Microsoft has boosted security in its new OS. Has it done enough?
Microsoft is hoping to polish its tarnished security track record with the final release of its long-awaited Windows Vista operating system. The company has been touting the OS as its most secure platform to date and used this as a major selling point at the glitzy international launch in January.
"Some of what we've done with Vista is really about getting the fundamentals right to build an inherently more secure product," says Scott Charney, Microsoft's vice-president of Trustworthy Computing.
Although there is a consensus among many in the industry that Vista is Microsoft's best effort to date when it comes to securing a platform, some experts have reservations about whether the improvements will be enough. Others have complained about some of the company's methods to improve security. Even before the release of the OS, much of the debate has focused on a kernel-patch protection mechanism that has locked security companies out of the operating system's kernel code.
Security experts are quick to point out that no matter how many improvements are made to Vista's security, there will always be vulnerabilities and a need for third-party security solutions. "Vista is never going to be the end-all security solution," says Richard Jacobs, chief technology officer of Sophos. "It is not going to be without its own vulnerabilities, which will be identified over time."
Nevertheless, Microsoft remains confident that Vista's improvements will speak for themselves once the migrations from older Windows versions begin. "We are delivering what customers asked for: the most secure and reliable version of Windows yet," insists Stephen Toulouse, senior product manager of Microsoft's security technology unit. "There are a number of features that are fundamental to the baseline security of the operating system. We're completely changing the way we engineer our products."
The changes to Windows have their origins in a company-wide email Bill Gates sent out five years ago. It laid the philosophical groundwork for what would become Microsoft's Trustworthy Computing (TWC) initiative. Microsoft brought Charney on board a month after Gates sent that memo, with the mission of breathing life into the initiative. Since then, he has led the cultural revolution at the company to improve in the four pillars of trustworthy computing: security, privacy, reliability and business integrity.
"We've done a lot of work in all four areas, but I can say quite clearly that security has received the most focus," Charney says. "People have a lot more faith in our products now than they did five years ago. They are now seeing changes in our products and services."
Charney believes that Vista will be the most visible indicator of his work so far. "It brings a lot of security, privacy and reliability - classic TWC features - to the client operating system," he adds. "Vista is the first client operating system to go through the security development lifecycle (SDL) and be focused on threat mitigation throughout its development."
Logistically, SDL put security at the forefront from the earliest stages of Vista's development. The idea behind the improved process was not to chase the impossibility of perfect code, but to mitigate risks by lowering the number of bugs in the code and reducing the severity of those bugs that remained.
"The product itself underwent basically the largest penetration testing effort of any commercial software product in history," Toulouse claims. "And security researchers have had unprecedented input into the design of the product. But, having said all that, we certainly understand there's going to be updates to Vista. The goal is that to the extent that there are updates, there will be fewer, and these will have less impact on customers."
Charney explains that the SDL's tenet is to be secure by design, secure by default and secure by deployment. The first aspect is the most fundamental and includes rigorous code testing and the creation of threat models during development. The second element relies on architecting the software so that default settings are less vulnerable - for example, Vista is the first iteration of Windows that sets user access controls so that machines aren't set at administrator levels by default. And the third aspect includes improvements in the automatic patching process and management of security within the OS.
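As an added illustration of the "secure by default" point above (this is example code written for this page, not code from the article or from Microsoft), the following PowerShell audit check reads the User Account Control policy values that Vista introduced and reports whether the current session is running on a filtered standard-user token or a full administrator token. It assumes Windows Vista or later and PowerShell 2.0 or later; the registry values EnableLUA and ConsentPromptBehaviorAdmin are the documented UAC policy settings.

```powershell
# Added audit example (not from the article): report the UAC policy state and
# whether this session holds a full administrator token.
# Assumes Windows Vista or later with PowerShell 2.0+.

function Get-UacStatus {
    # EnableLUA turns UAC on (1) or off (0).
    # ConsentPromptBehaviorAdmin: 0 = elevate silently (weak), 2 = prompt for
    # consent on the secure desktop (the Vista default).
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $policyPath -ErrorAction Stop
    New-Object PSObject -Property @{
        UacEnabled          = ($props.EnableLUA -eq 1)
        AdminPromptBehavior = $props.ConsentPromptBehaviorAdmin
    }
}

function Test-IsElevated {
    # With UAC on, an administrator's normal session carries a filtered token,
    # so this returns $false until the process is explicitly elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$uac = Get-UacStatus
if (-not $uac.UacEnabled) {
    Write-Warning 'UAC is disabled: every process in an administrator session runs fully elevated.'
} elseif ($uac.AdminPromptBehavior -eq 0) {
    Write-Warning 'UAC elevates administrators silently; set ConsentPromptBehaviorAdmin to 2 to prompt on the secure desktop.'
} else {
    Write-Output 'UAC is enabled with a prompting elevation policy.'
}

if (Test-IsElevated) {
    Write-Output 'This session holds a full administrator token.'
} else {
    Write-Output 'This session runs on a filtered (standard user) token, the Vista default.'
}
```

Run it from an ordinary (non-elevated) PowerShell window to see the default behaviour the article describes; running it from a window started with "Run as administrator" shows the elevated token instead. The two warnings correspond to the settings an administrator would most want to catch during a baseline review.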
All of this, explains Toulouse, should help create multiple layers of defence that should have a synergistic security effect. "There is no one silver bullet, and that was the approach we took with Windows Vista," he says. "Knowing full well that you can't ever get the code 100 per cent right, we decided to make the software more resilient across multiple layers."
So will it all work out in the real world? Some analysts believe that Vista truly will mark a turning point for Microsoft, while others in the vendor community are less certain. "We think Vista is going to bring about fairly dramatic security benefits to Windows users," says Andrew Jaquith, program manager for Yankee Group's enabling technologies enterprise group. "They've put a lot of effort into improving the OS in a very basic way."
In a recent poll conducted by US technology provider CDW Corporation, the majority of IT decision-makers familiar with Vista rank security as their biggest driver for adopting the new version of Windows. Even some in the security community, rarely known to pull punches on Microsoft, have responded relatively favourably to the new release.
"It's a very good thing that Microsoft has spent a lot of effort on security in Vista," says Ari Hypponen, chief technology officer of anti-virus vendor F-Secure. "It will be much more secure out of the box than any previous version of Windows. The biggest improvements are not very visible, as they spent a lot of time securing their code."
Additional security requirements
However, all of this early enthusiasm does come with some reservations. Jaquith, for instance, worries that new features, such as the user-access control, are onerous to use and could prompt people to turn them off. And many security professionals are quick to remind anyone who will listen that Vista's bolstered security is no replacement for strong third-party solutions. "Vista will be the most secure Microsoft operating system today, but it won't be good enough without a security package," Hypponen insists.
Even Microsoft executives agree with this sentiment. Charney cites the need for additional security solutions as one of the reasons why his company threw its hat into the security ring last year with its own offering, Windows Live OneCare.
This entree into the niche has not been without some controversy, as some vendors have complained that Microsoft has already thrown roadblocks up for its competitors with a new feature in Vista. In its effort to protect against the growing threat of rootkits, Microsoft integrated a new feature called PatchGuard into the 64-bit version of Vista. The mechanism acts to block access to the kernel's code and prevent applications from changing the kernel while it is running.
But many high-profile security companies, notably Symantec and McAfee, have complained vociferously that not only is Microsoft blocking the baddies with this new feature, they're keeping security software vendors out as well. Some executives believe the locking down of the kernel is part of Microsoft's gambit to corner the security software market now that it has launched OneCare. Ultimately, they claim, the move will hurt users.
The kernel dispute
"In the enterprise scenario, PatchGuard prevents us from getting deep into the core of the operating system," says George Heron, chief scientist for McAfee. "By not being able to monitor some of the data in the critical memory areas and the operation of that core, we're not able to detect a certain class of malware that Microsoft is frankly not able to do now."
Though Microsoft has offered to provide application programming interfaces (APIs) to grant limited access to the kernel, vendors have received no timeline for delivery, and analysts Gartner predict that they won't be delivered until 2008. Even then, Heron is concerned that they will be too little, too late.
"I worry because offering up a token API or two is very likely not going to be enough," Heron says. "It might sound OK to the public, but from a technical perspective, visibility through one peephole to the kernel is not going to suffice because malware has the tendency to hide in all of the dark corners of the basement of the operating system."
Ultimately, Charney says that security vendors are putting Microsoft in a difficult position by asking for things to be reverted back to the way they used to be. "Do you leave it open and leave the world at risk, or do you make one of these fundamental shifts in security, recognising that there will be some backward compatibility issues, and that the ecosystem will have to adjust?" Charney counters. "It seems to me that just leaving everyone at risk isn't the answer. At the end of the day, we have a fundamental choice, and it doesn't seem (Symantec and McAfee) are thinking about how the security model has to change to reflect the threat models."
Toulouse concurs that Microsoft is doing what it believes is right for users, even in the face of some resistance from vendors. The initial complaints are to be expected; they're growing pains, he says. But he believes that as the industry matures the dissent will die down.
- A version of this feature originally appeared in the US edition of SC.