Today, Microsoft Chairman Bill Gates sent out an e-mail (here) about the company's progress improving security. At first I did a double-take and checked to make sure it wasn't April Fools' Day, as opposed to March 31. That's because Mr. Gates and I must have different ways of counting.
He said that Microsoft issued nine "critical" or "important" security alerts for Windows Server 2003 compared to 40 for Windows 2000 Server, during both products' first 320 days of release. For starters, I'd like to know if Mr. Gates counted "Moderate" or "Low" alerts, seeing as how Microsoft changed how it rates security problems between product releases.
How funny: Last month, I went out and counted the number of Windows Server 2003 security alerts issued since the product shipped in April 2003 (see blog here). I found 15--more than 20 when figuring in products like Internet Explorer that are integrated into Windows Server 2003.
I figure where there is one counting disagreement, there might be another. So, this evening, I went back and counted up those Windows 2000 Server security alerts. I came up with 28 during the same span of time I got 15 for Windows Server 2003. Windows 2000 Server reached 15 alerts seven months after launch. The list of alerts is available here.
Certainly, my count, though different from Mr. Gates's, still shows fewer alerts for Windows Server 2003 than for Windows 2000 Server during the first 11 months following release. My point is one of credibility--and that's something Microsoft could use a little more of right now. In a Jupiter Research report on Microsoft security that is soon to be published, a mere 36 percent of IT managers from businesses with revenue of $50 million or more acknowledged that Microsoft product security had improved.
[via Microsoft Monitor]