Few topics have been at the centre of more discussions in the security industry of late than the security of Windows Vista. Security experts, analysts, CSOs and Microsoft executives themselves have spent months, or years in some cases, dissecting and analysing every little change in the operating system and how each of them would affect security. And that was all before Vista even hit the shelves.
Of course, now that it is on the streets, the race is on among researchers and hackers to find the first Vista zero-day and bask in all of the attendant glory. But what's missing from all of these discussions and analyses is the question of how exactly we should be measuring the security of Vista. The simplest and most common way of doing this would be a straight quantitative comparison of the number of vulnerabilities found in Vista in the first six months or 12 months after its release to the number found in Windows XP during the same time period after its release.
This is a quick way to take the pulse of the OS and see how it stacks up against its youngest sibling. In fact, Microsoft security officials have been using this statistic for years in measuring the security of XP SP2 against Windows 2000 and NT. And Ben Fathi, corporate vice president of development in the Windows Core Operating System Division, who oversaw the Microsoft Security Business Unit until recently, told me last fall that's exactly how he planned to measure Vista's security.
Microsoft's software security guru and the man who oversees the Security Development Lifecycle, Michael Howard, said on his blog recently that counting the number of flaws in Vista is an important way of measuring its security. But, he added, that measurement won't mean much for at least a couple of years.
"There will probably be a number of security bugs in the following months, I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months' bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions," Howard wrote. "So here's my prediction. We will see significantly less critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction of important vulnerabilities."
The key word in Howard's comments is "critical." Already we have seen a couple of minor vulnerabilities in Vista, and we'll continue to see those on a regular basis. No piece of software with the scale and complexity of Vista can come through the development process -- which is still performed by humans, after all -- without its share of flaws. But the bet here is that comparatively few of those vulnerabilities will be of the white-knuckle, pagers-going-off-at-4 a.m.-on-Saturday variety that we saw on a regular basis with both Windows 2000 and pre-SP2 Windows XP (not to mention Internet Explorer and IIS).
Vista is the first version of Windows to go through the company's SDL process from start to finish, and Microsoft's developers spent a lot of time working out ways to implement the principle of least privilege and making it as difficult as possible for attackers to execute malicious code. Technologies such as Windows Resource Protection, Address Space Layout Randomisation, stack buffer overflow detection and BitLocker all are designed to ensure that if an attacker is able to get access to a Vista machine, his options will be severely limited.
But there's another reason why we may not be hearing about many Vista zero days, and that's because the game has changed completely since XP debuted more than five years ago. Then, hackers spent time looking for vulnerabilities so that they could either publish advisories and see their names in the paper or so they could write a worm such as Slammer or Code Red that would take down banks and ISPs and be the top story on CNN.
Now, it's all about money and the attackers are much more concerned with finding zero-days that they can sell to the highest bidder on the IRC black market -- or to the Zero-Day Initiative -- than they are with being famous. When legitimate organisations such as 3Com and VeriSign will pay $5,000 or $10,000 for a new vulnerability, imagine what that information can fetch from folks with more flexible morals.
The researchers at NGS Software, Immunity Security, eEye, Core Security and other such shops are digging through the Vista code right now, and they'll find their share of bugs, rest assured. And when they do, we'll hear about it.
But it's the ones that we don't hear about that should be keeping you up at night, because those are the flaws being shipped to Eastern Europe or Brazil, not being written up in advisories.