Microsoft has reportedly resumed Windows development after the security pause that began in February. Time for an interim assessment.
What is reported
The pause lasted about 10 weeks. Reports describe:
- All Windows engineers completed the structured security training.
- Code review of substantial portions of the Windows codebase has been done.
- Threat-modelling exercises have produced documented threat models for major components.
- A wave of internally discovered vulnerabilities has been queued for patching.
The reported scope is substantial. Translating reports into measurable claims is harder, but the visible commitment is consistent with the Trustworthy Computing memo.
What is starting to be visible
Three things.
The patch cadence has tightened. Microsoft's Patch Tuesday model — monthly bundled patches — is being formalised. The cadence is more predictable for operators.
Specific advisories have been more thorough. Recent Microsoft advisories include more detailed root-cause analysis, more specific mitigation guidance, and clearer affected-version lists than was typical pre-pause.
Customer communication has improved. Microsoft is publishing more security-related material — best-practice guides, hardening checklists, configuration tools. The information density is higher than a year ago.
None of these is dramatic. All of them are consistent with a measurable internal shift.
What is not yet visible
The big test — a substantially improved next-generation product — is still pending. Windows Server 2003 is in development; the public release is expected in 2003. Until it ships, the trust-but-verify question remains open.
My probability estimate is broadly unchanged: 80-85% that Trustworthy Computing produces real, visible improvement. The pace is consistent with what was promised; the proof is still ahead.
More as the year develops.