Real progress was made by Microsoft and its industry partners in 2005.

REDMOND, Wash., Dec. 21, 2005 — In the ongoing challenge to deliver a safer, more secure computing experience for PC users, Microsoft and its industry partners in 2005 made considerable progress on the security front with achievements such as greater customer awareness of the existence of spam, viruses, spyware and other security threats, as well as the availability of more effective and powerful software protections against software attacks and security breaches, which has resulted in improved security for Microsoft customers.

“At Microsoft, we’re focused on protecting customers from current and emerging cyber security threats,” says Mike Nash, corporate vice president of Microsoft’s Security Technology Unit. “Our strategy is to make the right technology investments, to provide clear guidance to our customers about how to stay better protected, and address industry-wide challenges through partnerships in the public and private sectors.”

In looking at the past year, Nash adds, “The deep investments we’ve made in technology are resulting in a more secure computing experience for our customers. More than 250 million copies of Windows XP Service Pack 2, which includes significant security enhancements, have been distributed. Windows Server 2003 Service Pack 1, which is more secure by design and default and includes the security configuration wizard, has been downloaded approximately 4 million times. Over 18 million customers are using the Windows AntiSpyware beta to help protect themselves against spyware threats.”

Additionally Nash offers, these new tools, coupled with customers’ better understanding of security best practices, are paying dividends. “We look forward to continuing our efforts to build greater trust in computing in 2006,” he says.

Jon Oltsik, senior analyst on information security of the Enterprise Strategy Group says in “Could Microsoft Make Security a Competitive Differentiator?” — “Microsoft has proven time and time again that its corporate focus equates with execution excellence somewhere down the line. The company is now delivering on security in a way that sets it apart from other software companies.”

Microsoft’s security efforts are focused on three areas: technology investments; prescriptive guidance and education; and industry partnerships.

Technology Investments Progress

Microsoft is making investments to achieve the highest level of quality in Microsoft software, and to deliver security technology innovations in the platform, security products and hosted security services. Over the past 12 months, Microsoft has made significant progress in delivering technologies across three key areas: fundamentals, threat and vulnerability mitigation, and identity and access control.

• Fundamentals: Microsoft’s Security Development Lifecycle (SDL)—an approach to the entire software development process that incorporates security holistically and comprehensively—expanded on the successful security improvements made in Microsoft Windows XP SP2, with another year of improved security fundamentals in a variety of products across the company. By utilizing the SDL process during product development, vulnerabilities in Microsoft Windows Server 2003 were reduced from 84 to 49 compared to the previous version of the product during the first two-and-a-half years after shipping. This year also marked a new wave of shipping products developed under the SDL process. These included Visual Studio 2005, SQL Server 2005, and BizTalk Server 2006 Beta 2. Microsoft introduced a series of improved software updating tools throughout the year, and implemented a Software Update Validation program that provides rigorous testing of updates before releasing them to customers. Additionally, it was recently announced that Microsoft Windows XP Service Pack (SP) 2 and Microsoft Windows Server 2003 Service Pack (SP)1 received Common Criteria Certification, which includes an evaluation of the broadest set of real-world scenarios of any operating system platform today, and underscores the company’s ongoing commitment to improving the security of its software.

• Threat and Vulnerability Mitigation: Microsoft began development of several technology tools designed specifically to defend and mitigate against a broad range of threats. These included the acquisition of Sybari Software for enhanced protection against malicious software for enterprise customers; the announcement of Microsoft Client Protection, which will combine strong anti-spyware tools, comprehensive virus protection and centralized management capabilities for laptops, desktops and servers in business systems; and the acquisition of FrontBridge Technologies to enhance management and security capabilities for enterprise e-mail environments. For consumers, Microsoft also delivered a beta version of Microsoft Windows OneCare Live, a subscription service that takes much of the work out of online protection, by automatically helping guard against spyware, phishing attacks and other threats. Also released was the first beta of Windows AntiSpyware—the most popular download in Microsoft’s history, which is already helping to protect the computers of more than 18 million customers. The Microsoft Windows Malicious Software Removal Tool has been executed by customers 1.8 billion times—an average of 200 million times per month—to help remove the most prevalent forms of malware from PCs.

• Identity and Access Control: Microsoft’s goal in this area is to help ensure that computing is trustworthy, that corporate policy can be managed to dictate what resources users can access, and personal and corporate information is protected throughout its lifetime—wherever it resides. In 2005, Microsoft acquired Alacris, a leading provider of strong authentication solutions for digital certificates and smart card applications. Microsoft also shipped enhanced identity control capabilities in Active Directory, as well as Microsoft Windows Rights Management Services (RMS) Service Pack 1, which offers customers further improvements in how they protect their sensitive information, no matter where it travels to, and even in the face of loss.

Prescriptive Guidance Progress

Another area of activity for Microsoft security is educational outreach and improved security guidance for consumers, IT professionals, software developers and industry partners. For developers, Microsoft provided intensive training...