“Microsoft Windows Vista is the most secure and trustworthy Windows operating system yet.” This notion seems to be the foundation of the many media articles on the upcoming Windows Vista release that have been written over the past year or so. This tagline is probably a fairly accurate statement based on general testing of the Vista Community Technology Preview (CTP) distributions and on the functional security feature set provided in Vista, as specified by Microsoft. Windows Vista will likely be more secure out of the box than Windows 2003, XP, 2000, or NT were during their initial releases.
However accurate the above notion is, the technology industry pundits, editorialists, and “expert” analysts have managed to translate the aforementioned would-be truth about Vista into a more general statement. This statement is that Vista is a highly secured and hardened operating system that may well be impenetrable and impervious to attack, one that solves our platform security problems and will reduce the need for, and effectiveness of, third-party security products. There is a sense that the security issues that existed in abundance in previous versions of Windows will not be of concern in Vista.
The implication that Vista is to be so secure has trickled into the mindsets of executives, analysts, product developers, and even engineers. However, as any observant veteran of the technology industry can tell you, while the marketing tagline may be true, the translation is quite likely to be far from reality. Windows Vista will probably continue to have security issues, as every new or improved operating system does.
Vista has buffer overflow protection, carried over from XP. Unfortunately, it does not protect against all types of overflows. Additionally, the protection offered has been shown to be subject to subversion with some clever techniques, as have many of the stack guard products designed to prevent stack buffer overflows.
Vista is written with security in mind and adheres to strict code integrity. The caveat is that anything new written into the Vista code base, even security-related code, will be potentially subject to new bugs. The average Microsoft developer is said to produce six bugs for every thousand lines of code, which is considered better than the industry average. With the ten-plus million lines of new code, and the millions of lines of modified code migrated into Vista, there could be a fair number of bugs present out of the box, including bugs that can be leveraged by a malicious party. (Keep an eye on that new TCP/IP stack.)
Vista code is being heavily audited to enforce secure coding techniques, with special focus on eradicating buffer overflows. Code audits reduce, but do not eliminate, bugs and security issues in complex software. In August of 2001, a well-known Microsoft executive boldly proclaimed in a keynote speech that a massive code audit in XP had eradicated “all” buffer overflows in the product. To this day, years later, buffer overflows are still commonly found in Windows XP. The complexity of Vista’s 50 million lines of code will likely produce a similar problem. Additionally, patches and service packs will continually introduce new code into Vista that may or may not be as tightly audited, due to time constraints on patch releases. Vista is too complex a product to catch all of its security holes in a single code audit.
Vista’s new security features and “security mentality” will, over time, reduce the opportunity for attacks, as well as reduce the available attack vectors to a degree. However, while the new Vista security features are welcome, they do not, in fact, solve most of the security issues that current Windows users are subject to. There will still be a dependence on the traditional anti- software. The secure coding emphasis will be of benefit, but the true code audit will be performed by intent Whitehats, Greyhats, and Blackhats trying to find the holes. It may take a while for the hacker/cracker community to find the holes in Vista. It may take a week, a month, or a year, but it seems inevitable that holes will be found.
As security professionals, we must not become lax in our assumptions about the impact of the release of Windows Vista. We should assume that at least as many security problems exist in Vista as in any previous version of Windows, if not more, no matter what the hype or rhetoric that surrounds its security expectations. Perhaps Vista will live up to the lofty expectations placed upon it, but history has shown this is not likely.