Will the threat environment move on?
Microsoft has beaten the old drum of Windows Vista as the most secure Windows operating system on the market since the release of the platform in January 2007. But of course this perspective is part truth part marketing strategy. Microsoft, Windows and security are not concepts that mix well with one another. This is why the main focus with Vista was to deliver an operating system as close as possible to the level of being bulletproof.
Security is an ongoing process, according to Michael Howard, the Senior Security Program Manager in the Security Engineering group at Microsoft, and the leader of the Security Development Lifecycle, the development methodology and model which produced Windows Vista. And in this context, Vista raised the standards for security. As far, the threat environment failed to respond. Sure, Vista’s just over 7% of the operating system market – a position equivalent in obscurity to that of Mac OS X or Linux –, along with the additional security mitigations introduced, contributed to an undeveloped threat environment.
“One has to admit that Vista is arguably the most secure closed-source OS available on the market. Microsoft did do a good job at addressing the issues of previous Windows versions. Progress on all fronts has been achieved, and MS is probably better than any other closed-source software vendor when it comes to the the security of their products. This makes it difficult for attackers. The cost of developing an exploit for Vista is significantly higher than for any previous versions,” stated Halvar Flake, a security expert from Sabre Security after participating in Microsoft’s BlueHat v6: The Vuln Behind The Curtain.
While Vista is in no way a silver bullet solution that will solve all security problems for Windows users, it is an evolution compared to its predecessor, XP. Flake considers it to be such an evolution in fact that it will push the threat environment away from the operating system. This because there is a luxuriant ecosystem of software designed to run on top of Vista, just as ubiquitous as XP, but less secure than both.
“I think that most of the security researchers will move on to greener pastures for a while. Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some Antivirus software with shoddy file parsing, and the latest ITunes? I expect only a small number of remotely exploitable vulnerabilities in Vista. We will see everybody else getting hammered though. But, for a while, there will be (relative) quiet and calm in Redmond”, Flake added.