Gates shows off Service Pack 2 security

Microsoft on Tuesday showed off a forthcoming update to Windows designed to make the operating system more secure and proposed a caller ID-like system for email that could help curtail the growing spam problem.

Speaking at the RSA Conference here, Microsoft Chairman Bill Gates previewed several new features that will be added to Windows XP as part of a major midyear update to the OS. Among the enhancements that will be part of Service Pack 2 will be an expanded firewall and a pop-up ad blocker within Internet Explorer.

The company also showed publicly for the first time the Windows Security Center, a dashboard within Windows XP and a part of SP2 that will serve as a centralised place to view security settings and get advice on how to remedy PC vulnerabilities.

"SP2 is a release that is entirely focused on security," Gates said. While Microsoft is working on a more major update to Windows, codenamed Longhorn, the company wanted to issue a release for XP that could improve security in the near term, he said. "We prioritised the resources and activities around an intermediate release that is very security oriented," Gates said.

Gates said Service Pack 2 should be available in the first half of the year. The company has been beta testing the software since late last year.

The added security features will arrive more than two years after Gates launched the company's Trustworthy Computing Initiative. While the initiative has garnered a varied response from security experts, Gates said that the company is making progress. Microsoft is spending more than $6bn on research and development this year, with the largest portion going to security, he said.

"Microsoft is putting forward some ideas and they seem willing to put them into production," said Michael Cherry, an analyst with Directions on Microsoft, who recently authored a report on the Trustworthy Computing Initiative. However, "it is critical that they deliver on these [plans]," he said.

While Cherry gave Microsoft high marks for Tuesday's announcement, he said the company has yet to make good on a plan, discussed last year, to commercially release several code-checking tools used by Microsoft's in-house programmers. The tools could help developers catch errors in code that could lead to security breaches.

"One of the things that Gates promised is that those tools will be in Whidbey [code-name for the next version of the Visual Studio.Net development tool bundle]. Those have been promised for a long time. I'm not sure why they're not available," he said.

Moreover, Gates argued that the company has reduced the vulnerability of Windows computers. In the first 300 days, Microsoft Windows Server 2003 had only eight vulnerabilities ranked critical or important, while Windows 2000 had 38.

"Everything we are doing has been impacted" by security concerns, Gates said. "It's not a case of simply fixing a few vulnerabilities and moving on."

The features in SP2 largely continue Microsoft down the path it has been heading. For example, the inclusion of a firewall is not new to Windows, though Microsoft is trying to make the software more usable. The company expanded the capabilities of its basic Internet Connection Firewall and renamed the integrated software Windows Firewall. Where the original security application just closed possible points of entry, the new firewall will also prevent applications from contacting the internet unless given express permission to do so by the user.

Other fundamental changes in Windows will be the addition of an integrated pop-up ad blocker for Internet Explorer, a feature included in many alternative browsers, such as Mozilla. The feature will allow users to block all pop-up ads, none or to ask permission each time an ad tries to appear.

On the spam front, Gates outlined a caller ID-like system designed to root out unwanted email by verifying the address of the sender. Microsoft said it would include the technology as part of Exchange Edge Services, an update to its Exchange Server 2003 email software.

Calling spam the leading problem with email, Microsoft said it was launching a long-term effort designed to help the industry fight back. The program, dubbed the Coordinated Spam Reduction Initiative, includes the caller ID plan as well as other methods to create policies for legitimate bulk email.

Microsoft also previewed technology to detect software that appears to be exhibiting malicious behaviour. The company showed off a feature that will control the downloading of ActiveX components, an interactive feature of Internet Explorer that security experts have long criticised as being insecure. Like the pop-up blocker, the feature will allow the user to control whether the components are downloaded and displayed, blocked or require permission for each instance.

Other software makers weren't so impressed with Microsoft's efforts.

Fred Felman, vice president of marketing for Zone Labs, one of the leading makers of firewall software, said the firewall components added to Windows XP are broad tools that don't distinguish between different types of internet activities or network privileges.

"Microsoft would be doing them a vast disservice in representing this [to be] enough protection for their users, but they seem to be willing to take that risk," he said. "I think it's going to take Microsoft a good three or four years to provide the level of security their users will demand."

Microsoft seems to be taking on Zone Labs and other firewall makers in the home and business market. Gates said Windows Firewall and other security features also have the ability to be managed using policy settings in Microsoft's ActiveDirectory server. That sort of central management has previously given the edge to Zone Labs, Symantec and other companies.

Ryan McGee, director of product marketing for security company Network Associates' McAfee division, said the Windows XP enhancements won't replace third-party firewalls such as McAfee's but will instead add an extra level of protection.

"The additional help of a protective technology built into Windows gives a very good base for us to build on," he said. "But there are so many pieces required to get good security in place that the one piece that gets added into XP won't be the whole pie."

Another feature that can be remotely managed is Microsoft's "active protection technology" that the company says will block software from performing certain activities that could be considered malicious. Such technology attempts to screen out hostile behaviour by an application and can also limit the amount of access a computer has on a network if it has not been updated with the latest patch.

"We want to make computers resilient to viruses and attacks," Gates said.

Gates also reiterated Microsoft's assertions that the recent leak of Windows source code didn't come from a breach of the company's network or from a participant of the shared-source initiative. Microsoft has given source code to the governments of more than 30 countries, including China, Russia and Japan, as part of its shared source program.

"We are very committed to the shared-source initiative," he said.

CNET News.com's David Becker and Mike Ricciuti contributed to this report.

Robert Lemos and Ina Fried write for CNET News.com