• PC World
• »Security

After nearly 25 years of writing software code, Microsoft is taking a break to do a little housecleaning.

The company has ordered a temporary halt in the development of new code and has instructed its developers to go back and check for security holes in the piles of ones and zeros already written. The cleanup targets the gamut of Microsoft products from its desktop operating systems to its newly released .Net tools, a Microsoft spokesperson confirmed Monday. Each division will stop writing new code for about one month.

The development team building the next version of Windows, for example, has taken a break to perform an "intense review of the Windows source code," the spokesperson said. That includes reviews and audits of the operating system, or what the company is calling a "code scrub."

Similar efforts are already under way with the development team building Microsoft's Office software, as well as among developers working on its .Net initiative. The effort is expected to extend to other divisions at Microsoft in the next few months, the spokesperson said.

Gaining Trust

The cleaning frenzy is part of a broader effort dubbed the Trustworthy Computing Initiative, which is intended to make Microsoft's software more secure and reliable. Bill Gates, the company's chairman and chief software architect, outlined the initiative to employees in a memo last month.

Although its intentions may be good, one analyst suspected that the moratorium on new code would throw a wrench into Microsoft's development schedule. "Certainly it has an impact on development plans, on products as well as service packs," says Michael Silver, a software analyst with Gartner.

Most at risk is the first major package of updates and bug fixes for Windows XP, Microsoft's newest operating system, he says. The service pack is expected to include the updates, patches, and bug fixes developed for the operating system since its launch in October.

Possible Delays

With the service pack already in danger of delay due to events related to Microsoft's antitrust settlement proposal with the U.S. government, Silver predicts that any security flaws discovered during the house-cleaning effort could add to the work in getting the first service pack out.

"Certainly if they find something interesting they might want to include some other security fixes in [Windows XP] Service Pack 1," he says.

The service pack initially faced a possible delay because of a stipulation in the proposed settlement Microsoft reached with the Department of Justice and nine state attorneys general, Silver says. Terms of that settlement require Microsoft to disclose certain APIs (application program interfaces) for the operating system within a year of the deal being signed or in the first Windows XP service pack; whichever comes first. A judge is expected to rule on that settlement later this month.

Microsoft typically releases the first service pack to a product about six months after the product is launched. That puts the Windows XP Service Pack 1 due for release around April. It's unclear whether the company could meet that schedule if it were required to include the APIs, Silver says.

Patches and Fixes

Besides issuing service packs, users can access the latest security patches and bug fixes through Microsoft's Windows Update utility. Last week, Microsoft also released a new type of update that it calls a Security Rollup Package. The first of these packages was released for the Windows 2000 desktop and server operating systems, and comes midway between the Windows 2000 Service Pack 1 and Service Pack 2.

Microsoft's director of corporate privacy, Richard Purcell, commented on the code-cleaning effort Friday at a security conference in Washington, D.C., according to a report in the Government Computer Times. He said the effort came about partly because Bill Gates, the company's chairman and chief software architect, "is really annoyed by the incredible pain we put everyone through in computing," according to the report.

That pain has affected both corporate and consumer customers of Microsoft. Businesses running Microsoft's Internet Information Server (IIS) last year found themselves vulnerable to the damaging Code Red worm, while other Windows users fended off a worm known as Nimda in September.

Microsoft's market leadership makes it a prime target for computer hackers and worm builders, according to Rob Enderle, research fellow with Giga Information Group.

• See more like this:
• Microsoft,
• Windows,
• XP,
• code,
• security,
• flaw,
• fix,
• rollup,
• Bill Gates,
• fix,
• software