Protecting the enterprise in a Vista environment

Microsoft Vista actually has a greater need for third party security products than previous Windows versions. In reality, Microsoft Vista is poised to see a higher number of vulnerabilities earlier in its life than previous Microsoft products.

“We’re probably going to see a higher initial rate of reported vulnerabilities to us than with previous versions of our products, given the early view researchers have had into Vista,” said Stephen Toulouse, senior product manager with Microsoft’s security technology group.

The user’s ability to override Vista security and run a rogue/untrusted application at an elevated privilege or kernel level poses a significant risk that will remain unmitigated in the Vista 32-bit version.

A secure operating system should be able to contain and mitigate the actions of rogue software. Having a user account control (UAC) that allows you to point the finger of blame at the foolish user is not an acceptable solution to the issue – a better operating system is.

Hacking tools have evolved at a faster rate than most vendor security initiatives. One only has to look at the state of ‘fuzzing’ technology; fuzzing programs provide for an automated replacement for normal input and interfaces for a given protocol or application.

This automated ‘replacement’ input is computer generated, ambiguous and random in nature. By design a fuzzer automatically seeks to cause abnormal behaviour in the protocol or application. The abnormal behaviour is indicative of a software bug and can be further tested to determine if the bug is exploitable.

The use of these automated fuzzing tools by the research community to discover bugs and enable them to then create exploitable vulnerabilities has clearly outpaced software developer’s security initiatives; 32-bit implementations of Microsoft Vista will be the most widely deployed and will lack many of its key security mechanisms found in the 64-bit versions.

Hence, the largest part of the installed base will be the most vulnerable.
Consumers will regard vulnerability in the 32-bit version as a black mark against the Vista product even if the 64-bit version would have been capable of mitigating the threat. Microsoft will not be able to hide behind the capabilities of the 64-bit version when vulnerabilities arise in the 32-bit version.

In order to meet the constraints of operating on Microsoft Vista, many third-party applications will require major software revisions. One only has to look at the lack of security products that are able to work with Microsoft Vista to grasp the enormity of the problem.

Further, in the broader market of business software, because of the fluid and ever-changing requirements of writing software that is fully compatible with Vista, many vendors have not yet made the commitment to support the 64-bit version.

While Microsoft Vista does address to a limited degree spyware and known malware, it does not address the spam problem that Bill Gates in 2004 promised would end in two years, nor does it in any way address today’s fastest growing threat – the data-leakage issue that is fuelling identity theft.

paul henry software vista microsoft