How Vista Stacks Up
Jones also compared Vista's performance with the number of embarrassments Windows XP suffered in its first six months. According to Jones, when Windows XP shipped, there were already three vulnerabilities in Internet Explorer that had been disclosed and fixed three weeks previously. Consequently, new users needed to apply an IE patch immediately to address those. Microsoft fixed a total of 36 vulnerabilities (including the three mentioned above) during the first six months the product was available. Twenty-three of the vulnerabilities were rated high severity in the NVD. At the end of the six-month period, three publicly disclosed vulnerabilities did not yet have a patch available from Microsoft, two of which (CVE-2002-0189 and CVE-2002-0694) were rated high severity by NIST. The other was rated low severity.

"So, with respect to its predecessor product, Windows Vista seems to have a better initial 90 days, with one-third as many vulnerabilities fixed and with both Windows Vista and Windows XP having only two high-severity issues outstanding at the end of the six-month period," Jones wrote in the report.

The most serious of Vista's unfixed vulnerabilities is that the operating system implements a Teredo address without user action upon connection to the Internet. This is a problem Symantec raised in March about Microsoft's use of the proprietary IP tunneling protocol, used to transition to IPv6 from IPv4. The issue with Teredo, according to Oliver Friedrichs, director of emerging technologies for Symantec, based in Cupertino, Calif., is that many firewalls and intrusion detection systems are not Teredo-aware. "They're not familiar with the protocol or how to decapsulate the protocol. That means, for one, when we're talking about a firewall, Teredo may allow attacks to circumvent or bypass the firewall," Friedrichs said at the time.
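As an added illustration of the inspection gap Friedrichs describes (example code written for this page, not code from the article, Symantec or Microsoft): a small Python inspector that decapsulates Teredo's IPv6-in-UDP encapsulation, using the server UDP port 3544, the 2001::/32 address prefix and the optional origin-indication header defined in RFC 4380, and then examines the inner IPv6 header. The sample datagram, the addresses, the control datagram and the blocked-port policy are all constructed for the demonstration. A firewall that reads only the outer UDP header sees an ordinary UDP datagram; the Teredo-aware path sees the inner TCP SYN to a port its policy would otherwise block.

```python
import ipaddress
import struct

# Facts from RFC 4380 (Teredo): the server UDP port and the Teredo address prefix.
TEREDO_UDP_PORT = 3544
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")


def parse_udp(datagram: bytes):
    """Split a UDP datagram into (src_port, dst_port, payload)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:length]


def strip_teredo_headers(payload: bytes):
    """Return the IPv6 packet carried in a Teredo UDP payload, or None.

    A Teredo payload may carry an Authentication header (starts 0x0001,
    variable length, not parsed here) and/or an 8-byte Origin Indication
    (starts 0x0000) in front of the IPv6 packet.
    """
    if len(payload) >= 2 and payload[:2] == b"\x00\x01":
        return None  # authentication header: would need full parsing
    if len(payload) >= 8 and payload[:2] == b"\x00\x00":
        payload = payload[8:]  # skip the origin indication
    if len(payload) >= 40 and payload[0] >> 4 == 6:  # IPv6 version nibble
        return payload
    return None


def parse_ipv6(pkt: bytes):
    """Decode the fixed 40-byte IPv6 header."""
    _ver_tc_flow, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    return {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": nh,
        "hop_limit": hlim,
        "payload": pkt[40:40 + plen],
    }


def inspect_datagram(datagram: bytes, blocked_inner_ports):
    """Inspect one UDP datagram, decapsulating Teredo if present.

    Peer-to-peer Teredo traffic uses the clients' mapped ports rather than
    3544, so decapsulation is attempted on every datagram and the Teredo
    verdict rests on the inner addresses or the server port, never on the
    outer port alone.
    """
    sport, dport, payload = parse_udp(datagram)
    result = {"outer": f"udp/{dport}", "teredo": False, "inner": None, "verdict": "allow"}
    ipv6 = strip_teredo_headers(payload)
    if ipv6 is None:
        return result
    hdr = parse_ipv6(ipv6)
    is_teredo = (hdr["src"] in TEREDO_PREFIX or hdr["dst"] in TEREDO_PREFIX
                 or TEREDO_UDP_PORT in (sport, dport))
    if not is_teredo:
        return result
    inner = {"src": str(hdr["src"]), "dst": str(hdr["dst"]),
             "proto": hdr["next_header"], "dst_port": None}
    if hdr["next_header"] in (6, 17) and len(hdr["payload"]) >= 4:  # TCP or UDP inside
        inner["dst_port"] = struct.unpack("!HH", hdr["payload"][:4])[1]
    result.update(teredo=True, inner=inner)
    if inner["dst_port"] in blocked_inner_ports:
        result["verdict"] = "alert: tunneled traffic to blocked port"
    return result


def build_sample_datagram() -> bytes:
    """Constructed sample: a Teredo client sends a TCP SYN to port 445 inside UDP."""
    # 20-byte TCP header: sport 51000, dport 445, SYN flag set (constructed values).
    tcp = struct.pack("!HHIIBBHHH", 51000, 445, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0)
    src = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed  # constructed
    dst = ipaddress.IPv6Address("2001:db8::1").packed  # documentation prefix
    ipv6 = struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64) + src + dst + tcp
    # Origin indication: obfuscated (XOR 0xff) port 40000 and address 192.0.2.45.
    origin = struct.pack("!HH", 0x0000, 40000 ^ 0xFFFF) + bytes(b ^ 0xFF for b in (192, 0, 2, 45))
    payload = origin + ipv6
    return struct.pack("!HHHH", 40000, TEREDO_UDP_PORT, 8 + len(payload), 0) + payload


def build_plain_datagram() -> bytes:
    """Constructed control case: a short DNS-like datagram with no tunnel inside."""
    body = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    return struct.pack("!HHHH", 5000, 53, 8 + len(body), 0) + body


if __name__ == "__main__":
    policy = {445, 139}  # constructed: inner ports the firewall policy blocks
    for dg in (build_sample_datagram(), build_plain_datagram()):
        print(inspect_datagram(dg, policy))
```

The `outer` field is all a Teredo-unaware device has to work with; the `inner` field is what a Teredo-aware one recovers before applying policy. Authentication headers are deliberately left undecoded here, which is the same class of blind spot the quote warns about, so a production inspector would need to parse them too.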
Microsoft is pointing proudly to Vista's security performance, particularly given that its client is the first to go through its secure development life-cycle process. That process involves the creation of a threat model for each new feature, along with vetting by outside security researchers.

"From the start, with Windows Vista, we said for any new feature in the product we're going to first of all start with a threat model," Wilson said. "Every feature had to have a threat model. When developing you have to say, 'What are the things you have to do if a bad guy was going to exploit [a feature]?' Evaluating threat models, that's brand-new in Vista."

Microsoft also hired a "significant number" of third-party security researchers to come onto campus in 2006, Wilson pointed out. They were given access to source code and told to hammer away at vulnerabilities. Many of those researchers went on to present findings at the Black Hat security conference. Also at Black Hat in July 2006, Microsoft gave a copy of the Vista beta to participants, inviting them to find vulnerabilities. "We think the big difference was a hard-core focus on doing the right thing from an engineering standpoint end-to-end on the product, and using third-party researchers to look at it," Wilson said.

UAC (User Account Control) is one example of how a feature was changed in reaction to its threat model. Microsoft painted a scenario where, if the user is running as a standard user and wants to do an administrative action, he or she will get a prompt to proceed as an administrator. Early threat models posed the question: What would happen if somebody spoofed the user into thinking he or she was typing passwords into the system, but in fact the user was actually giving a third party the log-in and password? "We determined that the prompt needed to happen on a secure desktop, where the code can't run where the user interface is spoofed," Wilson said.
"That's one example of [Microsoft creating] a threat model, saying, 'Hey, could somebody spoof that dialogue?' The answer was we saw the potential, so we did a change to the code to make sure that threat couldn't happen."

In related news, security blogger Ryan Naraine blogged on June 20 about Microsoft having silently fixed vulnerabilities in its bulletins, what he called "a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions." However, Cherry of Directions on Microsoft couldn't get excited about the issue. "I don't understand what the surprise is about. Microsoft is continually finding things in the code, and they fix them. And so, if nobody's reported it yet, I don't see the harm in why they have to tell somebody they're there. And when they get to a service pack, they always have told us what's in it. [They have] a large list of what fixes are there. There will always be some that you've never heard a whisper about."