Watch the growth pattern of a Vista vulnerability

May 29, 2007 10:18 GMT  ·  By

There are five stages to the overall development of an attack against Windows Vista, and against any software product for that matter. The exposure of Microsoft's latest operating system is intimately connected with the availability of critical-level vulnerabilities allowing for remote execution of arbitrary code. The period during which Windows Vista is at risk and under attack is referred to as the window of exposure. The five stages mentioned above are illustrated in the graphic included at the bottom, courtesy of Bruce Schneier, founder and CTO of Counterpane Internet Security.

Phases one and five are less relevant as far as the risks posed to Windows Vista are concerned. Initially, before the vulnerability is discovered, exploits can only have an accidental nature. Only once the flaw has been isolated, identified and bundled into an attack do exploits become premeditated. Additionally, the final stage involves attacks that simply function out of their own momentum, or in search of users less concerned with security issues. The fifth phase coincides with the general availability of a mitigation or security patch. Due to the update infrastructure that Microsoft has in place for Windows Vista, security fixes are served automatically as high priority.

However, the three intermediary stages of an exposure window are the ones that pose the greatest risk to Vista users. In this respect, a vulnerability will pose a black risk to Vista, associated with what Microsoft refers to as limited and targeted attacks. The gray risk coincides with the apex of attacks, as proof-of-concept code is published and becomes widely available. The white risk is associated with the time that the available security update takes to be deployed.

In this respect, Microsoft, with Windows Vista, has managed to make available not only the most secure Windows platform to date but also the operating system with the smallest exposure window.

[Images: Windows Vista; Stages of Risk]