"Windows Vista is no different from previous versions of Windows"

May 30, 2007 14:27 GMT

There is a dark side to Windows Vista: one not advertised by Microsoft, one less applauded, and one out of tune with the $500 million Wow marketing campaign. In mid-May 2007, Microsoft Chairman Bill Gates attended the Windows Hardware Engineering Conference (WinHEC) 2007 in Los Angeles and touted approximately 40 million Windows Vista licenses sold. But while Windows Vista outperformed rival operating systems with its exploding installed base in just the first five weeks of general availability, Russian security developer Kaspersky was performing an autopsy of the operating system's initial 100 days.

"There's no doubt that the release of Microsoft's new operating system, Vista, onto the market at the end of January 2007 was a major event, not just for the antivirus industry but for the computer world as a whole. Microsoft announced that this latest version of its operating system would be the most secure in the history of Windows, and that many security issues which had caused virus epidemics in the past had been solved," stated Alexander Gostev, Senior Virus Analyst, Kaspersky Lab, going in for the kill.

Kaspersky enumerated the main security enhancements introduced in Windows Vista. User Account Control, PatchGuard (Kernel Patch Protection), Internet Explorer 7, Address Space Layout Randomization, Network Access Protection, Windows Service Hardening, and Windows Defender are the features mentioned by Gostev.

Kaspersky has adopted a skeptical position on Vista's level of security. From the security company's perspective, it is only a matter of "when" Windows Vista will fall. "Vista was released for sale on 30th January 2007, and the race to find vulnerabilities was on. Within two weeks, on 13th February, Microsoft released the latest bundle of patches. However, the February patch bundle didn't include a single vulnerability in Vista! This was a surprise, and could be viewed as confirmation that the new operating system is truly secure. However, there was one 'but'. The vulnerabilities which were patched in February were detected prior to Vista's release. Even if a vulnerability had already been identified in Vista, it would not be patched in February. Consequently, we had to wait until March in order to get a true picture," Gostev added.

And, of course, March was Microsoft's security update sabbatical, as the Redmond company released no patches at all, something that had not occurred at Microsoft for more than two years. Still, in the same month, no fewer than five unpatched flaws were identified in Windows; it had been the calm before the storm. And on March 29, 2007, the first signs of exploits associated with the ANI file format handling vulnerability started to be detected.

Microsoft ended up patching a total of seven different vulnerabilities in Windows, three of which directly impacted Vista with the maximum severity rating of critical. Vista was affected by "EMF Elevation of Privilege Vulnerability, Windows Animated Cursor Remote Code Execution Vulnerability, GDI Incorrect Parameter Local Elevation of Privilege Vulnerability. Microsoft had known about the problem since December the previous year, and had spent the intervening period testing; it decided not to release the patch as part of the March cycle, but to wait until April, although the patch was actually released prior to the scheduled date. The vulnerability had been known about, both by Microsoft and the computer underground, for more than three months," Gostev commented.

Kaspersky's conclusion is that Windows Vista is no different from any other operating system, and especially not from previous versions of the Windows platform. Vista proved that the new security measures it implemented could be taken down, and that the operating system was still vulnerable to zero-days.