"Microsoft should be applauded"

Jun 20, 2007 13:10 GMT

Is Windows Vista secure? Microsoft has touted its latest operating system as the most secure Windows platform to date, and in this context it is true that Vista delivers a higher level of security. As Microsoft security expert Michael Howard put it, Vista raises the bar in an ever-evolving threat environment. In a sense this is also a clear indication that Windows XP has reached the end of its useful life: even with Service Pack 2 on board, XP was designed for a market in which the threat landscape was entirely different. Vista's newer Windows Server 2003 code base, together with the additional mitigations built into the operating system (among them address space layout randomization, User Account Control, integrity levels and Windows Service Hardening), does add real security, although it is no guarantee that the platform will not be exploited.

Mark Harris, Director of SophosLabs, gave his perspective on Vista security following "the annual get together of security vendors with Microsoft." And I am going to assume that he is talking about the recent Microsoft Security Response and Safety Summit. "Vista is more secure than previous versions and whilst Microsoft should be applauded for the efforts made in Vista, there is always a balance between usability and security. Vista will be targeted, vulnerabilities will be found and exploited, but most of all, users will be exploited and there will be a need for additional security products and services," Harris stated.

This means a lot coming from a security company that has not deployed Windows Vista across its own organization, and that sees no benefit in doing so in the future. The Microsoft Security Response and Safety Summit was a veritable parade of Security Development Lifecycle (SDL) sessions, and Harris appeared to be impressed: "a lot of what was discussed is under non-disclosure agreement so I can't discuss specifics, but it was interesting to hear first hand the efforts Microsoft have put into making Vista more secure. The whole development process is now focused on security and there were a number of sessions describing that process. The success of this approach seems to be backed up by the relatively small number of vulnerabilities found in the first 90 days."

And despite all this, Harris predicts that vulnerabilities are inherent to code and that security best practices will not eliminate them; that users will continue to fall victim to social engineering schemes; that UAC will cause users to develop "message box fatigue"; and that malware will ultimately adapt to Vista.