The last 12 months have been a particularly busy time for the MSRC, and, upon reflection, there are two activities that stand out to me. These were the releases of two major operating system service packs: Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.
Windows XP SP2 was released in August 2004, and we are very pleased with the results so far. One of the key goals around this release was to get enhanced security features for Windows XP into the hands of consumers and enterprises, and so far more than 218 million copies have been distributed worldwide. This was an important security milestone for us. Many people put a lot of effort into this service pack and features like the firewall being on by default and the hardening changes made to Internet Explorer are already paying off and helping customers become more secure.
In Service Pack 1 for Windows Server 2003, the great features and security enhancements I mention above for Windows XP SP2 were also incorporated into this product, along with many other changes. We're particularly excited about the Security Configuration Wizard feature, which reduces the attack surface by querying users about the role their servers fill and then stopping all services and blocking ports that are not needed.
There is very significant work going on behind the scenes in the development cycle of current and all future software releases coming from Microsoft. Now, certain categories of software released from Microsoft now must go through the Security Development Lifecycle process which aims to provide customers with high quality software that is meticulously engineered and rigorously tested to help withstand malicious attack. We've published a lengthy whitepaper about this which is available here. Essentially the SDL is a mandatory process that certain categories of Microsoft software must go through before it is released publicly. It helps us make sure that the software coming from Microsoft today has the latest security engineering advancements included in the code for the benefit of customers. It's a huge step forward for us to have this now as a formal process for our software. So far, we have used the SDL on Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. Windows Server 2003 was the first operating released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year.
While these developments cover significant activity on the product development side at Microsoft as a whole, the Microsoft Security Response Center has also made available a number of free tools and special guidance that can help customers become more secure.