How I will judge Windows Vista Security
Before I get started, I want to point out this is my opinion, not necessarily anyone else’s viewpoint.
Now that we have shipped Windows Vista and researchers are starting to prod and probe for security bugs, I want to spend a couple of minutes to explain how I will judge Windows Vista security.
“Prodding and poking” started many, many months ago, in part because we asked people to take a look at the product at BlackHat 2006, but we also know there is a great deal of underground research happening too.
The security engineering effort applied to Windows Vista was staggering; I can’t begin to explain all the work we did. I stand by our view that Windows Vista is the most secure Windows we have released. And that translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows.
Is Windows Vista perfect and utterly security bug free? Of course not! No software is bug free. Not even Macs or Linux :-)
My prediction for Windows Vista security bugs is pretty simple, and yes, I realize I am going out on a limb here. There will probably be a number of security bugs in the following months; I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months’ bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.
There might well be some “ouch” moments, when people in our group look at a bug and ask ourselves, “how on earth did we miss this?”
We will also see some bugs that are unique to Windows Vista. But I believe this number will be reasonably small.
There is one thing you will see that I’m not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation. The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play.
So here’s my prediction. We will see significantly fewer critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by as much as 50%, and a 30% reduction in important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected.
Why am I making these claims? I know the SDL works, and we will continue to evolve SDL over time as we learn of new vulnerability types and new defenses, but Windows Vista is the first Windows to go through SDL from start to finish. We know that when you focus on something intensely, you can make a big difference.
I was asked recently what my favorite SDL task used in Windows Vista is. It’s hard to pick just one, but I was put on the spot, so I gave one: banned API removal and use of the Standard Annotation Language (SAL). OK, it’s two, but they are closely related. I was also asked for my favorite security feature in Windows Vista; again, it’s hard to pick one, but I would say it’s all the security work in IE7. We saw IE7 come through the Month of Browser Bugs unharmed, and so far only a very small number of vulnerabilities that affect IE6 SP2 affect IE7. The IE team did a great job.
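To show what those two SDL tasks look like at the level of a single function, here is an added example written for this page; it is not code from the original post and not Windows source. It replaces the banned strcpy with a length-checked copy whose buffer contract is spelled out in SAL annotations, so a caller that passes the wrong size is something the analyzer can flag rather than something a fuzzer has to find. The function name safe_copy and the empty fallback macros for compilers that lack sal.h are assumptions made for the illustration.

```c
/* Added example, not from the original post or from Windows: the two
 * SDL tasks named above, banned API removal and SAL, applied to one
 * function. The name safe_copy and the empty fallback macros for
 * compilers without sal.h are assumptions made for this illustration. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifdef _MSC_VER
#include <sal.h>            /* real SAL macros, checked by /analyze */
#else
#define _In_z_              /* src: readable, NUL-terminated */
#define _Out_writes_z_(n)   /* dst: writable for n bytes, NUL-terminated on return */
#define _Check_return_      /* caller must not ignore the result */
#endif

/* The banned pattern, kept as a comment only: strcpy cannot know the
 * size of dst, so an over-long src writes past the end of the buffer.
 *
 *     static void banned_copy(char *dst, const char *src) { strcpy(dst, src); }
 */

/* Replacement: the destination size is part of the signature, and the
 * SAL annotations state the contract so the analyzer can check callers
 * that pass the wrong size. Returns 1 on success. On failure (NULL
 * argument, dst_size == 0, or src too long) returns 0 and, when dst is
 * writable, leaves it as an empty string so the caller never sees an
 * unterminated buffer. Nothing is ever written past dst[dst_size-1]. */
static _Check_return_ int safe_copy(_Out_writes_z_(dst_size) char *dst,
                                    size_t dst_size,
                                    _In_z_ const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dst_size == 0)
        return 0;

    /* Measure src, but never look further than dst_size bytes into it:
     * once we know it cannot fit, the exact length is irrelevant. */
    for (n = 0; n < dst_size && src[n] != '\0'; n++)
        ;
    if (n == dst_size) {       /* no room for the terminator */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);   /* n bytes plus the terminator */
    return 1;
}

/* Exercise the boundary cases a reviewer would want to see. Returns 1
 * when every case behaves as the contract above states. */
static int self_check(void)
{
    char buf[8];

    if (safe_copy(buf, sizeof buf, "vista") != 1 || strcmp(buf, "vista") != 0)
        return 0;
    if (safe_copy(buf, sizeof buf, "1234567") != 1 || strcmp(buf, "1234567") != 0)
        return 0;                           /* 7 chars + NUL exactly fills 8 */
    if (safe_copy(buf, sizeof buf, "12345678") != 0 || buf[0] != '\0')
        return 0;                           /* 8 chars need 9 bytes: rejected */
    if (safe_copy(buf, 0, "x") != 0)
        return 0;                           /* zero-sized destination */
    if (safe_copy(NULL, sizeof buf, "x") != 0 || safe_copy(buf, sizeof buf, NULL) != 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("safe_copy self-check: %s\n", self_check() ? "pass" : "FAIL");
    return self_check() ? 0 : 1;
}
```

The point of the annotations is that they travel with the declaration: once `_Out_writes_z_(dst_size)` is on the prototype, a call site such as `safe_copy(buf, sizeof(other_buf), s)` is a contract violation the tooling can report, which is exactly the class of mistake that banning strcpy alone does not catch.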
Comments
Anonymous
March 08, 2007
Hi. One question on this is, how does Microsoft integrate code that'd been bought in with acquisitions, who probably don't use SDL or an equivalent process? Isn't there a significant risk (especially if the bought-in code is security related) that the overall security of the codebase can be compromised by bought-in software?

Anonymous
March 08, 2007
PingBack from http://security-samizdat.com/vista-security-and-the-security-development-lifecycle/

Anonymous
March 18, 2007
I'm glad that you consider UAC to be a speed bump in this particular argument, and that your points are based on deeper aspects of Windows security, given that a huge majority of Windows Vista users will disable UAC out of sheer annoyance, leaving them as local administrators with no security protection - just as almost all consumers have been on Windows XP for more than 5 years. Really. They will. It's that annoying for a consumer.

Anonymous
March 18, 2007
A bug is a bug, isn't it? A severe buffer overflow is always a severe buffer overflow. In Vista as in other operating systems. :-)

Anonymous
March 18, 2007
M. Fluch, not true at all - see my blog post about VML and Vista.

Anonymous
March 18, 2007
The comment has been removed

Anonymous
March 18, 2007
John,
> how, really, does the new IP stack serve me
Better integrated IP technologies, easier to upgrade, fewer reboots, better perf.
> If vista manages to go a year without a critical security bug
No OS I know of goes a year without a critical security bug.

Anonymous
March 18, 2007
> no OS i know of goes a year without a critical security bug.
OpenBSD? "Only two remote holes in the default install, in more than 10 years!" Of course, "default install" here means "useless".

Anonymous
March 19, 2007
Don't forget that sometimes OpenBSD remote holes aren't always reported as such.

Anonymous
March 21, 2007
The comment has been removed

Anonymous
March 21, 2007
The comment has been removed

Anonymous
March 21, 2007
The comment has been removed

Anonymous
March 21, 2007
> I get no better service from the vista stack.
Perhaps you won't, but many will.