
Windows Security wrap-up: praise for Vista and a historic first

At last week's Black Hat conference, a security expert who spent time "beating up Vista" talks about Microsoft's approach to security. Microsoft falls off a top 10 list. And you should visit Windows Update now to get a new Critical update for IE.
Written by Ed Bott, Senior Contributing Editor

It’s not often that you hear the words “Windows Vista” and “world-leading” in the same sentence.

So security expert Chris Paget’s ringing testimonial for Windows at last week’s Black Hat conference is newsworthy. CNET’s Seth Rosenblatt covered the talk.

Paget and her team are among the few outsiders allowed to look at Microsoft’s code. She and her team contracted for Microsoft to review the security of Windows Vista before it shipped—“beating up Vista,” she called it. The work was covered by a five-year non-disclosure agreement that just expired, allowing her to finally break her silence.

“Vista was a giant leap in the right direction,” Paget said. And she lavished praise on Microsoft’s security processes:

"'World-leading' is entirely appropriate" when discussing Microsoft's security procedures, she said at the start of her talk. "Microsoft's security process is spectacular."

That opinion is buttressed by a new list of top vulnerabilities that represents a historic first for Microsoft.

As usual, the latest quarterly report on malware from Kaspersky Lab contains a top 10 list of vulnerabilities. But the new list doesn’t include a single Microsoft product:

For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone.

Kaspersky says the change is directly attributable to improvements in recent versions of Windows, especially Windows 7.

Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.

Paget’s talk supplies one explanation for the improvements in Windows 7: her group was only allowed to look at new code for Vista. “Recursion looked at code kernel and the user space but was told not to look at legacy code. Microsoft didn't add legacy code vetting until Windows 7.”

This week also included the second Tuesday of August. The Patch Tuesday bounty included a Critical update for Internet Explorer that fixes seven vulnerabilities. Microsoft said it “expects to see reliable exploits developed within the next 30 days,” so you probably want to visit Windows Update and make sure this one has been applied.
