It must be tough to be the largest software company in the world. Everyone is always trying to exploit every little hole in your applications. And every little mistake you make gets played up in the media.
On the other hand, your software is in so many homes and offices across the world that you directly or indirectly touch the lives of millions, if not billions, of people.
Microsoft's responsibility
With that popularity, though, comes a responsibility not only to call attention to any flaws in your products that might adversely affect your customers, but also to build products from the ground up that are as secure as they can be. Microsoft is improving its track record on the former, but after almost two years of Trustworthy Computing, I've yet to see much progress on the latter.
Let's start with the positives. Since the MSBlast worm appeared last month, the software giant has been on the media offensive, doing its best to make sure everyone knows about a new patch that fixes a newly discovered flaw in Windows. The company even set up a dedicated Web site to help people protect their PCs against worms and other attacks.
The site is hardly perfect. It basically tells you how to turn on the Windows XP firewall that's left off by default. If Microsoft really cared about securing the millions of Windows computers in the world, it would have enabled the firewall component in XP by default. It also would have disabled a long list of services and protocols that do little for us, yet make us bait for any hacker smart enough to exploit them.
Still, it's great that Microsoft is being proactive, right? Well, sort of. It's great if the folks in Redmond really mean it. Trouble is, Microsoft hasn't been aggressive in locating its own software flaws--it still leaves that job to third-party security experts. And even when it finds out about problems from others, it doesn't always fix them in a timely manner. Internet Explorer, for example, contains 31 flaws that are known and still unpatched. Moreover, I've yet to see new software from Microsoft that is actually more secure than previous versions.
New Microsoft Office: secure?
I'm thinking about this last issue right now because the final shipping code for the next version of the Microsoft Office suite just arrived on my desk. This is the version that will run on new computers sold this holiday season. It won't be in stores until October 21, but I have an advance copy so that my colleagues and I can evaluate it before it ships.
Though Microsoft's PR folks are touting the new Office as the latest and greatest, I have reservations about the application suite from a security standpoint. More to the point, I wonder, will it be any more secure than earlier versions of Office?
Am I to believe, as the Trustworthy Computing initiative promised, that Microsoft developers have reviewed every line of code to make sure Office 2003 is free of security vulnerabilities? Or that Microsoft has redesigned Word, Outlook, and Excel, employing the latest security techniques? When I expressed these concerns to Microsoft's PR reps, they simply answered, "We'll get back to you."
Poor track record
Unfortunately, history is not on Microsoft's side. Office 97 required so many service patches (many of which dealt with security issues) that the software giant rushed out a new version of Office several months ahead of schedule. I know from my briefings with Microsoft that Office 2003 will contain many new ways for computers to communicate with the Internet, including several ways to authenticate documents and e-mail. That means more of your PC's ports will be open to the Internet, providing more opportunities for hackers to find new flaws to exploit.
I believe it's reasonable to expect Microsoft to secure the new version of Office. After all, it was Bill Gates himself who threw down the gauntlet almost two years ago and asked his employees to ensure the security of all Windows products. I'm just asking the company to follow up on the promise. So far, it's not looking good.
Do you think Microsoft takes security seriously? Do you think it will ever fulfill the promise of its Trustworthy Computing initiative? TalkBack to me!