Should Microsoft downgrade Vista vulnerabilities?

Summary: The man who wrote the book on Microsoft's highly rated SDL (Security Development Lifecycle) believes buffer-related security vulnerabilities found in Windows Vista should be downgraded because of back-up mitigations built into the operating system.


Michael Howard, who serves as the public voice for security in Redmond's software creation procedures, said he isn't thrilled about the MSRC's (Microsoft Security Response Center) conservative approach to rating the severity of vulnerabilities and made the argument that an "important" flaw in Vista should be downgraded because of things like UAC, /GS, /SafeSEH and ASLR.

These mitigations are not available in any other version of Windows.

"The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place," Howard said in a blog entry that offered some predictions on how Vista will hold up to security scrutiny.

Microsoft's severity rating system is straightforward. For example, if a flaw can be exploited to allow the propagation of an Internet worm without user action, it will carry a "critical" rating even if defense-in-depth mitigations mean it's not wormable on Windows XP SP2 or Windows Vista.

This, in Howard's mind, will not provide an accurate measure of Vista's resilience if vulnerability counts and severity ratings are used as the criteria.

Still, despite some early hiccups, he remains confident that Vista is "the most secure Windows we have released."

"[T]hat translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows," he added.

Howard's prediction for how Vista will hold up to third-party hacker scrutiny:

There will probably be a number of security bugs in the following months, I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months' bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.

There might well be some "ouch" moments, when people in our group look at a bug and ask ourselves, "how on earth did we miss this?"

We will also see some bugs that are unique to Windows Vista. But I believe this number will be reasonably small.

Howard also predicted that there will be "significantly less critical vulnerabilities" in Vista over the next two years compared to Windows XP.

Topics: Windows, Microsoft, Security

Talkback

42 comments
  • Pretty ballsy of him to have that

    bumper sticker on his laptop. Guess he is a glutton for punishment, eh?! ]:)
    Linux User 147560
    • Sticker

      He's not the only one. Jesper Johanson (sp?) had it on a laptop he used at some MS Security stuff I attended. They must think it is cutesy or something. Ballmer must have put them up to it.
      sordito
      • I've seen that sticker on the laptops...

        ...of lots of security professionals (that were not Microsoft employees and probably Linux users themselves) at security conferences.

        Get a sense of humor guys.
        toadlife
    • Just so you know...from the other day..

      "Because your comments on Linus are speculative at best. And an attempt to try and pick a fight."

      your response to me saying Linus T. had not so good things to say about how linux licensing was being handled by FSF and other parasites.

      Here is an example of what I meant.
      http://news.com.com/Torvalds+critical+of+new+GPL+draft/2100-7344_3-6099475.html
      xuniL_z
  • attacks exclusive to windows vista...

    From what i've read, the amount of DRM on Vista will serve as a springboard for a new breed of attack, and a much easier one. How 'bout a virus that changes your key to one on the blacklist...voila, your copy of windows no longer appears as genuine! (works for XP, too)

    How 'bout one that makes your desktop 'premium content' and won't display it. how 'bout one that messes with the 'secure audio path' and makes windows mute your audio?

    With Windows Vista hackers don't need to press too hard to trip up computers. back in the day people needed to address RAM and mess up files and be really sneaky. Now...just trip DRM, and Windows does the virus stuff for you!

    Needless to say, I plan on staying with XP for now. and to the people who wanna tell me that I should use Linux, i'll e-mail you a list of software I need to work on Linux and if you can get me a complete list, i'll switch over.

    Joey
    voyager529
    • But why?

      What would be the point of such attacks? If there is no financial gain to be had by an attack,attackers generally won't bother.
      toadlife
      • Financial gain?

        Nice red herring. Attacks are also done for bragging rights, to send a political
        message (windows sucks) or just to plain wreak havoc.

        How fun would it be for an anarchist to, say in three years, put all the Vista
        workstations at your local power plant into reduced functionality mode?
        frgough
        • Red herring?

          Yes, attacks are done for other reasons than financial gain, but the percentage of attacks like this is next to zero.

          My point was not that the attacks would not happen, but that they were not something to worry much about.

          As for your power plant scenario, give me a break.
          toadlife
          • I'd like to see those statistics (nt)

            nt = no test
            CobraA1
          • Sure

            Just go to any of the AV sites that maintain lists of malware. Compare the percentage of viruses that hijack computers into bot-nets with viruses that just do damage and nothing else.
            toadlife
    • They'd have to get past the UAC and other protections

      Well, for tampering with the DRM, they'd have to get admin privileges, so they'd have to get past the UAC and the user would know about it - and possibly block it. They can't do it without the user's knowledge anymore.

      In XP, they'd just do it silently and you wouldn't know about it.

      "to the people who wanna tell me that I should use Linux, i'll e-mail you a list of software I need to work on Linux and if you can get me a complete list, i'll switch over."

      Go ahead and give me a list - other than games, I've found that Linux has plenty of compatible apps. Games and poor NTFS support are pretty much the only reasons I still use Windows. Applications I found plenty of - they weren't a problem.
      CobraA1
      • Not comparable!

        Time = money! Having comparable apps is not worth much if the learning curve and data conversion time costs more than the next 20 years of Windows versions.

