January 24, 2008
Microsoft awards high marks in Vista report card
Microsoft is giving itself straight As in its first-year Vista security report card, at least when comparing the new operating system's initial track record to that of its Windows forebears.
According to a blog post on the topic authored by Austin Wilson, director of Windows security at Microsoft, Vista is proving to be the most secure version of the OS released to date.
Wilson specifically credits the company's Security Development Lifecycle (SDL) program -- aimed at drumming flaws out of the OS during all of its design phases -- for lowering the sheer volume of security patches released for Vista thus far.
Wilson also contends that the security-oriented improvements built into the software have made the total cost of running a Vista PC lower than that of previous Windows iterations.
"Our investments in the SDL and our defense in depth approach to building Windows Vista seem to be paying off," Wilson said in his blog. "Our job with security is never finished, but the focus we put on engineering for security and the defense in depth approach of Windows Vista are showing real-world benefits for customers."
Among the highlights of Wilson's report card:
- Fewer months with Patch Tuesday updates. So far the Vista OS has had three months (December '06, January '07 and November '07) in which Microsoft didn't issue any monthly security fixes.
- Less frequent malware exploitation. Microsoft claims that it tracked 60 percent fewer malware infections aimed at Vista during the first six months of 2007, and 2.8 percent less unwanted software, compared to Windows XP SP2 systems.
- Fewer vulnerabilities. The company claims that Vista had only 36 vulnerabilities patched in its first year, along with 30 that have yet to be addressed, compared to 68 patched flaws for XP, and another 54 that remain open, during the same timeframe.
In terms of onboard security features, Microsoft touted the efficacy of its User Account Control model -- aimed at thwarting the ability of malware programs to tap into administrator-level control of machines -- and its IE Protected Mode -- which runs the browser in what is believed to be its safest possible configuration -- as keys to stemming attacks against Vista systems.
As a result of these and other security improvements, Wilson pointed to a report by GCR Custom Research which contends that, of the $251 per year saved in maintaining a Vista machine compared to an XP box, $55 of the savings can be attributed to its improved security and onboard protection features.
Despite the improvements, researchers have found some fairly serious flaws in the OS over the last year. Among the most significant (via InfoWorld sister site PC World):
- Animated cursor handling: A flaw in the animated cursor code used by Windows 2000 SP4 through Vista. With a malformed .ani, .cur, or .ico file, remote attackers can trigger a buffer overflow, overwhelming a program with more data than it can handle and allowing takeover of a victim's PC. The issue was fixed with Microsoft's critical MS07-017 patch.
- Malware Protection Engine: A critical vulnerability in all versions of Windows using the Microsoft Malware Protection Engine, which is built into Vista's bundled Windows Defender anti-spyware and the Microsoft OneCare antivirus program. The flaw can force the engine to execute attack code when it scans a malformed PDF file. This issue was fixed in Microsoft's critical MS07-010 patch.
- CSRSS privilege escalation: A vulnerability in the error handling of the Windows Client/Server Runtime Server Subsystem (CSRSS) could allow an attacker to bypass Vista's UAC (User Account Control) protections. This issue was fixed in Microsoft's critical MS07-021 patch.
Posted by Matt Hines on January 24, 2008 09:48 AM