Shiny and clean

May 18, 2007 08:10 GMT  ·  By

Windows Vista is touted as the most secure Windows platform to date, and there is a good reason behind this. Microsoft extensively scrubbed the Vista base code for the kinds of issues commonly associated with security vulnerabilities. The operating system was also tested against all the previously discovered flaws affecting Windows XP. Microsoft even went one step further and looked at vulnerabilities that had affected rival operating systems, analyzing flaws from several Linux versions and Mac OS Tiger. The cryptographic algorithms in Windows Vista were combed for "weaknesses in algorithm choice or key strength," according to Microsoft.

The Redmond company has also removed more than 100 programming APIs that had been the target of exploits from the Vista base code, and the non-Microsoft components shipped in Windows Vista were likewise placed under the microscope and assessed. The effort Microsoft poured into building Windows Vista was organized around the Security Development Lifecycle (SDL), its method for engineering the most secure Windows operating system on the market. One measure of the SDL's scale is that over 1,400 threat models were built for Windows Vista in order to identify security problems.

"Automation was a key focus in this engineering process. For example, the product groups used two tools developed by Microsoft, known as PREfix and PREfast, to identify source code vulnerabilities not found by typical compilers. The tools integrate cleanly with the build process, reduce development time, streamline code review, and help improve overall quality and reliability. The Windows team annotated all Windows Vista functions containing readable or writeable buffers using the Standard Annotation Language (SAL), which allows these automated code quality tools to evaluate the consistent use of variables and buffers and helps developers detect and remove exploitable coding errors," Microsoft explained in the Security Enhancements in Windows Vista article.

Moreover, Windows Vista components were "fuzz tested". The main purpose of fuzz testing was to ensure that the Vista components designed to "parse or process inputs from potentially hazardous sources" were up to the job and would hold up under pressure. During fuzz testing, malformed input is automatically fed to Vista components in order to evaluate how well they handle malicious content.
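To illustrate the two techniques Microsoft describes above, SAL annotations on functions that handle buffers and fuzz testing of input parsers, here is a small C program added for this article; it is not Microsoft's code and not taken from the Security Enhancements article. It defines a constructed length-prefixed record format, a naive parser that trusts the declared length, and a bounds-checked parser, both carrying SAL annotations (with empty fallback macros so the file builds outside Visual C++), and a mutation fuzzer that feeds thousands of malformed variants of a valid record to each parser and counts out-of-bounds reads. Reads are routed through an instrumented cursor that records an out-of-range access instead of performing it, so the harness observes the defect without relying on undefined behaviour. The record format, the `OUT_CAP` limit, the `fuzz` and `mutate` helpers and the seed input are all assumptions made for this example.

```c
/* Added example, not Microsoft's or the article's code: SAL-annotated,
 * bounds-checked record parsing plus a mutation fuzzer that exercises it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _MSC_VER
#include <sal.h>                 /* real SAL annotations under Visual C++ */
#else                            /* empty fallbacks so the code builds elsewhere */
#define _In_reads_bytes_(n)
#define _Out_writes_to_(cap, n)
#define _Out_
#endif

#define OUT_CAP 16               /* capacity of the caller's output buffer */

/* Instrumented input cursor: a read past the end is recorded, not performed,
 * so the harness can observe the bug without undefined behaviour. */
typedef struct { const uint8_t *data; size_t len, pos; int oob; } cursor_t;

static uint8_t read_u8(cursor_t *c) {
    if (c->pos >= c->len) { c->oob = 1; return 0; }   /* flag, don't read */
    return c->data[c->pos++];
}

/* Constructed record format: [tag:1][len:1][payload:len]. */
typedef int (*parser_fn)(const uint8_t *, size_t, uint8_t *, size_t *, int *);

/* Naive parser: trusts the declared length and keeps reading past the input. */
static int parse_naive(_In_reads_bytes_(len) const uint8_t *buf, size_t len,
                       _Out_writes_to_(OUT_CAP, *out_len) uint8_t *out,
                       _Out_ size_t *out_len, _Out_ int *oob) {
    cursor_t c = { buf, len, 0, 0 };
    (void)read_u8(&c);                        /* tag, ignored here */
    size_t n = read_u8(&c);                   /* declared payload length */
    for (size_t i = 0; i < n; i++) {
        uint8_t b = read_u8(&c);              /* no check against remaining input */
        if (i < OUT_CAP) out[i] = b;          /* only the write is clamped */
    }
    *out_len = n < OUT_CAP ? n : OUT_CAP;
    *oob = c.oob;
    return 0;                                 /* never rejects input */
}

/* Checked parser: validates the length against both buffers before copying. */
static int parse_checked(_In_reads_bytes_(len) const uint8_t *buf, size_t len,
                         _Out_writes_to_(OUT_CAP, *out_len) uint8_t *out,
                         _Out_ size_t *out_len, _Out_ int *oob) {
    cursor_t c = { buf, len, 0, 0 };
    *out_len = 0; *oob = 0;
    (void)read_u8(&c);
    size_t n = read_u8(&c);
    if (c.oob) return -1;                             /* header truncated */
    if (n > OUT_CAP || n > c.len - c.pos) return -1;  /* would overrun a buffer */
    for (size_t i = 0; i < n; i++) out[i] = read_u8(&c);
    *out_len = n; *oob = c.oob;                       /* oob stays 0 here */
    return 0;
}

/* xorshift32: a small deterministic PRNG so fuzz runs are reproducible. */
static uint32_t rng_state = 1;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* One mutation: bit flip, random byte, or truncation (length never drops to 0). */
static size_t mutate(uint8_t *buf, size_t len) {
    switch (rng_next() % 3) {
    case 0:  buf[rng_next() % len] ^= (uint8_t)(1u << (rng_next() % 8)); break;
    case 1:  buf[rng_next() % len] = (uint8_t)rng_next(); break;
    default: len = 1 + rng_next() % len; break;
    }
    return len;
}

/* Feeds `iterations` mutated variants of a valid seed record to `parse` and
 * returns how many triggered an out-of-bounds read (a crash under a sanitizer). */
static unsigned fuzz(parser_fn parse, unsigned iterations, uint32_t seed) {
    static const uint8_t seed_input[] = { 0x01, 0x04, 'a', 'b', 'c', 'd' };
    unsigned oob_hits = 0;
    rng_state = seed ? seed : 1;
    for (unsigned i = 0; i < iterations; i++) {
        uint8_t buf[sizeof seed_input], out[OUT_CAP];
        size_t len = sizeof buf, out_len = 0;
        int oob = 0;
        memcpy(buf, seed_input, sizeof buf);
        unsigned rounds = 1 + rng_next() % 3;
        for (unsigned r = 0; r < rounds; r++) len = mutate(buf, len);
        (void)parse(buf, len, out, &out_len, &oob);
        if (oob) oob_hits++;
    }
    return oob_hits;
}

int main(void) {
    printf("naive:   %u out-of-bounds reads in 10000 inputs\n", fuzz(parse_naive, 10000, 42));
    printf("checked: %u out-of-bounds reads in 10000 inputs\n", fuzz(parse_checked, 10000, 42));
    return 0;
}
```

Running the program reports a large number of out-of-bounds reads for `parse_naive` and none for `parse_checked`: the single length check against both the remaining input and the output capacity is what the fuzzer is unable to get past. The SAL annotations carry the same contract (`buf` holds `len` readable bytes, `out` has room for `OUT_CAP` bytes of which `*out_len` are written) in a form that static analyzers such as the PREfast tool named in the article can check at build time, so the two techniques complement each other: annotations catch mismatches between a function's contract and its callers, and fuzzing catches the cases where the contract itself was never enforced.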

"Another Microsoft-developed tool, called FxCop, scans managed code applications for vulnerabilities and helps prevent malicious code from taking advantage of buffer overruns in applications. In addition, the Microsoft Visual C++ 2005 C runtime library adds buffer checks to functions that are known to be vulnerable to attack. These tools were initially developed for internal use at Microsoft but are also available to the developer community in Visual Studio 2005," Microsoft added.