Microsoft has been ballyhooing Windows Vista’s security for years, saying that it will prove to be its strongest, toughest operating system ever.
Now that the long-awaited operating system is out, how will Vista really stack up? Ben Fathi, the former head of Microsoft’s security group and now chief of development in the Windows core operating system group, recently set the security bar.
“I made a statement six or nine months ago that I would like to see half as many vulnerabilities as XP in the first year,” Fathi said last month at the RSA Conference 2007 in San Francisco. “Obviously, I’d like less than that; I’d be happy with zero. But I think it’s reasonable to say, given the additional complexity and the additional size of Vista, that half as many would be a great goal.”
In the first year after Windows XP debuted in October 2001, Microsoft posted 30 security bulletins pegged to the Home version of the then-new operating system. (Unlike today, Microsoft didn’t spell out the number of vulnerabilities in each bulletin.)
For Microsoft to meet Fathi’s goal, that means 15 or fewer security updates will tag Vista before the end of January 2008 — a year after the retail/consumer release. Is Fathi being overly optimistic, or is he being conservative in the hope that the first 12 months look even better than predicted?
Computerworld US asked six security researchers and analysts for their take on Fathi’s target. Not surprisingly, they don’t all agree on whether the security objective is obtainable — or out of the question.
Minoo Hamilton, senior security researcher, nCircle Network Security
“I agree when he says that it’s a ‘great goal’, where ‘great’ implies tremendous luck and fortune. Whether it’s a reasonable goal remains to be seen, but I don’t think so. I think that would be quite spectacular, if it came to pass.
“I think he’s overconfident, but also speaking hopefully. They’ve put a tremendous amount of effort into improving things in Vista. I just think a few factors make that harder to come to pass. First, there is so much new code and new opportunity for vulnerabilities. Second, the ease, speed and ability of people to find flaws have really improved.
“I think the age of mass-proliferating internet worms is waning, because the remote surface space is finally starting to diminish. This may partly be due to host-based firewalls and better enforcement of IT policy, but also — in the case of Vista — more standard OSs are starting with a more conservative approach to exposure. How this shifts the offensive tactics of malware and virus writers I can’t be completely sure, since it’s incredibly hard to predict. But I think this will force them into continuing the trend toward browser, email and parsing exploits.
“In the case of Vista, owning a box will now require multiple hoops or combining exploits, like a browser vulnerability and a local vulnerability that gives privilege escalation, for example. In any case, I believe this raising the bar will coincide with the trend of increased sophistication of attackers and balance out.
“I am not expecting a huge decrease in Microsoft vulnerabilities. My best guess is more likely a 20% decrease, if that.”
Michael Cherry, analyst, Directions on Microsoft
“Making these kinds of predictions is like saying when you’re going to ship. If you’re right, no one pays attention. But if you’re wrong, they’ll rub your nose in it.
“Actually, I don’t want to set my mindset to a certain number of vulnerabilities, or say a certain number is acceptable. I don’t care if it’s only one vulnerability, because if it’s really, really bad that’s worse than 20 cosmetic bugs. Better, I think, would be to set a goal that says 80% of the vulnerabilities in the first year will be [rated] important or less.
“Fathi should have said, ‘We are just not going to discuss counting’ and leave it at that.”
Graham Cluley, senior technology consultant, Sophos
“I have to say that I admire Microsoft’s optimism.
“I would perhaps be more cautious than Fathi because in the last five years, the number of hackers and researchers who are examining Microsoft’s code for vulnerabilities with ever greater intensity has increased. Furthermore, we have seen a number of legitimate security companies (including some who may have a vested interest in debunking Microsoft’s status as a security player) put efforts into finding flaws in Microsoft’s code.
“What isn’t in doubt is that there will continue to be flaws found in Microsoft Vista.”
Michael Silver, analyst, Gartner
“While the number of critical holes is important, for enterprises it would be nice if they had one or more months with no critical issues on Vista. That could actually have more of an impact in reducing the cost of testing and deploying fixes than reducing the overall number, because it would mean fewer test and deployment cycles.
“I think XP even had one or two months with fixes dropped [there were no XP bulletins released in January 2002], so reducing the number of months with fixes from like 13 to 10 would be great for organisations.”
Oliver Friedrichs, director of security response, Symantec
“It’s just too early to tell. Certainly, just as with XP SP2, some of the improvements in Vista will make an improvement in the number of security vulnerabilities and the [in]ability of attackers to exploit them. But the volume of new code in Vista makes it hard to predict what we’ll see.
“I am sure, though, that hackers are already hammering away at the OS. I don’t expect it to be bug-free.
“What we need to remember, however, is that over the last decade, relatively few of the vulnerabilities released had been leveraged by attackers. The rest are largely irrelevant. So if those 15 are critical vulnerabilities, things may not be any different than with XP.
“But 15 doesn’t sound unreasonable to me, given the amount of new code.”
John Pescatore, analyst, Gartner
“We saw definite improvements [in security] from Windows Server 2000 to Windows 2003 Server, not only many fewer vulnerabilities, but many fewer critical ones. Gartner believes we will see a similar improvement from Windows XP to Vista.
“Half as many critical vulnerabilities would be a conservative goal, [though] I would hope for much fewer than those, given all of Microsoft’s investment in, and marketing of, its Security Development Life Cycle. I’d say a better success measure would be more like [a] 25% [reduction], not 50%.
“Vista does have more ‘stuff’ jammed in. Microsoft just had to announce a critical vulnerability in the malicious software detection engine, which is now built into Windows because of the [integrated] Defender antispyware. That works against security. Late in Vista’s development, Microsoft ripped out a lot of other stuff (like new file systems and virtualisation and the like), which reduced the complexity a good deal (a good thing) but always raises the worry that the late modifications may have opened up security holes. Also, many of those functions will come back to Vista later on ... Vista will change much more continuously than any previous Windows OS, and that will have to be done very, very rigorously or there will be more security worries.
“We have to look at Office as well. If you notice, many of the vulnerabilities being found are in how Word and Excel documents are handled. Also, [regarding] Office Live, the Web 2.0 version of Office, how is [Microsoft] applying security to that rapidly changing capability?
“Fathi has a lot to worry about, not just Vista security.”