Feeds

Vista raises the bar for flaw finders

But the battle's not over yet

Boost IT visibility and business value

Microsoft launched its latest operating system - Windows Vista - on Monday, a move that will make finding easily exploitable vulnerabilities a lot harder, according to security researchers.

In a launch event in New York City, the software giant took the wraps off both Windows Vista and its Office 2007 productivity suite. Long awaited, Windows Vista brings together a number of security features, some aimed at hardening the operating system against attack and others designed to encourage users to make security a priority when using their PCs.

"None of the features in Windows Vista, either individually or together, are meant to be bulletproof," said Stephen Toulouse, senior product manager for Microsoft's Security Technology Unit. "But the defense-in-depth will significantly raise the security level compared to Windows XP."

The launch of its latest operating system comes five years after the company restructured its approach to software security with the Trustworthy Computing Initiative. The revamped strategy - prompted by the Code Red and Nimda worms that struck a massive number of the software giant's customers in the summer of 2001 - led to a massive push to educate developers and provide tools to weed out software bugs. In 2004, Microsoft refocused Windows XP Service Pack 2, making the update almost completely about security.

While other applications, including Internet Explorer 7 and Office 2007, have benefited from Microsoft's secure development lifecycle, the development of Windows Vista was the first time the software giant's consumer operating system was designed from the ground up with a focus on security. For example, the operating system enforces least-privilege rules of access, requesting the user's password to execute certain higher privilege tasks. The software giant has also improved the operating system's firewall and revamped the Security Centre to give more information to users. Internet Explorer 7 brings additional security enhancements, such as limiting ActiveX controls and significant anti-phishing features.

For security researchers, however, it's what's under the hood that matters. Three major features will make Vista more difficult to exploit even when vulnerabilities are found: Kernel Patch Protection, Data Execution Prevention, and Address Space Layout Randomisation.

The controversial Kernel Patch Protection, also known as PatchGuard, limits the practice of some software developers of creating add-on features for the operating system by patching the kernel, the core system software. Many security software makers have criticised the feature because it limits their software's ability to modify the core features offered by the Windows operating system.

"This is especially popular among anti-virus products, which sometimes use exactly the same hooking techniques as some popular malware, like rootkits," Joanna Rutkowska, senior researcher for COSEINC Advanced Malware Labs, said in an email interview with SecurityFocus. "This is not good, not only because it may have potential impact on system stability, but it also confuses malware detection tools."

Such restrictions are good for the overall security of the Windows platform, but it's not comprehensive by any means, Rutkowska said. PatchGuard only protects against modifications to code and static-kernel objects, what Rutkowska calls type-I infections. It does not detect modifications to dynamic structures (type-II infections) nor does it detect modifications to code running through hardware virtualisation (type-III infections), she said.

Boost IT visibility and business value

More from The Register

next story
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Cloudy CoreOS Linux distro declares itself production-ready
Lightweight, container-happy Linux gets first Stable release
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.