AOH :: ISN-2929.HTM

Microsoft bets big on Vista security

Microsoft bets big on Vista security
Microsoft bets big on Vista security;15277042 

Robert McMillan
IDG News Service

Microsoft's Vista developers can't catch a break these days. After years 
of warnings from security researchers that old code in Windows was 
creating security risks, the software giant decided to rewrite key parts 
of the operating system.

The result? Last month, Symantec published a report suggesting all of 
this new code will introduce new security problems.

"The network stack in Windows Vista was rewritten from the ground up. In 
deciding to rewrite the stack, Microsoft has removed a large body of 
tried and tested code and replaced it," Symantec wrote, noting that it 
found vulnerabilities in the Windows Vista networking software.

"Despite the claims of Microsoft developers, the Windows Vista network 
stack as it exist today is less stable than the earlier Windows XP 
stack," it said after examining a beta release of the software.

After years of being blamed for countless security problems, Microsoft 
may be in a no-win situation.

"You get beaten up if you modify the old code; you get beaten up if you 
write new code," Cybertrust senior information security analyst, Russ 
Cooper, said. "The historic complaint against Microsoft has been that 
its code is bloated with all this legacy stuff. Rewrite it and now, 
'this is too new; this is untested'."

The fact that Symantec was able to discover flaws in a beta release 
should not raise eyebrows, Cooper said.

"There's a reason products are put in to beta, and it isn't because 
people just want to see the default colours change," he said.

More secure

If customers do not ultimately see Vista as a more secure product than 
its predecessor, however, it will be a disaster for Microsoft - on an 
epic scale. Over the past few years, the company has literally 
reinvented the way it produces software, instituting a new set of 
software development practices known as the Security Development 

It has retrained developers, built a suite of automated security testing 
tools, and, most remarkably, invited scores of independent researchers 
to have unprecedented access to early versions of Vista.

"Vista is really the first release of the operating system to go through 
our Security Development Lifecycle from beginning to end," corporate 
vice-president of Microsoft's security technology unit, Ben Fathi, said. 
"That's fundamentally a different way of looking at building security 
into the platform."

Microsoft has gone to great lengths to publicise its Security 
Development Lifecycle, which was used in the development of Windows XP 
Service Pack 2 and SQL Server 2005.

Company executives claim the strict development guidelines used for XP 
Service Pack 2 played a big role in eliminating the widespread worm 
virus outbreaks that seemed so common just three years ago.

The emphasis on security is perhaps best illustrated by an event that 
Microsoft executives have declined to discuss in detail: the recent slip 
in Vista's ship date.

Last March, Microsoft grabbed headlines by announcing Vista would not be 
available in time for the 2006 holiday shopping season, as expected. It 
never gave specific reasons for the miss, but it was a major setback for 
a product already five years in the works. Microsoft immediately 
reorganised the Platforms and Services Division responsible for the 
delay, putting a new executive, Steve Sinofsky, in charge of Windows 
development Privately, several sources familiar with Vista's development 
say security concerns caused the widely publicised slip in the product's 
ship date.

Contract work

In fact, t-shirts reading "I caused Vista to slip" soon became common at 
Microsoft's Building 27, home to the Secure Windows Initiative group. 
The group is responsible for securing Microsoft's software.

Fathi isn't saying how much money it has spent on making Vista secure, 
but judging by the contract work available for penetration testers - 
hacking professionals that specialise in poking and prodding systems to 
unearth vulnerabilities - it hasn't come cheap.

Although Microsoft will be sponsoring a Vista track at this year's Black 
Hat hacker conference, many of the most prominent Windows security 
experts are now under nondisclosure agreements, according to show 
director, Jeff Moss.

"They've hired pretty much all of the bright people," he said. "So the 
number of speakers who can actually go out and publicly talk about 
Windows Vista security has rapidly dwindled."

Brave new world

Microsoft's design choices will have a big effect on Vista's security as 

Developers have changed the way Vista runs applications, scaling back 
default operations in order to limit the damage malware can wreak. And 
they have also changed the way Vista works with computer memory - by 
fencing off parts of memory and shuffling around the location of Windows 
functions - in order to make it harder for hackers to trick the PC into 
running malicious software.

This will make life harder for hackers, but it will also present 
challenges to users and legitimate software developers as well, who may 
suddenly have problems running Windows XP code on Vista.

Microsoft downplayed the importance of Symantec's paper. "The issues it 
discovered were all addressed in Beta 2," a security program manager 
with Microsoft's security response centre, Stephen Toulouse, said.

HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: 

Site design & layout copyright © 1986-2015 CodeGods