Skip to main content

Notes from the Security Road from Mike Nash

Mike Nash here – this is actually the first time that I’ve posted on the blog. You’ve probably heard that we recently made some announcements around our security strategy with Steve Ballmer in the past couple weeks.

I thought it was the perfect occasion for me to join in on the blogging and fill you in a little more about what we did.

In early October, I traveled to Tokyo to meet with customers and government officials, as well as to keynote at the Japan Security Summit. It was a great opportunity for me to lay out our vision and strategy for security.

Our vision, stated most simply, is to establish trust in computing so our customers can realize the full potential of an interconnected world. In other words, it’s about making security so inherent and so reliable that it no longer presents a barrier in any way to all that computing has to offer for the future.

It’s a long road ahead, but we have a solid strategy to get there. We are focusing and investing in three areas: 1) technology fundamentals and innovations – ways that we can use technology to enhance security; 2) prescriptive guidance – providing authoritative information when you need it to help you keep your systems secure; and 3) partnerships – because security is an industry-wide problem, we need to work in concert with security vendors, service providers and law enforcement.

In addition to clarifying strategy and vision, I also gave a progress report on where we are today with security. We’ve made a lot of improvements over the last couple of years. Some of the highlights I talked about were:

· One of the biggest security milestones for Microsoft was the release of Window XP SP2, which has advanced security capabilities with automatic updating and the firewall turned on by default. We have distributed about 300 million copies of SP2 so far – and it has gone a long way in helping to stop threats like Blaster.

· On the server side, we also released Windows Server 2003 SP1, which is more secure by design and by default, and specifically has the Security Configuration Wizard to make it much easier to configure servers for security. More than 4 million copies of SP1 have been downloaded so far.

· For managing malware, we had two notable recent offerings. First, the Windows Anti-Spyware Beta, which remarkably is the most popular download in Microsoft history, with 18 million active users. Second, we started releasing Malicious Software Removal Tool through Microsoft Update in January. There have been more than 1.3 billion executions of the tool so far, focusing on reducing the most prevalent malware. The tool has dramatically reduced the number of bot infections that are circulating on the Internet.

I was particularly pleased to be able to announce in Japan an addition to our cleaner tool for October that cleans for Win32/Antinny, malware that targets non-Microsoft apps and causes information disclosure. Win/32Antinny has been circulating quite actively in Japan and been a serious problem for that market. We are delighted to offer our Japanese customers this solution.

I also spent time in Japan and later in the week in Munich, Germany with Steve Ballmer outlining our defense-in-depth approach through technology. We are focused on fundamentals like our Security Development Lifecycle – which has led to a significantly reduced number of vulnerabilities in our products compared to legacy products, as well as competitor products – and the efforts of the MSRC in releasing quality updates and managing security incidents. At the same time, we are also focused on providing technology enhancements that help provide threat and vulnerability mitigation in future products like IE7 and Vista, with features like User Account Protection and Secure Start Up, to name a few. We’re also focused on bringing new products and services to market to help with identity and access control, so enterprises can effectively manage where users can go on a network and limit what they can do.

In Munich, Steve announced that we will soon be offering Microsoft Client Protection for the enterprise, which will help enterprises protect against both viruses and spyware. A limited beta will be available in the next few months. In addition, Steve announced that we will be re-branding and re-releasing our anti-spam and anti-virus Sybari products as Microsoft products with a beta in the first half of 2006. We also announced a new development alliance, the SecureIT Alliance, which will help security vendors work more closely with Microsoft in developing security solutions on our platforms. There are already 30 important partners like Symantec, McAfee and Trend Micro. You can read more about the announcements here:

Overall, it was a great trip, with customer and government visits in Germany as well. I also participated in a really fun keynote at the University of Munich where I got to talk to about 250 computer science students about how we incorporate secure development practices into our product development lifecycle.

My favorite moment on the trip – which actually resulted in my circumnavigating the entire globe in just a week – was when we illustrated the difference in the number of vulnerabilities in Windows Server 2003 compared to its competitive product, Red Hat Enterprise Linux 3. Steve held Red Hots candies for each vulnerability that he would have had to manage as a Red Hat customer in the last six months. Steve ended dropping quite a few candies on the floor with 217 Red Hots (for 217 vulnerabilities in the last six months) to hold. In contrast, Windows Server 2003 only had 32 vulnerabilities for the same period. (You can check a video of a similar demo that I did at the World Wide Partner Conference in July here:

It was truly terrific to connect with so many customers, partners and our teams around the world.

For a look at how Microsoft views the changing security environment check out this article:,1895,1870612,00.asp

Best regards,


*This posting is provided “AS IS” with no warranties, and confers no rights.*

How satisfied are you with the MSRC Blog?


Feedback * (required)

Your detailed feedback helps us improve your experience. Please enter between 10 and 2,000 characters.

Thank you for your feedback!

We'll review your input and work on improving the site.