Few topics have been at the centre of more discussions in the
security industry of late than the security of Windows Vista.
Security experts, analysts, CSOs and Microsoft executives
themselves have spent months, or years in some cases, dissecting
and analysing every little change in the operating system and how
each of them would affect security. And that was all before Vista
even hit the shelves.
Of course, now that it is on the streets, the race is on among
researchers and hackers to find the first Vista zero-day and bask
in all of the attendant glory. But what's missing from all of these
discussions and analyses is the question of how exactly we should
be measuring the security of Vista. The simplest and most common
way of doing this would be a straight quantitative comparison of
the number of vulnerabilities found in Vista in the first six
months or 12 months after its release to the number found in
Windows XP during the same time period after its release.
This is a quick way to take the pulse of the OS and see how it
stacks up against its youngest sibling. In fact, Microsoft security
officials have been using this statistic for years in measuring the
security of XP SP2 against Windows 2000 and NT. And Ben Fathi,
corporate vice president of development in the Windows Core
Operating System Division, who oversaw the Microsoft Security
Business Unit until recently, told me last fall that's exactly how
he planned to measure Vista's security.
Microsoft's software security guru and the man who oversees the
Security Development Lifecycle, Michael Howard, said on his blog
recently that counting the number
of flaws in Vista is an important way of measuring its
security. But, he added, that measurement won't mean much for
at least a couple of years.
"There will probably be a number of security bugs in the
following months, I have no clue what that number will be. I am not
going to judge Windows Vista security based on the first few
months' bugs. I will, however, look back two years from now and
compare Windows Vista to Windows XP SP2 and Windows Server 2003. I
do believe there will be a significant drop in both security bug
quantity and severity when compared to prior Windows versions,"
Howard wrote. "So here's my prediction. We will see significantly
less critical vulnerabilities in the operating system over the next
2 years, as compared to Windows XP, perhaps by a factor of as much
as 50%, and a 30% reduction of important vulnerabilities."
The key word in Howard's comments is "critical." Already we have
seen a couple of minor vulnerabilities in Vista, and we'll continue
to see those on a regular basis. No piece of software with the
scale and complexity of Vista can come through the development
process -- which is still performed by humans, after all -- without
its share of flaws. But the bet here is that comparatively few of
those vulnerabilities will be of the white-knuckle,
pagers-going-off-at-4 a.m.-on-Saturday variety that we saw on a
regular basis with both Windows 2000 and pre-SP2 Windows XP (not to
mention Internet Explorer and IIS).
Vista is the first version of Windows to go through the
company's SDL process from start to finish, and Microsoft's
developers spent a lot of time working out ways to implement the
principle of least privilege and making it as difficult as possible
for attackers to execute malicious code. Technologies such as
Windows Resource Protection, Address Space Layout Randomisation,
stack buffer overflow detection and BitLocker all are designed to
ensure that if an attacker is able to get access to a Vista
machine, his options will be severely limited.
But there's another reason why we may not be hearing about many
Vista zero days, and that's because the game has changed completely
since XP debuted more than five years ago. Then, hackers spent time
looking for vulnerabilities so that they could either publish
advisories and see their names in the paper or so they could write
a worm such as Slammer or Code Red that would take down banks and
ISPs and be the top story on CNN.
Now, it's all about money and the attackers are much more
concerned with finding zero-days that they can sell to the highest
bidder on the IRC black market -- or to the Zero-Day Initiative --
than they are with being famous. When legitimate organisations such
as 3Com and VeriSign will pay $5,000 or $10,000 for a new
vulnerability, imagine what that information can fetch from folks
with more flexible morals.
The researchers at NGS Software, Immunity Security, eEye, Core
Security and other such shops are digging through the Vista code
right now, and they'll find their share of bugs, rest assured. And
when they do, we'll hear about it.
But it's the ones that we don't hear about that should be
keeping you up at night, because those are the flaws being shipped
to Eastern Europe or Brazil, not being written up in
advisories.