Should Microsoft downgrade Vista vulnerabilities?

The man who wrote the book on Microsoft's highly rated SDL (Security Development Lifecycle) believes buffer-related security vulnerabilities found in Windows Vista should be downgraded because of back-up mitigations built into the operating system.

Michael Howard, who serves as the public voice for security in Redmond's software creation procedures, said he isn't thrilled about the MSRC's (Microsoft Security Response Center) conservative approach to rating the severity of vulnerabilities and made the argument that an "important" flaw in Vista should be downgraded because of things like UAC, /GS, /SafeSEH, ASLR.

These mitigations are not available in any other version of Windows.

"The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place," Howard said in a blog entry that offered some predictions on how Vista will hold up to security scrutiny.

Microsoft's severity rating system is straightforward. For example, if a flaw can be exploited to allow the propagation of an Internet worm without user action, it will carry a "critical" rating even if defense-in-depth mitigations mean it's not wormable on Windows XP SP2 or Windows Vista.

This, in Howard's mind, will not provide an accurate measure of Vista's resilience if vulnerability counts and severity ratings are used as the criteria.

Still, despite some early hiccups, he remains confident that Vista is "the most secure Windows we have released."

"[T]hat translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows," he added.

Howard's prediction for how Vista will hold up to third-party hacker scrutiny:

There will probably be a number of security bugs in the following months, I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months' bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.

There might well be be some "ouch" moments, when people in our group look at a bug and ask ourselves, "how on earth did we miss this?"

We will also see some bugs that are unique to Windows Vista. But I believe this number will be reasonably small.

Howard also predicted that there will be "significantly less critical vulnerabilities" in Vista over the next two years compared to Windows XP.