A new standard of security is an integral aspect of the evolution puzzle represented by the move from Windows XP to Windows Vista.
The Redmond company applauded not only the Wow factor of its latest Windows client, but also a new milestone in user protection, synonymous with the delivery of its most secure platform to date. But while Microsoft has been beating the drum of Vista as an epitome of security, the young product offered little in support of the company's claims that it was the apex of the Windows operating system. This changed toward the end of October, when the company made available its Security Intelligence Report covering January – June 2007, offering a detailed perspective on how Vista and XP compare, security-wise.
"Since our last Security Intelligence Report, Microsoft is extremely excited to have successfully launched Windows Vista, the most secure Microsoft operating system to date. Windows Vista is the first operating system developed end to end using our Security Development Lifecycle (SDL). Using the SDL helped us to maintain a focus on security during the development of Windows Vista and to ensure that it was the highest quality product we could release. Several security-related features were also included in Windows Vista, including User Account Control (UAC), Kernel Patch Protection for x64 Windows, Internet Explorer 7 with Protected Mode, Windows Defender, and Address Space Layout Randomization (ASLR)," revealed George Stathakopoulos, General Manager, Microsoft Product Security Center.
The Security Development Lifecycle is a comprehensive methodology applied to the software development process in order to harden a product. The end purpose of software built under the SDL is to present a minimal window for attacks, owing to a reduced number of security vulnerabilities together with a lower overall severity rating. Microsoft has stated repeatedly that its goal is in fact to fold the SDL into its general development process until the two are one and the same, so that security-focused products are the default outcome. But at the same time, foolproof software cannot be the final milestone of the development process. "We understand that security is a journey and not simply a destination. Microsoft remains vigilantly committed to working with our partners in the security space to enable a safe and secure computing experience on the Internet," Stathakopoulos added.
Still, users have to understand that while Microsoft has made extensive efforts to increase the security of Windows Vista, the extra features introduced are nothing more than mitigations and not actual security boundaries. And yes, UAC, ASLR, IE7 Protected Mode, PatchGuard and mandatory driver signing are not security boundaries. In this context, Microsoft Technical Fellow Mark Russinovich explained that while these items do improve the overall security posture of Vista, they are by no means a guarantee of protection for end users. In the end it all comes down to the cost and time of implementing a true security boundary, weighed against the impact it delivers. The fact that Microsoft makes no guarantee about the extra security mitigations in Vista is a silent confirmation that the Windows operating system continues to be vulnerable and exposed to attacks, Vista included.
But this does not mean that the SDL did not add value to Vista. "Microsoft has released just six security bulletins for Windows Vista during the first six months of 2007. This demonstrates that our practices are working and reinforces our continued investment into processes like the SDL. All the same, we realize there is still a long road ahead of us and there is a lot of work to be done to further protect the entire PC ecosystem," Stathakopoulos explained. Six security bulletins in the first six months of 2007 for Vista is nothing short of a positive review in itself of the security and code quality of the platform. According to statistics made available by Microsoft, the first half of 2007 brought with it in excess of 3,400 new vulnerabilities across the industry. Vista may be swimming in "shark infested waters" but it is not positioned as a perfect item of prey, and the small number of security patches is an argument in this regard.
Counting Security Holes
While the volume of vulnerabilities decreased in the first half of 2007 compared to the second half of 2006, down by 4.6%, the vast majority of the new security holes were rated as critical, and their number was on a rising trend. This translates into a new trend in the threat environment, which now focuses increasingly on High severity vulnerabilities that by definition permit the complete takeover of an attacked system. In addition, attackers are also continuing to simplify exploits. The easier it is to exploit a security flaw, the higher the risk to the end user; conversely, more complex exploits are easier to mitigate. Yet another factor that directly influences the risk level is the public availability of exploit code. Microsoft reported that in the past couple of years, just 26% of vulnerabilities had public proof-of-concept code available in the wild.
source: news.softpedia.com
Microsoft Offers a Complex Windows Vista vs. Windows XP Perspective
2007-11-04T01:24:00-07:00
Bonitoo