Windows Security wrap-up: praise for Vista and a historic first

Summary: At last week's Black Hat conference, a security expert who spent time "beating up Vista" talks about Microsoft's approach to security. Microsoft falls off a top 10 list. And you should visit Windows Update now to get a new Critical update for IE.

It’s not often that you hear the words “Windows Vista” and “world-leading” in the same sentence.

So security expert Chris Paget’s ringing testimonial for Windows at last week’s Black Hat conference is newsworthy. CNET’s Seth Rosenblatt covered the talk.

Paget and her team are among the few outsiders allowed to look at Microsoft’s code. She and her team contracted for Microsoft to review the security of Windows Vista before it shipped—“beating up Vista,” she called it. The work was covered by a five-year non-disclosure agreement that just expired, allowing her to finally break her silence.

“Vista was a giant leap in the right direction,” Paget said. And she lavished praise on Microsoft’s security processes:

"'World-leading' is entirely appropriate" when discussing Microsoft's security procedures, she said at the start of her talk. "Microsoft's security process is spectacular."

That opinion is buttressed by a new list of top vulnerabilities that represents a historic first for Microsoft.

As usual, the latest quarterly report on malware from Kaspersky Lab contains a top 10 list of vulnerabilities. But the new list doesn’t include a single Microsoft product:

For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone.

Kaspersky says the change is directly attributable to improvements in recent versions of Windows, especially Windows 7.

Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.

Paget’s talk supplies one explanation for the improvements in Windows 7: her group was only allowed to look at new code for Vista. “Recursion looked at kernel code and the user space but was told not to look at legacy code. Microsoft didn't add legacy code vetting until Windows 7.”

This week also included the second Tuesday of August. The Patch Tuesday bounty included a Critical update for Internet Explorer that fixes seven vulnerabilities. Microsoft said it “expects to see reliable exploits developed within the next 30 days,” so you probably want to visit Windows Update and make sure this one has been applied.

Topics: Operating Systems, Microsoft, Security, Software, Windows

About

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He has served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure.
