by Brian Livingston

Feel more secure yet?

analysis
Apr 26, 2002

The road to Microsoft's latest security tool was paved with patches -- and a memo from Bill Gates

REDMOND, WASH. — It has now been more than three months since Microsoft chairman Bill Gates sent all employees his “Trustworthy Computing” e-mail, calling for the company’s software to be made secure “right out of the box.” So I’ve traveled to corporate headquarters here to find out on your behalf what progress the software giant has made so far.

I have no doubt that Gates is sincere in wanting to stop the headlines about how wide open his company’s products are to malicious hackers. Persuading people to entrust their data to Passport, .Net, and Microsoft’s many other offerings is hard enough. It’s no help to see front pages reporting, say, that Passport had to be shut down for two days because people’s credit cards could be acquired just by sending the victims a short e-mail message (see “Microsoft times out”).

It isn’t like Microsoft isn’t trying. When security flaws are found, the company does strive to inform Windows users about free, corrective patches.

But this creates its own headaches. Since Windows XP shipped in October 2001, Microsoft has posted at least seven patches for the operating system, three of them rated “critical.” (Some of these patches also apply to earlier versions of Windows.)

According to the company’s security bulletin service (see www.microsoft.com/technet/security/current.asp), 60 patches were released for all Microsoft products in 2001 alone. That’s more than one a week. Merely keeping track of the changes can be a full-time job, and in some cases, applying a patch has caused other problems.

I personally hope Microsoft gets this situation under control, so I can write about more interesting things than the latest threat.

I’m glad to report, therefore, that Gates’ e-mail has so far produced at least one tool to cope with the flood of patches. It’s called MBSA (Microsoft Baseline Security Analyzer), available at www.microsoft.com/technet/security/tools/Tools/mbsahome.asp. This program, released on April 8, runs on Windows XP or 2000 and searches a network of XP, 2000, and NT 4.0 SP4 machines for missing patches, insecure configurations, and weak passwords.

Some glitches, unfortunately, have already arisen. InfoWorld reported last week that MBSA gives erroneous warnings even after some hotfixes have been applied. (See “Microsoft defends Baseline Security Analyzer tool”.)
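A scanner that reports a hotfix as missing can be wrong in either direction, so the check a practitioner wants is an independent reconciliation of the two signals a patch leaves behind: the installed-hotfix record and the version of the file the hotfix replaces. The script below is an added illustration of that cross-check, written for this column; it is not MBSA’s code or Microsoft’s. Every hotfix name (HOTFIX-1 through HOTFIX-4), file path, version number and inventory entry is constructed for the example, and the four outcome labels are the author’s own.

```python
"""Reconcile a scanner's "missing patch" verdicts against two independent
signals on the host: the list of registered hotfixes and the version of the
file each hotfix ships.  All identifiers, paths and versions below are
constructed for illustration and do not refer to real Microsoft hotfixes."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Hotfix:
    name: str                   # hypothetical hotfix identifier
    path: str                   # hypothetical file the hotfix replaces
    min_version: tuple          # lowest file version that contains the fix


# Constructed baseline: what the scanner treats as required on this platform.
BASELINE = [
    Hotfix("HOTFIX-1", r"C:\WINNT\system32\example1.dll", (5, 0, 2195, 4000)),
    Hotfix("HOTFIX-2", r"C:\WINNT\system32\example2.dll", (5, 0, 2195, 5100)),
    Hotfix("HOTFIX-3", r"C:\WINNT\system32\example3.dll", (5, 1, 2600, 100)),
    Hotfix("HOTFIX-4", r"C:\WINNT\system32\example4.dll", (5, 1, 2600, 200)),
]

# Constructed inventory of one host, as an administrator would collect it:
# which hotfixes are registered as installed, and the versions actually on disk.
REGISTERED = {"HOTFIX-1", "HOTFIX-4"}
FILE_VERSIONS = {
    r"C:\WINNT\system32\example1.dll": "5.0.2195.4000",  # registered, file current
    r"C:\WINNT\system32\example2.dll": "5.0.2195.5100",  # file current, not registered
    r"C:\WINNT\system32\example3.dll": "5.1.2600.50",    # genuinely missing
    r"C:\WINNT\system32\example4.dll": "5.1.2600.150",   # registered, but file stale
}


def parse_version(text):
    """Turn a dotted file version such as "5.0.2195.4000" into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def classify(hotfix, registered, file_versions):
    """Combine the registry signal and the file signal into one verdict.

    - installed:                 both signals agree the fix is present
    - file-current-unregistered: the binary is fixed but no record was written;
                                 a scanner that trusts only the record will
                                 report this as missing (a false positive)
    - registered-file-stale:     the record exists but the file never changed;
                                 the patch was applied on paper only
    - missing:                   neither signal is present
    """
    in_registry = hotfix.name in registered
    version = file_versions.get(hotfix.path)
    file_current = version is not None and parse_version(version) >= hotfix.min_version
    if in_registry and file_current:
        return "installed"
    if file_current:
        return "file-current-unregistered"
    if in_registry:
        return "registered-file-stale"
    return "missing"


def reconcile(baseline, registered, file_versions):
    """Classify every baseline hotfix for one host; returns {name: verdict}."""
    return {h.name: classify(h, registered, file_versions) for h in baseline}


def needs_attention(report):
    """Names of hotfixes whose file on disk is still vulnerable, whatever the record says."""
    return sorted(n for n, v in report.items() if v in ("missing", "registered-file-stale"))


if __name__ == "__main__":
    report = reconcile(BASELINE, REGISTERED, FILE_VERSIONS)
    for name, verdict in report.items():
        print(f"{name}: {verdict}")
    print("needs attention:", needs_attention(report))
```

The two disagreeing cases are the ones worth acting on: a file that is current but unregistered explains why a scanner can keep warning after a hotfix has been applied, and a registered hotfix whose file is stale is the more dangerous error, because the record says the machine is protected when it is not.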

Alternatives to MBSA include commercial programs that not only discover missing patches but also apply the fixes remotely to the vulnerable machines.

What has your experience been? I’ll send a gift certificate for a free book, CD, or DVD of your choice to readers whose comments I print. Watch this space in coming weeks for more about your options.