Symantec: Vista Code Has Holes

Researchers say redesigned networking technologies could be hacker targets

A new report from Symantec security researchers contends that Microsoft's much-awaited Vista operating system could harbor a range of vulnerabilities that will make it less secure than previous iterations of Windows.

According to research published July 18 by Symantec, in Cupertino, Calif., a number of Vista's software components, specifically a handful of protocols related to its redesigned networking technologies, could become security loopholes if Microsoft does not fix the problems or ensure that the product is configured appropriately to hide the glitches when it is shipped.

The Redmond, Wash., software maker is slated to deliver a final version of Vista in January 2007.

Symantec researchers reported finding three different types of potential flaws in Vista's underlying software code, including the presence of stability issues that could cause the operating system to crash when presented with attacks that use malformed files to deliver their payloads.

Other issues include undocumented IP protocols with no known purpose in the product and problems with some new protocols deep within the operating system's so-called network stack.

The security company based its assessment on tests run on three different publicly available beta iterations of Vista and conceded that Microsoft has eliminated large numbers of potential vulnerabilities with each successive beta release.

However, despite Microsoft's aggressive efforts to rid its next-generation operating system of bugs, specifically with the employment of its SDL (Security Development Lifecycle) process, which requires that all of Vista's code be scoured for potential problems before being added into the product, the task of completely rewriting the sprawling code base without introducing any loopholes may be too much to expect from any vendor, said Oliver Friedrichs, director of emerging technologies at Symantec Security Response, also in Cupertino.

Enterprises should be most concerned that Microsoft configure Vista so as to best protect customers from any potentially risky protocols, Friedrichs said. He suggested that if Microsoft fails to address the problematic code appropriately, Vista could end up less secure than Windows XP, which has demanded a long list of security patches.

Microsoft officials didn't immediately return calls seeking comment on the Symantec report, but Ben Fathi, corporate vice president for Microsoft's Security Technology Unit, said in a June interview that the company is doing as good a job as it can in building Vista while always looking for new ways to eliminate problems introduced during the software development process.

"There's no question that Microsoft is making progress, but research shows that any time you attempt to rewrite a core component like the network stack, you face a number of challenges from a security standpoint," said Friedrichs.

Up to code?

Symantec claims Vista's code will have holes, while Microsoft believes SDL will keep issues down.

Symantec's Critiques

* Virgin code base will have vulnerabilities

* Undocumented protocols must be eliminated

* Network stack additions such as IPv6 could allow attacks

* Aggressive hacker community will find holes

Microsoft's Strategy

* SDL clearinghouse scours for developer errors

* Beta versions will be reworked

* On-board anti-malware tools will fight threats

* New security products augment finished Vista