        Some apps, such as audio recording software, have a long learning curve because they have so many facilities and useful features that help with workflow. So-called compatible apps for these apps usually have different ways of doing the multitude of tasks handled by these apps. Just visit the Steinberg forum for Cubase and read the comments that PC-based Logic users who were abandoned by Apple and switched to Cubase have to gripe about all the little differences that they miss and wish were in Cubase. Of course Cubase does a lot of other things that Logic did not. To change, there would have to be a quantum leap in workflow benefits, not just equivalence, otherwise there is months of lost time learning new ways of doing the same stuff. Add to this the huge investment in effects plugins that are only available to the Windows/Apple OSs and the case for a Linux solution at this time looks pretty lame.

        Then do this for every app used daily in the support of work or hobby.

        None of this touches the difficulties faced if trying to interface with client's systems. Just have to basically go with the flow.

        In the end, a few hundred $ on a new Windows OS version every few years is minor compared to the time and money involved in transferring to a relatively undersupported OS.

        This is not to say that it won't be worthwhile at some time, especially when more support is provided for Linux across the board. But, a few compatible apps without the rest of the infrastructure being available is not good enough reason to change.

        You may have 'ideological reasons' to want to change, but if you want to justify the change to others, you may want some stronger justifications than you have presented.
        Patanjali
        • You didn't actually try

          Based on your broad sweep, it's obvious you have never run Linux or any of the applications. Since I use both at work I can:

          Use both MS Office and OpenOffice.org (no learning curve, all features I need). I do presentations using both software tools, have all features I need to use.
          Savings 496.00

          Eclipse for JAVA development (no cost, cross platform)

          My wife uses Wordperfect and OpenOffice for court documents, no problems all features required are available.

          The Ottawa Carleton Schoolboard now use OpenOffice.org. No complaints so far from teachers or staff.
          Savings 70.00 per computer.

          At home I have Rosegarden and Cakewalk. Files interchange, can do same things (features that I use).
          Savings 600.00

          AutoCAD (no replacement, run it in a VM under Linux)
          Savings $4000 (can't afford to upgrade both the OS and software, plus it works)

          No Vista upgrade from XP (no VMware option for virtual motion due to stupid licensing from MS)
          Savings 300.00

          I host www.esips.com, www.lapinede.ca and www.dssinc.ca all on Linux / JAVA
          No cost for software, sites appear to be working well...

          You get the picture?
          There is also the Sound software from Adobe that is covered by Audacity.

          I also have Video manipulation software for my Sony CAM that I can convert to different formats and still send the output overseas so they can watch a DVD encoded to PAL while we watch in NTSC.

          Software I WILL and do pay for:
          Drivers for Linux (Linuxant - modem and network)
          VMWare (I get a virtual hardware cluster)
          LinuxCAD (not as good as AutoCAD but only 99.00)
          Anything else I don't have the time to write / modify / interest in.
          douglasids
        • A few hundred $...

          multiplied by 5,000 users for the OS, plus another few hundred $ multiplied by 5,000 users for MS Office. Or zero $ multiplied by 5,000 users for Linux plus another zero $ multiplied by 5,000 users for OpenOffice for routine word processing and spreadsheets. Hmmmm... The same skills can be utilized in OpenOffice as MS Office. The files created in OpenOffice can be saved in an MS Office compatible format in case you need to send them to someone who uses MS Office. Sounds like a good business decision to me.

          Sure, there are going to be specialty applications that will keep people locked into Windows just like there are specialty applications that keep people locked into Apple or Unix or a mainframe. Beyond that, it's "ideological reasons" that are keeping companies married to Microsoft. There are very few stronger justifications for doing so. In the 80s, the saying was "nobody ever got fired for choosing IBM". Today, you can just replace "IBM" with "Microsoft".
          jasonp@...
      • NTFS

        I can't speak to games, but LinuxMint has MintDisk that reads and writes from/to NTFS. I only write to my Windows2000 once in a while and am in no position to assess or judge how well that is or would work/-ing out in a professional setting. It hasn't let me down at home, though.
        maskimummu@...
      • ntfs support

        CobraA1 wrote:

        "Games and poor NTFS support are pretty much the only reasons I still use Windows."

        Games I don't miss, and ntfs support is working just fine in linux. Check out the ntfs-3g project (http://www.ntfs-3g.org/), which recently went to 1.0 -- meaning stable and reliable.
        JDThompson
      • "compatible apps" don't count because ...

        ... people WANT Photoshop, not GIMP. They WANT what they want and a "compatible app" just won't cut it for most people who have time, money, and data invested in what they've been using for years. Transition costs are non-trivial.
        M Wagner
        • People also want...

          a Mercedes, not a Chevy. They want a 35,000 square foot home in the Hamptons and not a 1,700 square foot home in the city. People can't always get what they want, so there need to be alternatives available for them. Sure, some transition costs are non-trivial. But having something instead of nothing is also non-trivial.
          jasonp@...
  • Let's see

    If these actually lead to something. If not then they're PoC items (just like on OS X).
    However if someone releases an exploit then we'll all revisit it again. Sound fair?
    Rick_K
  • It really all depends

    on whether you're an ABMer, in which case, "ABSOLUTELY NOT",
    or an NBMer, in which case, "Yeah, it's no big deal".

    There, I think I covered Everybody with that one.
    John Zern