It was the worm that turned Microsoft. In early July 2001, a malicious piece of computer code squirmed into a Web server running on Microsoft's Internet Information Server software. It quickly propagated across the Internet and into at least a quarter million other servers, knocking an untold number of Web sites offline. The computer worm, dubbed Code Red, slowed Internet traffic to a crawl and cost companies billions in fixes and lost productivity. Some computer-security analysts called it the most damaging Web-server virus ever. As it turned out, its symptoms were fleeting; within a month, the fever had broken. But because it had exploited a known flaw in Microsoft's Internet server program, Code Red caused the Redmond, Washington, giant to turn red with embarrassment, especially when it was revealed that Microsoft's own MSN Hotmail servers were also infected.
Code Red proved to be a defining moment for Microsoft. Coupled with other quality concerns and computer viruses, it prompted some industry analysts to renew their periodic warnings against using newly released (and therefore risky) Microsoft products. Those warnings came at a time when Microsoft was going head to head with IBM and Oracle in the rich server-software market for large corporations, where security and reliability are deal-breaking priorities. "Customers were concerned whether Microsoft products could be trusted to be available whenever they needed them," says Michael Cherry of Directions on Microsoft, a firm that analyzes the company's products and strategies. "These trust-related issues threatened to damage Microsoft's OS and Office business, hamper the company's drive to increase server-product sales, and impede its expansion into consumer services."
The worries were crystallized in a January 2002 memo that chairman and chief software architect Bill Gates emailed to Microsoft's 50,000 employees. Gates declared that a companywide initiative, Trustworthy Computing, would unfold over the next 10 years. The goal: to make computing as reliable, dependable, and secure as a phone's dial tone. The days of rushing out imperfect software were over. Cool features and tight deadlines would no longer drive product rollouts; quality and security were now the top priorities. "Flaws in a single Microsoft product . . . not only affect the quality of our platform and services overall, but also our customers' view of us as a company," Gates wrote. "We can and must do better."
Better late than never, Microsoft is discovering that we are living in a quality economy, where companies are pouring vast amounts of craftsmanship into their wares. As it seeks to sign up large corporations for its server software and shake the bad publicity that comes with chronic attacks from computer viruses, Microsoft has concluded that its decades-long practice of putting out "good enough" software is no longer good enough.
This fall, Microsoft is rolling out Exchange Server 2003 and Office 2003. The new and supposedly improved versions of two of its biggest workhorse products will be an acid test of whether Gates can make good on his vow to develop dependable code -- and of whether his quest for quality is for real. "The joke inside Microsoft has been that quality is job 1.1 -- the real bugs don't get fixed until after the release, when the service patches come out," says Greg DeMichillie, a Directions on Microsoft analyst who spent nine years at the software maker. "It's not yet clear that quality really is a top priority across all of Microsoft's lines of business."
The results so far are indeed mixed. This past January, Microsoft suffered a major setback in its quality effort when Slammer, another pernicious computer worm, attacked a vulnerability in Microsoft's SQL Server database software and spread through network connections, crashing more than 100,000 databases around the world and shutting down at least 15,000 ATMs in the United States. And in mid-August, thousands of computers were infected by the Blaster worm, which exploited a hole in Windows operating systems. To skeptics, Slammer and Blaster prove that Gates's talk of improving the security and stability of Microsoft's products amounts to little more than a sales pitch.
Not long ago, I traveled to Redmond to see for myself. I met with CIO Rick Devenuti and key leaders on the Exchange and Office teams to get a closeup view of how they're grappling with Gates's new mandate. I found that Microsoft's quality effort is for real, and that it rests on four simple propositions. But be forewarned: This initiative is still very much in development. Call it quality, first release. Patches will arrive over the next decade.