Microsoft has boosted security in its new OS. Has it done enough?

Microsoft is hoping to polish its tarnished security track record with the final release of its long-awaited Windows Vista operating system. The company has been touting the OS as its most secure platform to date and used this as a major selling point at the glitzy international launch in January.

"Some of what we've done with Vista is really about getting the fundamentals right to build an inherently more secure product," says Scott Charney, Microsoft's vice-president of Trustworthy Computing.

Although many in the industry agree that Vista is Microsoft's best effort to date at securing a platform, some experts doubt that the improvements will be enough, and others object to some of the methods the company has used to achieve them. Even before the OS shipped, much of the debate had focused on a kernel-patch protection mechanism that keeps third-party code, security products included, from modifying the running kernel on 64-bit editions.

Security experts are quick to point out that no matter how many improvements are made to Vista's security, there will always be vulnerabilities and a need for third-party security solutions. "Vista is never going to be the end-all security solution," says Richard Jacobs, chief technology officer of Sophos. "It is not going to be without its own vulnerabilities, which will be identified over time."

Nevertheless, Microsoft remains confident that Vista's improvements will speak for themselves once the migrations from older Windows versions begin. "We are delivering what customers asked for: the most secure and reliable version of Windows yet," insists Stephen Toulouse, senior product manager of Microsoft's security technology unit. "There are a number of features that are fundamental to the baseline security of the operating system. We're completely changing the way we engineer our products."

High hopes

The changes to Windows have their origins in a company-wide email Bill Gates sent out five years ago. It laid the philosophical groundwork for what would become Microsoft's Trustworthy Computing (TWC) initiative. Microsoft brought Charney on board a month after Gates sent that memo, with the mission of breathing life into the initiative. Since then, he has led the cultural revolution at the company to improve in the four pillars of trustworthy computing: security, privacy, reliability and business integrity.

"We've done a lot of work in all four areas, but I can say quite clearly that security has received the most focus," Charney says. "People have a lot more faith in our products now than they did five years ago. They are now seeing changes in our products and services."

Charney believes that Vista will be the most visible indicator of his work so far. "It brings a lot of security, privacy and reliability - classic TWC features - to the client operating system," he adds. "Vista is the first client operating system to go through the security development lifecycle (SDL) and be focused on threat mitigation throughout its development."

In practice, the SDL put security at the forefront from the earliest stages of Vista's development. The idea behind the improved process was not to chase the impossibility of perfect code, but to mitigate risk by lowering the number of bugs in the code and reducing the severity of those that remained.

"The product itself underwent basically the largest penetration testing effort of any commercial software product in history," Toulouse claims. "And security researchers have had unprecedented input into the design of the product. But, having said all that, we certainly understand there's going to be updates to Vista. The goal is that to the extent that there are updates, there will be fewer, and these will have less impact on customers."

Charney explains that the SDL's tenets are to be secure by design, secure by default and secure in deployment. The first is the most fundamental and includes rigorous code testing and the creation of threat models during development. The second relies on architecting the software so that default settings are less exposed: Vista is the first version of Windows in which User Account Control (UAC) runs even administrator accounts with standard-user privileges by default and asks for explicit elevation before a program gets administrative rights. The third covers improvements in the automatic patching process and in the management of security within the OS.

All of this, explains Toulouse, should help create multiple layers of defence that should have a synergistic security effect. "There is no one silver bullet, and that was the approach we took with Windows Vista," he says. "Knowing full well that you can't ever get the code 100 per cent right, we decided to make the software more resilient across multiple layers."

So will it all work out in the real world? Some analysts believe that Vista truly will mark a turning point for Microsoft, while others in the vendor community are less certain. "We think Vista is going to bring about fairly dramatic security benefits to Windows users," says Andrew Jaquith, program manager for Yankee Group's enabling technologies enterprise group. "They've put a lot of effort into improving the OS in a very basic way."

In a recent poll conducted by US technology provider CDW Corporation, the majority of IT decision-makers familiar with Vista ranked security as their biggest driver for adopting the new version of Windows. Even some in the security community, rarely known to pull punches on Microsoft, have responded relatively favourably to the new release.

"It's a very good thing that Microsoft has spent a lot of effort on security in Vista," says Ari Hypponen, chief technology officer of anti-virus vendor F-Secure. "It will be much more secure out of the box than any previous version of Windows. The biggest improvements are not very visible, as they spent a lot of time securing their code."

Additional security requirements

However, all of this early enthusiasm comes with some reservations. Jaquith, for instance, worries that new features such as User Account Control are onerous to use and could prompt people to turn them off. And many security professionals are quick to remind anyone who will listen that Vista's bolstered security is no replacement for strong third-party solutions. "Vista will be the most secure Microsoft operating system today, but it won't be good enough without a security package," Hypponen insists.
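The "secure by default" claim above rests on UAC leaving administrators with a filtered, standard-user token, and Jaquith's worry is that users will switch that off. The script below is an added example, not code from the article or from Microsoft: it audits the UAC policy values and the current process token on a Vista-or-later machine and reports the failure modes a practitioner would look for (UAC disabled, silent auto-elevation, prompts taken off the secure desktop). It assumes Windows PowerShell 2.0 or later, the documented policy values under `HKLM\...\Policies\System`, and that `whoami.exe` is present; the function name `Get-UacPosture` is invented for this example.

```powershell
# Added example: audit User Account Control posture on Windows Vista or later.
# Assumptions: Windows PowerShell 2.0+, the documented UAC policy values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and whoami.exe on PATH.
function Get-UacPosture {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # A missing value means the Vista default applies: UAC on, prompt for consent, secure desktop on.
    $enableLua     = if ($null -ne $policy.EnableLUA) { [int]$policy.EnableLUA } else { 1 }
    $adminPrompt   = if ($null -ne $policy.ConsentPromptBehaviorAdmin) { [int]$policy.ConsentPromptBehaviorAdmin } else { 2 }
    $secureDesktop = if ($null -ne $policy.PromptOnSecureDesktop) { [int]$policy.PromptOnSecureDesktop } else { 1 }

    # IsInRole(Administrator) is false in a non-elevated process even for a member of
    # Administrators: the filtered token carries that group SID marked "use for deny only".
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups shows the deny-only attribute that .NET hides. Matching on the SID keeps
    # the check independent of the group's display name; 'deny only' is English-locale text.
    $groups     = whoami /groups 2>$null
    $adminLine  = $groups | Where-Object { $_ -match 'S-1-5-32-544' }
    $splitToken = ($null -ne $adminLine) -and ($adminLine -match 'deny only')

    # Integrity level comes from the mandatory-label SID in the same output.
    $integrity = switch -regex ($groups -join "`n") {
        'S-1-16-16384' { 'System'; break }
        'S-1-16-12288' { 'High';   break }
        'S-1-16-8192'  { 'Medium'; break }
        'S-1-16-4096'  { 'Low';    break }
        default        { 'Unknown' }
    }

    # Kernel Patch Protection and mandatory driver signing apply only to x64 editions.
    $is64BitOs = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is off; administrators run fully elevated with no prompt, as on XP.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: elevation is silent, so UAC gives no warning before privileged actions.'
    }
    if ($secureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop, where other user-mode programs can draw over them or send them input.'
    }
    if ($isElevated -and -not $splitToken -and $enableLua -eq 1) {
        $findings += 'Current process is already elevated; run the audit from a non-elevated shell to see the default user experience.'
    }

    New-Object PSObject -Property @{
        UacEnabled                 = ($enableLua -eq 1)
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = ($secureDesktop -eq 1)
        ProcessElevated            = $isElevated
        AdminWithFilteredToken     = $splitToken
        IntegrityLevel             = $integrity
        Is64BitOs                  = $is64BitOs
        Findings                   = $findings
    }
}

Get-UacPosture | Format-List
```

Run it twice, once from a normal prompt and once from a prompt started with "Run as administrator": on a default Vista install the first run reports `ProcessElevated` false, `AdminWithFilteredToken` true and `IntegrityLevel` Medium, which is exactly the split-token behaviour the article describes; a machine where someone has "turned it off" shows `UacEnabled` false and a non-empty `Findings` list.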

Even Microsoft executives agree with this sentiment. Charney cites the need for additional security solutions as one of the reasons why his company threw its hat into the security ring last year with its own offering, Windows Live OneCare.

This entry into the niche has not been without controversy, as some vendors have complained that Microsoft has already thrown up roadblocks for its competitors with a feature in Vista. To counter the growing threat of rootkits, Microsoft built Kernel Patch Protection, commonly known as PatchGuard, into the 64-bit version of Vista. Rather than blocking writes to the kernel as they happen, the mechanism periodically verifies that kernel code and critical data structures (the system service dispatch table and interrupt descriptor table, among others) have not been modified, and halts the system with a bug check if they have, so any software that patches the running kernel, benign or malicious, crashes the machine.

But many high-profile security companies, notably Symantec and McAfee, have complained vociferously that Microsoft is not only blocking malware with this feature but keeping security software vendors out as well. Some executives believe the locking down of the kernel is part of Microsoft's gambit to corner the security software market now that it has launched OneCare. Ultimately, they claim, the move will hurt users.

The kernel dispute

"In the enterprise scenario, PatchGuard prevents us from getting deep into the core of the operating system," says George Heron, chief scientist for McAfee. "By not being able to monitor some of the data in the critical memory areas and the operation of that core, we're not able to detect a certain class of malware that Microsoft is frankly not able to do now."

Though Microsoft has offered to provide application programming interfaces (APIs) that grant limited access to the kernel, vendors have received no timeline for their delivery, and analysts at Gartner predict that they won't arrive until 2008. Even then, Heron is concerned that they will be too little, too late.

"I worry because offering up a token API or two is very likely not going to be enough," Heron says. "It might sound OK to the public, but from a technical perspective, visibility through one peephole to the kernel is not going to suffice because malware has the tendency to hide in all of the dark corners of the basement of the operating system."

Ultimately, Charney says that security vendors are putting Microsoft in a difficult position by asking for things to be reverted back to the way they used to be. "Do you leave it open and leave the world at risk, or do you make one of these fundamental shifts in security, recognising that there will be some backward compatibility issues, and that the ecosystem will have to adjust?" Charney counters. "It seems to me that just leaving everyone at risk isn't the answer. At the end of the day, we have a fundamental choice, and it doesn't seem [Symantec and McAfee] are thinking about how the security model has to change to reflect the threat models."

Toulouse concurs that Microsoft is doing what it believes is right for users, even in the face of some resistance from vendors. The initial complaints are to be expected, he says; they are growing pains, and he believes the dissent will die down as the industry matures.

- A version of this feature originally appeared in the US edition of SC.