SAN FRANCISCO— Roughly two months after the initial launch of Windows Vista, Microsoft software development leader Ben Fathi said his company is pleased with the security, performance and feedback it has received regarding its newest operating system.
Seated in a quiet briefing room removed from the pressing mass of humanity coursing through ongoing RSA Conference 2007 being held here Feb. 5-10, Fathi, corporate vice president of development of Microsofts Windows Core Operating System Division, appears at ease, and even happy discussing the topic of Vista security.
The executives tone is markedly different than only six months ago, when he was fielding questions about potential antitrust action on the part of Microsofts largest security partners over their ability to integrate products with the new OS.
Where Microsoft was aggressively playing defense at that time, impressing its willingness to cooperate with partners and assuage their concerns over the implications of Vistas onboard security features, at the annual security industry confab Fathi seemed relaxed and more confident than ever that his companys work to better protect its flagship products is being viewed thus far as a success.
In framing Microsofts greatest accomplishments in improving Windows security with the introduction of its newest products—which range from building and using the companys new Software Development Lifecycle code analysis process, to adding anti-malware and encryption features in Vista—Fathi said the most gratifying milestone was getting the product itself out the door, along with the new iteration of its Office productivity suite.
“Vista is out, Office 2007 is out; those are two huge steps in achieving our security strategy,” Fathi said. “We also had a number of additional releases coming down the pipe, and theyre all either released or will be out in 2007, so I think weve made some great steps forward in terms of overall security.”
Among the additional products referenced by Fathi were those introduced by Microsoft at the show on Feb. 6, including a beta of its Forefront Server Security Management Console and its ILM (Identity Lifecycle Manager) 2007 package, to be launched in May 2007.
On the topic of partners, the executive said that the air has cleared significantly with the battle of words revolving around Microsofts inclusion of its KPP (Kernel Patch Protection) technology in the 64-bit version of Vista having been largely settled.
Security applications market leaders Symantec and McAfee appear to be satisfied with the new fleet of APIs that Redmond, Wash.-based Microsoft has provided to aid integration with Vistas kernel, and the software maker feels it was never forced to back down from its position of refusing to abandon PatchGuard, the most controversial element of KPP.
“Its good that were past that and moving on,” Fathi said. “The conversations have gotten significantly better since it became clear that we would not turn KPP off; everyone sat down at the table and discussed the best way to find usable APIs.”
While a small number of vulnerabilities have been isolated in Vista by security researchers, Fathi said he can live with that performance, compared to the torrents of flaws found in previous iterations of Windows and Office. Software is complex and will never be completely vulnerability-free, he said, and while Microsoft feels it has made significant progress with its ability to drive potential weak points out of its products using SDL, work to secure the software platform further will always remain an ongoing task.
Next Page: Security doubts remain.
2
Microsofts security doubters remain, spreading rumors that Vistas BitLocker encryption keys are already being cracked, and the news media continues to produce stories criticizing the frequency with which the operating systems UAC (User Account Control) feature presents users with distracting pop-ups. But Fathi said those criticisms arent as much a source of frustration as they are inspiration for his future development efforts.
“Headlines are what reporters are after, but we feel that the real message is getting out there that security for end users has been greatly improved,” Fathi said. “The great security we have today comes at some cost to the user, such as with the frequency of [the UAC] pop-ups, but we will work with our partners to improve integration for applications security so the system doesnt need to ask users for approval so often.”
Those types of considerations, and planning the security underpinnings of a future generation of Windows products—delivery date to be determined—have taken over Fathis day-to-day work, with the developer relishing his ability to spend most of his time with his true passion, building software, rather than sparring with Microsofts partners and fielding a nearly constant stream of questions from a media that often appears bent on discrediting his work.
“Im back doing what Ive always done, designing software versus dealing with problems, and not just being focused on security issues,” Fathi said. “The next six months are all about planning the next version of Windows and spending time fixing things we didnt fix in Vista.”
With a sly grin the developer suggests that perhaps as soon as five years from now customers of Microsofts products wont need to worry about OS security at all. Its clear that Fathi isnt serious, given his earlier concession that finding new ways to improve and defend Microsofts products will always be a part of his job, but its not hard to detect that the frustration the executive felt when handling the waves of controversy surrounding the release of Vista, before the product even arrived, has been replaced a much sweeter emotion.
The glimmer in Fathis eye as he postulates about his more security-free work of today and the future gives away the feeling he harbors regarding what Microsoft has accomplished with Vista. While the word never crosses his lips, its easy to see what hes driving at— satisfaction.
At least until the next headline.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.