the FBI to investigate. While Gates acknowledged the leak, he also tried to impress attendees with Microsoft's accelerated efforts to improve security in its products and operations.

He also gave a preview of several upcoming products, including parts of Windows XP Service Pack 2 and future updates for Windows XP, as well as biometric security in development.

Sneak Peek at Products

Microsoft publicly demonstrated a new Windows Security Center for the first time. This component of Windows XP Service Pack 2, which is due out in the first half of this year, provides a single-screen display of essential Windows security settings. In it, a user can see if the system's firewall is on, as well as if antivirus software is installed, operational, and up-to-date.

"It centralizes many security settings previously available in unrelated parts of the system," Gates said.

Microsoft also demonstrated two other Windows XP SP2 security components: Windows Firewall (the successor to Internet Connection Firewall) and an enhanced Internet Explorer capable of letting users trust downloaded ActiveX controls on an individual Web site basis.

Gates also showed an early alpha version of Active Protection Technology, due out in Windows XP after 2004. The feature can block suspicious network traffic by watching for out-of-the-ordinary system behavior, such as use of network ports or remote procedure calls.

"The system will truly know what actions are allowed for operating system components and the applications that are running," said Zachary Gutt, a technical product manager in Microsoft's security business and technology unit.

Active Protection Technology will also allow system managers to dynamically raise and lower the security level of a PC based on changes in the computer's state. Gutt showed how a computer lacking a vital patch could be prevented from loading a Web page's ActiveX control until the required patch is installed.

"Active protection represents the next generation of how systems will react and understand what the appropriate policies will be," Gates said.

Biometric Research

Representatives of Microsoft Research also took the stage to show a prototype of a tamper-resistant biometric ID card.

These cards, printable on ordinary paper or plastic using an ink jet printer, were shown compressing a facial image into 136 bytes, combined with a text hash, to create a color bar code making the ID card resistant to tampering.

The system is extensible to include iris and fingerprint authentication, says Gavin Jancke, a development manager at Microsoft Research.

Gates urged developers to take advantage of the next version of Visual Studio, Whidbey, to permit users to install and run applications without having to have administrator privileges.

Security Priorities

Gates emphasized Microsoft's ongoing security efforts. He described Microsoft's latest security thrust as secure by design, secure by default, secure by deployment, plus communications. He used the formula "D³ + C" to summarize Microsoft's goal.

As evidence that Microsoft is getting a handle on its security problems, Gates displayed a graph that compared the number of critical and important security bulletins issued by Microsoft in the first 300 days after release availability of Windows Server 2000 compared to the same time period after the release of Windows Server 2003.

The data showed the number of bulletins has been significantly fewer with Windows Server 2003. However, Gates noted the graph does not necessarily represent the severity of each security problem.