These Vista security enhancements may have raised the bar, but at what cost?
The security aspects of the operating system have been improved at the price of complexity and in some respects changed for the sake of change - causing what is known as “code bloat.” Simply, there are just too many lines of code!
Gartner has been quoted as saying that “Microsoft will be forced to migrate Windows to a modular architecture tied together through hardware-supported virtualisation.”
"The current, integrated architecture of Microsoft Windows is unsustainable - for enterprises and for Microsoft," according to Gartner analysts Brian Gammage, Michael Silver and David Mitchell Smith.
According to Gartner, Vista will be the last version of Windows that exists in its current monolithic form. Hence, in the author's opinion, one has to question any decision to migrate to an operating system that, even prior to full public release, has already been deemed unsustainable and that may itself quickly become obsolete, as it will be forced to go through yet another significant change in the form of virtualisation, perhaps as early as 2008 or 2009.
With respect to the size of Microsoft Vista in terms of code bloat, it has been estimated that Vista has pushed the operating system to 50,000,000 lines of code or more.
Many experts have claimed that there is a relationship between the number of lines of code in a given program and the number of expected bugs – vulnerabilities. In reality, there are several considerations that make this analogy too complex for generalisations.
The number of predicted vulnerabilities must also take into account the programming language used, the quality assurance practices in use and the level of testing afforded.
While many dispute the analogy of the number of lines of code equating in some manner to the number of vulnerabilities, no one can dispute the fact that, to date, each new Windows release has brought an increase in the number of lines of code as well as in the number of reported vulnerabilities.
Historical vulnerability statistics for Windows NT 4.0 (16,000,000 lines of code), Windows 2000 Professional (29,000,000 lines of code) and Windows XP Pro (40,000,000 lines of code) are detailed below:
When Windows 2000 Professional was initially released we were told it was more secure than its predecessor, Windows NT 4.0, yet Windows 2000 Professional has historically had 5 times the number of reported vulnerabilities as Windows NT 4.0!
When Windows XP Professional was released we were told that it would be more secure than Windows 2000 Professional, yet Windows XP had significantly more reported vulnerabilities than Windows 2000 Professional.
Is it any wonder that users are skeptical of the claims by Microsoft that Windows Vista will be more secure than Windows XP?
Vista will need all the help it can get from its security enhancements; using historical studies, Vista’s 50,000,000 lines of code are poised to contain over one million bugs: “a typical commercial, closed source program has between twenty and thirty bugs per thousand lines of code,” according to a study conducted by Carnegie Mellon University’s CyLab.
In a May 2006 survey of executives that have tested Windows Vista, 44 percent found Vista was too large, slow and memory hungry.
Will Microsoft Vista reduce the need for third party security products?
If you believe the marketing hype and some of the statements by Microsoft executives, you might think so:
On November 9, 2006, Microsoft’s Jim Allchin, while touting the new security features of Microsoft Vista, told a reporter that the system's new lockdown features are so capable and thorough that he was comfortable with his own seven-year-old son using Vista without antivirus software installed.
Microsoft Vista actually has a greater need for third party security products than previous Windows versions.
In reality, Microsoft Vista is poised to see a higher number of vulnerabilities earlier in its life than previous Microsoft products.
"We're probably going to see a higher initial rate of reported vulnerabilities to us than with previous versions of our products, given the early view researchers have had into Vista," said Stephen Toulouse, senior product manager with Microsoft's security technology group.
Several factors beyond the early view given to researchers will contribute to the rapid vulnerability development for Microsoft Vista:
• The user’s ability to override Vista security and run a rogue or untrusted application at an elevated privilege or kernel level poses a significant risk that will remain unmitigated in the Vista 32-bit version.
A secure operating system should be able to contain and mitigate the actions of rogue software. Having a UAC that allows you to point the finger of blame at the foolish user is not an acceptable solution to the issue – a better operating system is.
• Hacking tools have evolved at a faster rate than most vendor security initiatives. One only has to look at the state of “fuzzing” technology: fuzzing programs provide an automated replacement for the normal input and interfaces of a given protocol or application.
This automated “replacement” input is computer generated, ambiguous and random in nature. By design a Fuzzer automatically seeks to cause abnormal behaviour in the protocol or application. The abnormal behaviour is indicative of a software bug and can be further tested to determine if the bug is exploitable.
The use of these automated fuzzing tools by the research community to discover bugs and enable them to then create exploitable vulnerabilities has clearly outpaced software developers’ security initiatives.
• 32-bit implementations of Microsoft Vista will be the most widely deployed and will lack many of the key security mechanisms found in the 64-bit versions. Hence, the largest part of the installed base will be the most vulnerable.
Consumers will regard a vulnerability in the 32-bit version as a black mark against the Vista product even if the 64-bit version would have been capable of mitigating the threat. Microsoft will not be able to hide behind the capabilities of the 64-bit version when vulnerabilities arise in the 32-bit version.
• In order to meet the constraints of operating on Microsoft Vista, many third-party applications will require major software revisions. One only has to look at the lack of security products that are able to work with Microsoft Vista to grasp the enormity of the problem.
Further, in the broader market of business software, because of the fluid and ever-changing requirements of writing software that is fully compatible with Vista, many vendors have not yet made the commitment to support the 64-bit version.
• While Microsoft Vista does address spyware and known malware to a limited degree, it does not address the spam problem that Bill Gates in 2004 promised would end in two years, nor does it in any way address today’s fastest growing threat - the data-leakage issue that is fueling identity theft.
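The fuzzing approach described in the list above, shown from the developer's side as an added example that is not part of the original article: a small mutation fuzzer run against a constructed record parser, once with a missing bounds check and once hardened. The record format and all names here are assumptions made for illustration.

```python
import random

class ParseError(ValueError):
    """Clean, expected rejection of malformed input."""

# Constructed record format: type byte, length byte, payload, checksum byte.
SEED = bytes([1, 4]) + b"DATA" + bytes([sum(b"DATA") & 0xFF])

def parse_buggy(data: bytes) -> bytes:
    if len(data) < 2:
        raise ParseError("short header")
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]  # BUG: length field trusted, no bounds check
    if sum(payload) & 0xFF != checksum:
        raise ParseError("bad checksum")
    return payload

def parse_hardened(data: bytes) -> bytes:
    if len(data) < 2:
        raise ParseError("short header")
    length = data[1]
    if len(data) < 3 + length:  # validate the length field against the input
        raise ParseError("length exceeds input")
    payload = data[2:2 + length]
    if sum(payload) & 0xFF != data[2 + length]:
        raise ParseError("bad checksum")
    return payload

def fuzz(parser, seed=SEED, iterations=2000, rng_seed=1):
    """Mutate the seed at random; return {exception name: first input that caused it}."""
    rng = random.Random(rng_seed)  # fixed seed so every finding is reproducible
    findings = {}
    for _ in range(iterations):
        sample = bytearray(seed)
        for _ in range(rng.randint(1, 3)):  # overwrite one to three bytes
            sample[rng.randrange(len(sample))] = rng.randrange(256)
        if rng.random() < 0.3:  # sometimes truncate the record
            del sample[rng.randrange(len(sample)):]
        try:
            parser(bytes(sample))
        except ParseError:
            pass  # graceful rejection is the intended behaviour
        except Exception as exc:  # anything else is the "abnormal behaviour"
            findings.setdefault(type(exc).__name__, bytes(sample))
    return findings

if __name__ == "__main__":
    print("buggy:   ", fuzz(parse_buggy))
    print("hardened:", fuzz(parse_hardened))
```

In Python the missing check surfaces as an `IndexError`; the same omission in C would be an out-of-bounds read, which is why the saved input is kept for triage and for a regression test once the check is added.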
Ultimately, the security enhancements in Microsoft Vista may make it capable of surviving more hits by malicious bullets than it was before, but by no means make your network bulletproof.
If you intend to run the Vista OS on your corporate desktops, consider that the security enhancements in the OS will drive hackers to further expand their application-layer and web-application attacks. Hence, gateway security at the application layer will be more important than ever in a Microsoft Vista environment.
Also, the difficulty of getting anti-virus or anti-malware products to work with Windows as third-party security products means that, in order to protect a Microsoft Vista network, malware will need to be detected on the wire and neutralised before it reaches the Microsoft Vista operating system.
The days of signature-based anti-virus, IDS and IPS products working at the kernel level of the Windows operating system are simply over.
Weak passwords still plague Windows under Microsoft Vista for the intranet and for remote users. Hackers will naturally shift their attacks to the weakest link, which will increase the need for stronger authentication.
Further, the lack of significant improvements in combating insider threats will still need to be addressed by third party solutions.
Identity and Access Management (IAM) will be a necessity in addressing the issues of weak passwords for remote and internal users and also provide a necessary additional layer of security for the required segmentation and access control within the intranet.
Despite the promise of Microsoft’s CEO Bill Gates in 2004 that “Spam will be a thing of the past in two years' time,” spam will not go away with Microsoft Vista’s security improvements.
In fact, social engineering is poised to increase via email and messaging as hackers probe for weak links to overcome any resistance imposed by new security enhancements in other attack vectors.
Hence, anti-spam bolstered with Reputation and Trusted Source capabilities as found in current generation messaging gateway security offerings will be a necessity within a Microsoft Vista environment to mitigate the expected increase in the respective threat.
The fastest growing crime in America today is identity theft, and it is being fueled by data leakage. Microsoft Vista in a 64-bit enterprise version offers a new feature called Trusted Platform Module (TPM) that provides for the storage of digital certificates, encryption keys and passwords on a hardware “chip” on the system motherboard.
The use of TPM to store encryption keys off the hard disk allows Vista to provide for the encryption of the entire hard disk, including the operating system and boot sector. Whole disk encryption is significantly more secure than traditional file or folder level encryption.
A weakness in file and folder level encryption is that the unencrypted portion of the hard drive can often contain clues as to the encryption key used to decrypt the file or folder.
Moving the encryption key to tamper-proof hardware on the motherboard and encrypting the entire hard drive eliminates the ability for a hacker to recover the encryption key from an unencrypted area of the hard drive.
While the use of TPM to encrypt an entire hard disk does a great job of addressing one popular attack vector in the mitigation of data leakage, the issue is that it is only available on the Enterprise version of Vista; hence it is simply not going to be installed on the typical desktop or laptop.
When one considers that 80 percent of the data formerly reserved for the enterprise’s protected servers is finding its way to individual desktops and laptops during the normal course of business, the scope of the issue can be fully realised.
Further, with respect to data leakage, Vista still does little to address the actions of a wayward insider. Simply put, outside of TPM, Microsoft Vista offers little in terms of risk mitigation to stem the tide in this growing issue. Microsoft’s Digital Rights Management (DRM) falls short of addressing the issue, as it does not provide the safety net for user error or intentional abuse by a wayward insider in rights assignment.
Paul Henry is vice president of technology evangelism at Secure Computing, a leading global provider of enterprise gateway security.