
Three Minutes With Vista Security Analysts

More Opinions

Michael Silver, analyst, Gartner

"While the number of critical holes is important, for enterprises it would be nice if they had one or more months with no critical issues on Vista. That could actually have more of an impact in reducing the cost of testing and deploying fixes than reducing the overall number, because it would mean fewer test and deployment cycles.

"I think XP even had one or two months with fixes dropped [there were no XP bulletins released in January 2002], so reducing the number of months with fixes from like 13 to 10 would be great for organizations."

Oliver Friedrichs, director of security response, Symantec

"It's just too early to tell. Certainly, just as with XP SP2, some of the improvements in Vista will make an improvement in the number of security vulnerabilities and the [in]ability of attackers to exploit them. But the volume of new code in Vista makes it hard to predict what we'll see.

"I am sure, though, that hackers are already hammering away at the OS. I don't expect it to be bug free.

"What we need to remember, however, is that over the last decade, relatively few of the vulnerabilities released had been leveraged by attackers. The rest are largely irrelevant. So if those 15 are critical vulnerabilities, things may not be any different than with XP.

"But 15 doesn't sound unreasonable to me, given the amount of new code."

John Pescatore, analyst, Gartner

"We saw definite improvement [in security] from Windows Server 2000 to Windows 2003 Server, not only many fewer vulnerabilities, but many fewer critical ones. Gartner believes we will see a similar improvement from Windows XP to Vista.

"Half as many critical vulnerabilities would be a conservative goal, [though] I would hope for much fewer than those, given all of Microsoft's investment in, and marketing of, its Security Development Life Cycle. I'd say a better success measure would be more like [a] 25% [reduction], not 50%.

"Vista does have more 'stuff' jammed in. Microsoft just had to announce a critical vulnerability in the malicious software detection engine, which is now built into Windows because of the [integrated] Defender antispyware. That works against security. Late in Vista's development, Microsoft ripped out a lot of other stuff (like new file systems and virtualization and the like), which reduced the complexity a good deal (a good thing) but always raises the worry that the late modifications may have opened up security holes. Also, many of those functions will come back to Vista later on. ... Vista will change much more continuously than any previous Windows OS, and that has to be done very, very rigorously or there are more security worries.

"We have to look at Office as well. If you notice, many of the vulnerabilities being found are in how Word and Excel documents are handled. Also, Office Live, the Web 2.0 version of Office, how is [Microsoft] applying security to that rapidly changing capability?

"Fathi has a lot to worry about, not just Vista security."
