As reported by Mary Jo Foley and Ed Bott, Microsoft has finally confirmed that Windows Vista SP1 actually exists and will serve as a cumulative roll-up of patches and bug fixes released over the last six months.
This white paper from Microsoft, spells out the security goodies being fitted into this Vista refresh:
- Provides security software vendors a more secure way to communicate with Windows Security Center.
- Includes application programming interfaces (APIs) by which third-party security and malicious software detection applications can work with kernel patch protection on x64 versions of Windows Vista. These APIs help ISVs develop software that extends the functionality of the Windows kernel on x64 computers without disabling or weakening the protection offered by kernel patch protection.
- Improves the security of running RemoteApp programs and desktops by allowing Remote Desktop Protocol (RDP) files to be signed. Customers can differentiate user experiences based on publisher identity.
- Adds an Elliptical Curve Cryptography (ECC) pseudo-random number generator (PRNG) to the list of available PRNGs in Windows Vista.
- Enhances BitLocker Drive Encryption (BDE) to offer an additional multifactor authentication method that combines a key protected by the Trusted Platform Module (TPM) with a Startup key stored on a USB storage device and a user-generated personal identification number (PIN).
It's also likely (but not confirmed) that several known Vista vulnerabilities/weaknesses will be addressed in this service pack.
[ SEE: Vista voice exploit - cry wolf? ]
According to the National Vulnerability Database, there are quite a few issues affecting Vista that hasn't been fully addressed by Microsoft.
Then there's the controversial User Account Control (UAC) design flaw that just might get some attention in this service pack.