IDG News Service
Microsoft's Vista developers can't catch a break these days. After years
of warnings from security researchers that old code in Windows was
creating security risks, the software giant decided to rewrite key parts
of the operating system.
The result? Last month, Symantec published a report suggesting all of
this new code will introduce new security problems.
"The network stack in Windows Vista was rewritten from the ground up. In
deciding to rewrite the stack, Microsoft has removed a large body of
tried and tested code and replaced it," Symantec wrote, noting that it
found vulnerabilities in the Windows Vista networking software.
"Despite the claims of Microsoft developers, the Windows Vista network
stack as it exists today is less stable than the earlier Windows XP
stack," it said after examining a beta release of the software.
After years of being blamed for countless security problems, Microsoft
may be in a no-win situation.
"You get beaten up if you modify the old code; you get beaten up if you
write new code," Cybertrust senior information security analyst, Russ
Cooper, said. "The historic complaint against Microsoft has been that
its code is bloated with all this legacy stuff. Rewrite it and now,
'this is too new; this is untested'."
The fact that Symantec was able to discover flaws in a beta release
should not raise eyebrows, Cooper said.
"There's a reason products are put into beta, and it isn't because
people just want to see the default colours change," he said.
If customers do not ultimately see Vista as a more secure product than
its predecessor, however, it will be a disaster for Microsoft - on an
epic scale. Over the past few years, the company has literally
reinvented the way it produces software, instituting a new set of
software development practices known as the Security Development
It has retrained developers, built a suite of automated security testing
tools, and, most remarkably, invited scores of independent researchers
to have unprecedented access to early versions of Vista.
"Vista is really the first release of the operating system to go through
our Security Development Lifecycle from beginning to end," corporate
vice-president of Microsoft's security technology unit, Ben Fathi, said.
"That's fundamentally a different way of looking at building security
into the platform."
Microsoft has gone to great lengths to publicise its Security
Development Lifecycle, which was used in the development of Windows XP
Service Pack 2 and SQL Server 2005.
Company executives claim the strict development guidelines used for XP
Service Pack 2 played a big role in eliminating the widespread worm
virus outbreaks that seemed so common just three years ago.
The emphasis on security is perhaps best illustrated by an event that
Microsoft executives have declined to discuss in detail: the recent slip
in Vista's ship date.
Last March, Microsoft grabbed headlines by announcing Vista would not be
available in time for the 2006 holiday shopping season, as expected. It
never gave specific reasons for the miss, but it was a major setback for
a product already five years in the works. Microsoft immediately
reorganised the Platforms and Services Division responsible for the
delay, putting a new executive, Steve Sinofsky, in charge of Windows
development. Privately, several sources familiar with Vista's development
say security concerns caused the widely publicised slip in the product's
In fact, t-shirts reading "I caused Vista to slip" soon became common at
Microsoft's Building 27, home to the Secure Windows Initiative group.
The group is responsible for securing Microsoft's software.
Fathi isn't saying how much money Microsoft has spent on making Vista
secure, but judging by the contract work available for penetration
testers - hacking professionals who specialise in poking and prodding
systems to unearth vulnerabilities - it hasn't come cheap.
Although Microsoft will be sponsoring a Vista track at this year's Black
Hat hacker conference, many of the most prominent Windows security
experts are now under nondisclosure agreements, according to show
director, Jeff Moss.
"They've hired pretty much all of the bright people," he said. "So the
number of speakers who can actually go out and publicly talk about
Windows Vista security has rapidly dwindled."
Brave new world
Microsoft's design choices will have a big effect on Vista's security as
Developers have changed the way Vista runs applications, scaling back
default operations in order to limit the damage malware can wreak. And
they have also changed the way Vista works with computer memory - by
fencing off parts of memory and shuffling around the location of Windows
functions - in order to make it harder for hackers to trick the PC into
running malicious software.
This will make life harder for hackers, but it will also present
challenges to users and legitimate software developers, who may
suddenly have problems running Windows XP code on Vista.
Microsoft downplayed the importance of Symantec's paper. "The issues it
discovered were all addressed in Beta 2," a security program manager
with Microsoft's security response centre, Stephen Toulouse, said.