Microsoft's Fathi: So Far, So Good for Vista Security

Microsoft's product development guru says Vista has been a success thus far in terms of improving security perceptions compared with previous versions of Windows, and he is already busy at work laying the foundation for yet another generation of the OS.

SAN FRANCISCO— Roughly two months after the initial launch of Windows Vista, Microsoft software development leader Ben Fathi said his company is pleased with the security, performance and feedback it has received regarding its newest operating system.

Seated in a quiet briefing room removed from the pressing mass of humanity coursing through the ongoing RSA Conference 2007 being held here Feb. 5-10, Fathi, corporate vice president of development of Microsoft's Windows Core Operating System Division, appears at ease, and even happy, discussing the topic of Vista security.

The executive's tone is markedly different from only six months ago, when he was fielding questions about potential antitrust action on the part of Microsoft's largest security partners over their ability to integrate products with the new OS.

Where Microsoft was aggressively playing defense at that time, impressing its willingness to cooperate with partners and assuage their concerns over the implications of Vista's onboard security features, at the annual security industry confab Fathi seemed relaxed and more confident than ever that his company's work to better protect its flagship products is being viewed thus far as a success.

In framing Microsoft's greatest accomplishments in improving Windows security with the introduction of its newest products—which range from building and using the company's new Software Development Lifecycle code analysis process, to adding anti-malware and encryption features in Vista—Fathi said the most gratifying milestone was getting the product itself out the door, along with the new iteration of its Office productivity suite.

"Vista is out, Office 2007 is out; those are two huge steps in achieving our security strategy," Fathi said. "We also had a number of additional releases coming down the pipe, and they're all either released or will be out in 2007, so I think we've made some great steps forward in terms of overall security."

Among the additional products referenced by Fathi were those introduced by Microsoft at the show on Feb. 6, including a beta of its Forefront Server Security Management Console and its ILM (Identity Lifecycle Manager) 2007 package, to be launched in May 2007.

On the topic of partners, the executive said that the air has cleared significantly, with the battle of words over Microsoft's inclusion of its KPP (Kernel Patch Protection) technology in the 64-bit version of Vista having been largely settled.

Security applications market leaders Symantec and McAfee appear to be satisfied with the new fleet of APIs that Redmond, Wash.-based Microsoft has provided to aid integration with Vista's kernel, and the software maker feels it was never forced to back down from its position of refusing to abandon PatchGuard, the most controversial element of KPP.

"It's good that we're past that and moving on," Fathi said. "The conversations have gotten significantly better since it became clear that we would not turn KPP off; everyone sat down at the table and discussed the best way to find usable APIs."

While a small number of vulnerabilities have been isolated in Vista by security researchers, Fathi said he can live with that performance, compared to the torrents of flaws found in previous iterations of Windows and Office. Software is complex and will never be completely vulnerability-free, he said, and while Microsoft feels it has made significant progress with its ability to drive potential weak points out of its products using SDL, work to secure the software platform further will always remain an ongoing task.
