Reports are emerging of Microsoft pausing Windows development for security review, following the Trustworthy Computing memo. The pause is reportedly substantial — multiple weeks of paused feature development across the Windows team — and the substance is becoming clearer.
A short note on what is being reported.
What is reported to be happening
From multiple sources, the broad shape:
- The Windows team has paused new feature development as of early February.
- All Windows engineers are reportedly being put through a structured security training programme.
- Code review is being applied to existing Windows source code, with a focus on the security-sensitive components (network handling, authentication, parsing).
- Threat-modelling exercises are being applied to the architecture.
The duration is reported to be "several weeks" with no firm end date. The implication is that feature development resumes when the security work is judged complete.
This is, by any reasonable measure, a substantial commitment. Microsoft engineering capacity is large; pausing it for weeks represents tens of thousands of engineer-hours.
Why this matters
A few specific reasons.
It signals that security is genuinely strategic. A company that is willing to pause feature development for security review is, by visible action, treating security as a top priority. The economic cost is real; the willingness to bear it is the signal.
The training affects future work. Engineers who go through structured security training will be better at security in their subsequent work. The benefit compounds over years.
The code review may find substantial issues. A focused review of legacy Windows code is likely to find vulnerabilities that have not yet been disclosed. The findings will produce a wave of patches over the next several months.
The threat-modelling discipline becomes embedded. If threat-modelling becomes part of the standard development process, future Windows components will start with security considerations baked in. This is a cultural change with multi-year implications.
What I expect to be visible from outside
Three things over the next 6-12 months.
A wave of Microsoft-disclosed advisories. The internal review will find issues; the issues will produce advisories; the advisories will be disclosed publicly along with patches. The advisory rate may go up in the short term as a result of the review work.
Slower feature shipping in 2002. The pause will produce schedule pressure. Some Windows features that were planned for 2002 release will probably ship later or be cut.
Better defaults in upcoming products. Windows Server 2003 (in development) and IIS 6 should ship with measurably more restrictive defaults than their predecessors. This will be the empirical test of the commitment.
A calibration update
The Windows pause is happening, which resolves prediction 8 from my 2002 list on the affirmative side. The 70% probability was approximately right; the timing is faster than my central estimate (early February rather than later in the year).
My overall probability that Trustworthy Computing produces substantive change has shifted up again — from 80% post-memo to 85% post-pause. The visible commitment is producing evidence beyond rhetoric.
What this means for operators
For anyone running Microsoft infrastructure in 2002:
Expect a heavier patching cadence in coming months. The internal review will produce advisories. Patching discipline matters more than usual.
Plan for slower Microsoft feature shipping. Products that were on the roadmap for 2002 may slip. This is, on balance, good news — the slip is producing better products.
Continue with current defensive disciplines. Defence in depth, structured logging, off-host monitoring. The structural improvement is years away from changing what operators need to do today.
A closing reflection
This is genuinely encouraging. The most-criticised vendor in this notebook's lifetime is doing the most-substantive thing they could do in response to the criticism. The trajectory may not be enough to outpace the threat evolution; it is meaningfully better than continued business-as-usual.
For my own writing: more posts on the structural-improvement track. The next year is going to produce a lot of evidence to write about.
More as the situation develops.