Microsoft has been talking up Windows Vista's security for years, saying that it will prove to be its strongest, toughest operating system ever.
But now that the long-awaited operating system is out, how will Vista really stack up? Ben Fathi, the former head of Microsoft's security group and now the chief of development in the Windows core operating system group, recently set the security bar.
"I made a statement six or nine months ago that I would like to see half as many vulnerabilities as XP [had] in the first year," Fathi said earlier this month at the RSA Conference 2007 in San Francisco. "Obviously, I'd like less than that; I'd be happy with zero. But I think it's reasonable to say, given the additional complexity and the additional size of Vista, that half as many would be a great goal."
In the first year after Windows XP debuted in October 2001, Microsoft posted 30 security bulletins pegged to the Home version of the then-new operating system. (Unlike today, Microsoft didn't spell out the number of vulnerabilities in each bulletin.)
For Microsoft to meet Fathi's goal, that means 15 or fewer security updates will tag Vista before the end of January 2008 -- a year after the retail/consumer release. Reseller News asked three security researchers and analysts for their take on Fathi's target. Not surprisingly, they don't all agree on whether the security objective is obtainable -- or out of the question.
Michael Cherry, analyst, Directions on Microsoft
"Making these kinds of predictions is like saying when you're going to ship. If you're right, no one pays attention. But if you're wrong, they'll rub your nose in it.
"Actually, I don't want to set my mindset to a certain number of vulnerabilities, or say a certain number is acceptable. I don't care if it's only one vulnerability, because if it's really bad, that's worse than 20 cosmetic bugs. Better, I think, would be to set a goal that says 80 percent of the vulnerabilities in the first year will be [rated] important or less.
"Fathi should have said, 'We are just not going to discuss counting' and leave it at that."
Graham Cluley, senior technology consultant, Sophos
"I have to say that I admire Microsoft's optimism.
"I would perhaps be more cautious than Fathi because in the last five years, the number of hackers and researchers who are examining Microsoft's code for vulnerabilities with ever greater intensity has increased. Furthermore, we have seen a number of legitimate security companies (including some who may have a vested interest in debunking Microsoft's status as a security player) put efforts into finding flaws in Microsoft's code.
"What isn't in doubt is that there will continue to be flaws found in Microsoft Vista."
Michael Silver, analyst, Gartner
"While the number of critical holes is important, for enterprises it would be nice if they had one or more months with no critical issues on Vista. That could actually have more of an impact in reducing the cost of testing and deploying fixes than reducing the overall number, because it would mean fewer test and deployment cycles.
"I think XP even had one or two months with fixes dropped [there were no XP bulletins released in January 2002], so reducing the number of months with fixes from like 13 to 10 would be great for organisations."