"None of the security features in Windows Vista are intended as a "Silver Bullet" solution"

Jun 29, 2007 12:57 GMT  ·  By

Windows Vista is the most prized item of prey on the software market and, as such, it also takes center stage in the security show that Microsoft calls the "vulnerability theater." Russ Humphries, a senior program manager with the Vista security team, explained that the term refers to the show built around security that delivers no actual substance. Humphries argues that vulnerability disclosures have become something of a performance, even more so when they concern Windows Vista flaws.

"Vulnerability theater is where an individual, or group, will report a vulnerability that is - and let's be polite - over-blown. OK, so maybe it's not a brand new phenomenon but it certainly seems more common since the release of Windows Vista! Perhaps it's a desire on the behalf of the person making the disclosure to be one of the first to find or report a flaw in a new OS, but in some instances the lengths and steps an individual will go through to claim a vulnerability strain believability," Humphries revealed.

There are a number of variables to consider when estimating the threat level of any vulnerability, including those affecting Windows Vista. A flaw that requires Administrator credentials in order to produce a successful exploit is not really a vulnerability. This is because the attacker already owns the operating system, a position inherent in holding administrative privileges. Likewise, attacks that rely on social engineering, tricking the user into elevating privileges for a malicious process or application, do not point to security vulnerabilities either.

The bottom line is that no software and no patch will ever be able to teach the user safe behavior. Ultimately, Vista will carry out the actions it is told to perform, even if that leads to a system compromise. Humphries stated that Windows Vista strikes the right balance between the constraints of heightened security and usability. Still, it is up to the end user to set up the security configuration in a manner that offers the best protection. And last but not least, the potential consequences of vulnerabilities are in some cases only theoretical, implying no actual risk whatsoever.

"Of course vulnerabilities do exist; none of the security features in Windows Vista, either individually or collectively, are intended as a "Silver Bullet" solution to the problem of computer security. Instead, a defense in depth approach makes Windows Vista far more difficult to attack than any previous version of Windows, thus making it more secure," Humphries added.