The current beta version of Microsoft Corp’s Windows Vista operating system is fraught with new security flaws, and enterprise testers should take due precautions, said security outfit Symantec Corp, in a new report.
The problems in Vista, which include several bugs, stem mostly from the network code being entirely new, in contrast to its predecessor Windows XP, whose networking code had been battle-tested and patched over years of deployment.
Windows Vista represents a significant departure from previous Windows systems both in terms of its emphasis on security and its many new features, wrote the Symantec researchers in their report. The amount of new code present in Windows Vista provides many opportunities for new defects.
One of Vista’s largest departures from previous Windows versions is its network stack, which has been rewritten from the ground up, Symantec said.
In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects, said Symantec in its report. This may provide for a more stable networking stack in the long term, but stability will suffer in the short term.
So much so that, despite Microsoft’s claims, Windows Vista’s network stack as it exists today is less stable than the XP stack, said the researchers.
Oliver Friedrichs, director of Symantec Security Response, said that Microsoft might fix these flaws by the time Vista is released next year. We fully expect Microsoft to be putting a concerted effort into making sure this stack is assured. But there are absolutely no guarantees, Friedrichs said.
After all, a networking stack is a complex piece of software that takes many years to mature, noted the Symantec researchers. Friedrichs said the stack has a level of complexity not seen in other OS components.
The underlying message is that while you can put a significant amount of effort into patching and into finding bugs prior to a release, you’re still dealing with a really challenging development project and a very complex piece of code, Friedrichs said.
Microsoft dismissed Symantec’s claims, objecting to their timing.
Given that Windows Vista is still in the beta stage of the development and not yet final, the claims made in this report are, at best, premature, said the company, in an emailed statement. And given the extensive work we are doing to make Windows Vista the most secure version of Windows yet, we believe the claims are also unsubstantiated.
The purpose of Cupertino, California-based Symantec’s report was to make Vista beta users aware of the security risks, and to alert users to potential security concerns once Vista is released, according to Friedrichs.
Friedrichs said companies testing Vista beta releases should follow Symantec’s usual best-practice recommendations, including testing the software behind adequate firewalls and keeping it isolated from other IT operations. Make sure it’s protected in a lab, he said.
Vista has about an 80% chance of being broadly released in January — or a 20% chance of being delayed yet again — according to recent remarks by Microsoft chairman Bill Gates.
The software maker’s last major OS release was XP, in 2001. Since then, Microsoft has pushed increasingly into the security market, releasing its first stand-alone antivirus offering in June. It now competes head-on with Symantec, which makes the bulk of its money selling its proprietary antivirus software.
Friedrichs said Symantec had alerted Microsoft to its findings prior to releasing its security report.