Vista compromised multiple times, acknowledges the Redmond company

Jul 15, 2008 08:25 GMT

Believe it or not, Microsoft is setting up Windows 7 as the perfect target for what the company referred to as state-of-the-art hacking tools, some of them not even created yet. Windows 7 is heading straight for a feast of attacks, and Windows 7 Server will be joining it on the menu. Sporting new bulletproofed cores, the successors of Windows Vista and Windows Server 2008, respectively, are being designed to raise the bar in terms of security, but the question is: will it be sufficient? After all, the label of a new security standard also applies to the current releases of the Windows client and server operating systems, and both are far from perfect.

Kevin Turner, Microsoft Chief Operating Officer, claimed the title of the most secure operating system in the world for Windows Vista at the company's Worldwide Partner Conference 2008 in Houston, Texas, last week. But even with Turner applauding Vista as more secure than Apple's Mac OS X, Linux and all of open source for that matter, Microsoft is still acknowledging that the operating system was owned more than once.

But this is not stopping the Redmond giant from baking Windows 7 as the next "most secure operating system in the world," a goal that has to be delivered by the Windows Security Assurance (WinSA) team. Windows 7 and Windows 7 Server are planned as new security standards in comparison with Windows Vista and Windows Server 2008.

"WinSA's charter is to ensure the core Windows operating system and Server products are resilient to attack. Security researchers worldwide continue to explore new and creative ways to compromise our operating systems: unfortunately, even with its advanced features and the extensive engineering improvements, Vista has been compromised multiple times already. We're focused on making the next releases even more secure than previous ones," a member of the Windows Security Assurance group revealed.

Michael Howard, Senior Security Program Manager in the Security Engineering group at Microsoft, stated in the past that security is an ongoing cat-and-mouse game, and that the Redmond company has to set standards higher and higher with each release and fight attackers trying to overcome them. This is precisely what the evolution from Vista and Windows Server 2008 will deliver with Windows 7 and Windows 7 Server.

Windows 7 - Zero Security Barriers

At the same time, Howard was one of the first to admit that perfection is impossible to achieve, and just as Vista was compromised, so will Windows 7 be. Microsoft's Security Development Lifecycle is working to keep the risk of successful attacks that will break Windows 7 as low as possible. However, since Windows 7 is but an evolution of Windows Vista, and the current Windows client featured no security barriers, but just added mitigations, it is clear that, in terms of security, this development model will be perpetuated.

The introduction of any security barrier in Windows 7 would fundamentally alter the architecture of the operating system. Mitigations such as User Account Control, PatchGuard, driver signing and ASLR have already produced their fair share of pain, related mostly to compatibility problems. Microsoft simply cannot afford to go beyond just evolving the existing security mitigations and setting new protection layers in place. Just don't expect any of the extra tiers to act as impassable barriers, because this won't happen.

Proof of this is the new position of Software Development Engineer in Test offered by WinSA. "We are seeking a highly technical, self-starting tester and/or pentester to join our engineering team to find security bugs through a variety of means before we ship. You'll have the opportunity to create, use, and deploy state-of-the-art hacking tools. You'll investigate new Windows features for security soundness, and scour legacy code for security flaws. You'll come to see the OS from the perspective of a target, and figure out ways to defend against attacks. Come help us make Windows the most secure operating system in the world!" Microsoft said (emphasis added).

The Redmond company is willing to break down the code of Windows 7 and place the operating system on the "cutting edge of penetration testing". Windows 7 will have to take on a barrage of hacking tests, all in-house, all for the sake of a more secure Windows, and all, of course, before it ships to the general public by the end of 2009, as Microsoft hinted.