X
Tech

Vista SP1 will contain undocumented fixes

Interesting email in today mailbag: "Will SP1 contain undisclosed or undocumented security fixes?" Let's find out ...
Written by Adrian Kingsley-Hughes, Contributing Writer

Interesting email in today mailbag: "Will SP1 contain undisclosed or undocumented security fixes?"

For some people, counting the number of security flaws that one OS has compared to another is important because it offers a metric upon which to determine which OS is the most secure (personally, I feel that it's a bogus metric, but I'll let it slide for now). However, many claim that Microsoft stacks the deck in its favor by not disclosing a full list of vulnerabilities that have been patched by omitting to include those discovered and patched in-house.

Well, for those of you who do count security flaws then SP1 is likely to annoy you because it will contain an unknown number of fixes that aren't being disclosed. Microsoft makes this clear in the Notable changes in Windows Vista SP1 document available for download from their website. The relevant wording is under the Security Improvements (page 11):

SP1 includes Secure Development Lifecycle process updates, where Microsoft identifies the root cause of each security bulletin and improves our internal tools to eliminate code patterns that could lead to future vulnerabilities.

Well folks, there you have it. We can't tell how many code patterns have been eliminated or whether these code patterns would ahve given rise to vulnerabilities, but Microsoft has taken steps to remove them anyway.

Now I have no doubt that this will make Vista SP1 safer and more secure than Vista RTM, and that's a good thing for users, but throwing in that kind of comment does throw some doubt over a report by Jeff Jones, Security Strategy Director in Microsoft’s Trustworthy Computing group, in which he claims that Vista had fewer vulnerabilities in the first year than Windows XP, Ubuntu 6.06 LTS, Red Hat rhel4ws and Mac OS X 10.4. I've asked Microsoft for comment on undisclosed vulnerabilities on several occasions and always had a "no comment" as a response.

But if you're still interested in playing the "count the vulnerabilities" game, here's something that you can do over the next 12 - 15 months - see how many vulnerabilities disclosed for Vista RTM don't apply to Vista SP1. The results should give you an idea of whether Microsoft's Secure Development Lifecycle process updates works or not.

I open the floor to discussion ...

Editorial standards