Microsoft has been ballyhooing Windows Vista's security for years, saying that it will prove to be its strongest, toughest operating system ever.
But now that the long-awaited operating system is out, how will Vista really stack up? Ben Fathi, the former head of Microsoft's security group and now the chief of development in the Windows core operating system group, recently set the security bar.
"I made a statement six or nine months ago that I would like to see half as many vulnerabilities as XP [had] in the first year," Fathi said earlier this month at the RSA Conference 2007 in San Francisco. "Obviously, I'd like less than that; I'd be happy with zero. But I think it's reasonable to say, given the additional complexity and the additional size of Vista, that half as many would be a great goal."
In the first year after Windows XP debuted in October 2001, Microsoft posted 30 security bulletins pegged to the Home version of the then-new operating system. (Unlike today, Microsoft didn't spell out the number of vulnerabilities in each bulletin.)
For Microsoft to meet Fathi's goal, that means 15 or fewer security updates will tag Vista before the end of January 2008--a year after the retail/consumer release. Is Fathi being overly optimistic, or is he being conservative in the hope that the first 12 months look even better than predicted? Computerworld asked a half-dozen security researchers and analysts for their take on Fathi's target. Not surprisingly, they don't all agree on whether the security objective is obtainable--or out of the question.
Minoo Hamilton, senior security researcher, nCircle Network Security
"I agree when he says that it's a 'great goal,' where 'great' implies tremendous luck and fortune. Whether it's a reasonable goal, it will remain to be seen, but I don't think so. I think that would be quite spectacular, if it came to pass.
"I think he's overconfident, but also speaking hopefully. They've put a tremendous amount of effort into improving things in Vista. I just think a few factors make that harder to come to pass. First, there is so much new code and new opportunity for vulnerabilities. Secondly, the ease, speed and ability of people to find flaws have really improved.
"I think the age of mass-proliferating Internet worms is waning, because the remote surface space is finally starting to diminish. This may partly be due to host-based firewalls and better enforcement of IT policy, but also--in the case of Vista--more standard OSs are starting with a more conservative approach to exposure. How this shifts the offensive tactics of malware and virus writers, I can't be completely sure, since it's incredibly hard to predict. But I think this will force them into continuing the trend toward browser, e-mail and parsing exploits.
"In the case of Vista, owning a box will now require multiple hoops or combining exploits, like a browser vulnerability and a local vulnerability that gives privilege escalation, for example. In any case, I believe this raising the bar will coincide with the trend of increased sophistication of attackers and balance out.
"I am not expecting a huge decrease in Microsoft vulnerabilities. My best guess is more likely a 20% decrease, if that."
Michael Cherry, analyst, Directions on Microsoft
"Making these kinds of predictions is like saying when you're going to ship. If you're right, no one pays attention. But if you're wrong, they'll rub your nose in it.
"Actually, I don't want to set my mindset to a certain number of vulnerabilities, or say a certain number is acceptable. I don't care if it's only one vulnerability, because if it's really, really bad, that's worse than 20 cosmetic bugs. Better, I think, would be to set a goal that says 80% of the vulnerabilities in the first year will be [rated] important or less.
"Fathi should have said, 'We are just not going to discuss counting' and leave it at that."
Graham Cluley, senior technology consultant, Sophos PLC.
"I have to say that I admire Microsoft's optimism.
"I would perhaps be more cautious than Fathi because in the last five years, the number of hackers and researchers who are examining Microsoft's code for vulnerabilities with ever greater intensity has increased. Furthermore, we have seen a number of legitimate security companies (including some who may have a vested interest in debunking Microsoft's status as a security player) put efforts into finding flaws in Microsoft's code.
"What isn't in doubt is that there will continue to be flaws found in Microsoft Vista."