Michael Howard, who describes himself as ‘a simple security software guy at Microsoft’, has argued on his blog that vulnerabilities in Windows Vista should be rated differently from the critical vulnerabilities found in Windows XP, on the grounds that Vista’s security layers and core are much more hardened.
Howard’s full post is worth reading (it includes a prediction that, over the next couple of years, Vista will see up to 50% fewer critical vulnerabilities than Windows XP), but a couple of passages stand out: “There is one thing you will see that I’m not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation”.
Howard continues that “The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play.”
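The phrase “a defense with no security guarantees” is the crux of the MSRC position, so here is an added illustration of what it means for a /GS-style stack cookie. This is example code written for this article, not Howard’s or Microsoft’s, and it is a model, not a real compiled frame: the cookie, saved return address and handler values are constructed constants, and the frame layouts are structs that stand in for what the compiler would lay out on the stack (/SafeSEH is not modelled). The point it demonstrates: the cookie is checked only at function return, and only the cookie slot is checked, so an overwrite that is consumed before the epilogue (a function pointer inside the same struct as the buffer, which /GS cannot reorder) or an overwrite by an attacker who already knows the cookie value passes the check. The bug itself, an unbounded copy into a 16-byte field, is exactly the same in every case, which is why the bulletin severity does not move.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model values (assumptions for this example, not real addresses). */
#define COOKIE          0x7A6B5C4DU   /* in reality per-process random */
#define SAVED_RET       0x00401234UL
#define BENIGN_HANDLER  0x00402000UL

enum outcome {
    OUTCOME_OK = 0,              /* copy stayed inside the buffer */
    OUTCOME_COOKIE_TRIPPED = 1,  /* cookie check fails at return: process aborts before the hijacked return */
    OUTCOME_SILENT_HIJACK = 2    /* attacker-controlled pointer used with no check ever firing */
};

/* Model A: a plain local buffer. /GS puts the cookie between the locals and the
 * saved return address, so a write that reaches the return address crosses it. */
struct gs_frame {
    char name[16];
    uint32_t cookie;
    uintptr_t ret;
};

enum outcome gs_frame_copy(const unsigned char *input, size_t len)
{
    struct gs_frame f;
    memset(&f, 0, sizeof f);
    f.cookie = COOKIE;
    f.ret = SAVED_RET;
    if (len > sizeof f) len = sizeof f;           /* model: nothing lives past the frame */
    /* The bug: a strcpy-style copy into name with no bound; bytes past name[15]
     * land on whatever follows in the frame. */
    memcpy(&f, input, len);
    /* Epilogue: the cookie is checked at return, before the return address is used. */
    if (f.cookie != COOKIE) return OUTCOME_COOKIE_TRIPPED;
    return (f.ret == SAVED_RET) ? OUTCOME_OK : OUTCOME_SILENT_HIJACK;
}

/* Model B: the buffer is a struct member followed by a function pointer. The compiler
 * can reorder locals but not struct members, and the pointer is used before the
 * function returns, so the cookie check never gets a chance to run. */
struct record {
    char name[16];
    uintptr_t handler;                            /* "called" before the function returns */
};

enum outcome record_copy(const unsigned char *input, size_t len)
{
    struct record r;
    memset(&r, 0, sizeof r);
    r.handler = BENIGN_HANDLER;
    if (len > sizeof r) len = sizeof r;
    memcpy(&r, input, len);                       /* the same unbounded copy */
    /* The real function would call r.handler here; the model just reports the hijack. */
    return (r.handler == BENIGN_HANDLER) ? OUTCOME_OK : OUTCOME_SILENT_HIJACK;
}

/* Write values into a payload in native byte order, since the model compares native values. */
static void put_word(unsigned char *dst, uintptr_t v)  { memcpy(dst, &v, sizeof v); }
static void put_cookie(unsigned char *dst, uint32_t v) { memcpy(dst, &v, sizeof v); }

/* Constructed inputs for the four scenarios. */
enum outcome demo_in_bounds(void)
{
    const unsigned char input[] = "admin";        /* 6 bytes including NUL, fits in name */
    return gs_frame_copy(input, sizeof input);
}

enum outcome demo_ret_smash(void)
{
    unsigned char input[sizeof(struct gs_frame)];
    memset(input, 'A', sizeof input);             /* classic smash: 'A's through the return address */
    return gs_frame_copy(input, sizeof input);    /* cookie becomes 0x41414141: caught */
}

enum outcome demo_known_cookie(void)
{
    unsigned char input[sizeof(struct gs_frame)];
    memset(input, 'A', sizeof input);
    put_cookie(input + offsetof(struct gs_frame, cookie), COOKIE);   /* cookie leaked by a second bug */
    put_word(input + offsetof(struct gs_frame, ret), 0xDEADBEEFUL);  /* attacker's return address */
    return gs_frame_copy(input, sizeof input);    /* check passes, control flow is hijacked */
}

enum outcome demo_struct_pointer(void)
{
    unsigned char input[sizeof(struct record)];
    memset(input, 'A', sizeof input);
    put_word(input + offsetof(struct record, handler), 0xDEADBEEFUL);
    return record_copy(input, sizeof input);      /* no cookie between the buffer and the target */
}

int main(void)
{
    printf("in bounds:        %d\n", demo_in_bounds());
    printf("ret smash:        %d\n", demo_ret_smash());
    printf("known cookie:     %d\n", demo_known_cookie());
    printf("struct pointer:   %d\n", demo_struct_pointer());
    return 0;
}
```

Only the second scenario is stopped by the cookie; the third and fourth are the same memory-safety bug exploited around the mitigation, which is why the MSRC treats /GS as a hurdle for the exploit writer rather than as a reason to lower the severity of the underlying bug.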
Howard then tells us why he thinks this is the case. He says: “Why am I making these claims? I know the SDL [Security Development Lifecycle] works, and we will continue to evolve SDL over time as we learn of new vulnerability types and new defenses, but Windows Vista is the first Windows to go through SDL from start to finish. We know that when you focus on something intensely, you can make a big difference”.
Of course, not everyone agrees. Plenty of analysts believe the rating system should stay as it stands, and that even if Microsoft (or at least Michael Howard) believes Vista is more secure, attackers will be just as clever at finding new ways through Microsoft’s admittedly much improved defenses.
But what is the real vulnerability that Vista has to deal with? Continue on to page 2 for the conclusion...