
[Editor’s Note: Christopher Budd worked previously in Microsoft’s Security Response Center for 10 years.]

With this week’s “Pluton” news, Microsoft reminded the world that the new Microsoft is still Microsoft, and Bill Gates’ nearly 20-year-old Trustworthy Computing (TWC) memo is still providing important direction to the company.

Pluton is the new chip initiative that Microsoft announced with AMD, Intel and Qualcomm. Pluton is meant to improve the security of Windows systems in two key ways: First, by moving the Trusted Platform Module (TPM) from a separate chip into the central processing unit (CPU) itself. Second, by enabling Pluton for Windows computers to integrate with the Windows Update process for security firmware updates.

While these are good improvements, it’s easy to miss the deeper significance of this announcement in the technical minutiae. Pluton represents more than deep technical changes: it shows that Microsoft is still an industry giant that has the power to direct the fundamentals of the technology industry, and it is willing to do so in the interest of a trust-based vision that Gates outlined in 2002.

This mobilization of industry giants is reminiscent of Microsoft at the height of its power. There are many things truly new about today’s Microsoft, but this is a reminder that it is still a powerful force in the industry. Few other companies could point other players in directions like these and make it happen this broadly.

The directions Microsoft is dictating trace directly back to the TWC memo of 2002: specifically, the focus on trusted devices and the use of automatic updates to keep those devices secure.

In terms of trusted devices, Pluton builds on work that was first seen in Windows Vista in 2006 and the Xbox One in 2013. Windows Vista brought support for TPM into Windows for the first time, while the Pluton design itself was part of the Xbox One, itself an outgrowth of earlier work in Windows and TPM.

Pluton weaves these two technology threads together into a fabric that also increases defenses against attacks on both CPUs and current TPM technology. Pluton can provide new defenses against the class of hardware-based speculative execution attacks that we saw emerging in 2018 with Spectre and Meltdown. The movement of the TPM into the CPU can also counter bus-based attacks against the TPM and its communications with the CPU, which we’ve seen since 2019 in particular. Pluton is the latest move in the ongoing chess match between attackers and defenders, a dynamic that is critical in maintaining trusted devices.

Windows Update has been a critical tool for Microsoft’s security since before the TWC memo, when it was first pressed into service during the Code Red attacks of 2001. After it showed its usefulness in helping counter those attacks, it became a central pillar in Microsoft’s security tactics and strategy and made its way into Gates’ memo.

While expanding Windows Update’s scope of protection, as Microsoft is doing with Pluton, is so logical that it seems unremarkable, that masks the significant legal, logistical, and technological difficulties this move entails. Put another way, this is a move that has literally been nearly 20 years in the making. It will happen at great cost, obligation, hassle and expense for Microsoft. And this is a move that has, at best, indirect financial benefit for the company, so it’s driven by trust rather than dollars.

Six years ago, Microsoft split up the Trustworthy Computing group. At the time, I wrote, “this [split up] could be a good thing for security and privacy at Microsoft…the truth of what this means will be shown in actions and not words.” The Pluton announcement shows that while there may not be a TWC group, the ideas and ideals from the TWC memo are still a part of Microsoft. And it shows that we should not mistake the new Microsoft’s gentleness for weakness: it still has the ability to single-handedly move the industry.
