Linked by Thom Holwerda on Mon 25th Jun 2007 20:40 UTC, submitted by anonymous
Privacy, Security, Encryption

"I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain."
I'm not surprised, really...
by tomcat on Tue 26th Jun 2007 03:16 UTC

I know someone who worked at Microsoft on the Windows Vista project. He told me that, besides adding new features to the OS, Microsoft spent the last couple years running sophisticated static and dynamic code analysis tools. These tools do all kinds of path analysis and detect buffer overflows, identify "banned" APIs, find numeric overflows/underflows, and other dangerous calling patterns. Microsoft apparently set a very high bar for shipping Vista by requiring that all of the generated bugs be fixed prior to shipping. I think that Microsoft has taken a lax attitude toward security in the past, but they have definitely got religion now. Frankly, I applaud any effort on their part which improves security. It's still probably a little too early, and I'm sure that people will continue to do analysis. HOWEVER, really people, do all of these discussions have to degenerate into "my OS is better than your OS" flamewars?

RE: I'm not surprised, really...
by gustl on Wed 27th Jun 2007 06:55 in reply to "I'm not surprised, really..."

I also think Microsoft did their homework regarding code quality. But this is only one step on the way to good security.

What should have been done with Vista is getting the basics right, the design. They made way too many compromises regarding backwards compatibility. Like still allowing applications which insist on writing into system folders.
This leads people to switch off many privilege escalation prevention features.

Security of an operating system, especially a widespread one, is as much a social task as it is a technical one. People have to be forced to a more secure behaviour, and it would be Microsoft's task to apply that pressure.
They should have made some sort of "virtual machine" running XP in a sandbox for backwards compatibility.

With Vista now on the market, the door to a more secure design is closed again for several years.
