Symantec Report: Vista Code Contains Security Loopholes
According to research published July 18 by Symantec, in Cupertino, Calif., a number of Vistas software components, specifically a handful of protocols related to its redesigned networking technologies, could become security loopholes if Microsoft does not fix the problems or ensure that the product is configured appropriately to hide the glitches when it is shipped.
The Redmond, Wash., software giant is slated to deliver a final version of Vista in January 2007.
Symantec researchers reported finding three different types of potential flaws in Vistas underlying software code, including the presence of stability issues that could cause the operating system to crash when presented with attacks that utilize malformed files to deliver their payloads.
Other issues include undocumented IP protocols with no known purpose in the product and problems with some new protocols deep within the operating systems so-called network stack.
The security company based its assessment on tests run on three different publicly available beta iterations of Vista, and conceded that Microsoft has eliminated large numbers of potential vulnerabilities with each successive beta release.
However, despite Microsofts aggressive efforts to rid its next-generation operating system of bugs, and specifically the employment of its SDL (Security Development Lifecycle) process, which requires that all of Vistas code be scoured for potential problems before being added into the product, the task of completely rewriting the sprawling code base without introducing any loopholes may be too much to expect from any vendor, said Oliver Friedrichs, director of emerging technologies at Symantec Security Response.
Enterprises should be most concerned that Microsoft configure Vista so as to best protect customers from any potentially risky protocols, Friedrichs said. He suggested that if Microsoft fails to address the problematic code appropriately, Vista could end up less secure that Windows XP, which has demanded a long list of security patches.
Microsoft officials didnt immediately return calls seeking comment on the Symantec report.
All software makers, including open-source groups and security providers such as Symantec, face the same issues in creating new products, but the sheer scope of Vistas code and the products popularity make the potential for problems even greater, Friedrichs said.
"Theres no question that Microsoft is making progress in trying to make the stack as robust as possible and flush out a lot of vulnerabilities, but research shows that any time you attempt to rewrite a core component like the network stack, you face a number of challenges from a security standpoint," he said. "The majority of stability issues and flaws are being fixed already, but whats most concerning will be the deployment and configuration of the new network protocols; if left unaddressed, these could allow for hackers to tunnel over firewalls and open up networks to attack."
For instance, Symantec highlighted Microsofts work to include default support for the IPv6 (Internet Protocol Version 6 standard in Vista as one potential weakness. The use of IPv6 in Windows to support new file-sharing applications could allow for such firewall tunneling and other outside attacks, the company said.
"Network stacks are very sophisticated pieces of code, which have traditionally been plagued by bugs, even in open-source products," Friedrichs said. "SDL is making a major impact into the development of the entire OS, but no matter how hard you try, developers are human and tend to make mistakes, oftentimes not until years after the product has been shipped."
Friedrichs said he expects Microsoft to address a large proportion of the problems that have already been found in the beta versions of Vista, but he believes that more flaws may be introduced every day that the product is in development, especially as Microsoft rushes to meet its latest shipping deadline.
Microsoft executives have admitted that it would likely be impossible to avoid the inclusion of any security flaws in the final version of Vista, but have said that the company believes it is making major strides in securing its products through the employment of SDL and other precautions.
In an interview with eWEEK reporters at the companys TechEd conference in Boston in June, Ben Fathi, corporate vice president for Microsofts Security Technology Unit, said he feels the firm is doing as good a job as it can in building Vista while always looking for new ways to eliminate problems introduced during the software development process.
"Vista is by far the most secure OS we have ever built, and maybe the most secure ever shipped by anyone," Fathi said. "There is no silver bullet in security, but our strategy is defense in depth. First you have to build a secure platform, and then you need to take additional steps in applying technologies to fight malware, and thats what were trying to do."
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.