Microsoft's Message on Vista Security

Ballmer & Co. say their new operating system will go far to protect computers from threats, but malware writers are sure to put Vista to the test

By Catherine Holahan

Microsoft (MSFT) is heralding the launch of its new operating system, Vista, as a "new day for business." It better be, say the legions of Microsoft users who remember all too well days past, when malicious code writers relentlessly, and successfully, attacked the company's popular products. They brazenly created bugs that tore through security holes in Microsoft's operating system and Internet browser, taunting Chairman Bill Gates with messages such as, "Billy Gates why do you make this possible? Stop making money and fix your software!"

With Vista, Microsoft hopes it can do both. Microsoft designed Vista with security at the forefront, going so far as to challenge top security professionals in August to find flaws. Several vulnerabilities were exposed as a result, and Microsoft execs promised fixes (see BusinessWeek, 8/21/06, "Heading Off the Hackers").

Incubation Delays

The consumer version of Vista has been delayed several weeks, until January, in part to give Microsoft time to ensure that the security features are easy to manage (see, 3/21/06, "Microsoft's Receding Vista"). "You need to give new technology time to incubate," Microsoft Chief Executive Steve Ballmer said at the Nov. 30 global launch of Vista's business product, explaining why the operating system took so long to debut. He added that five million test versions of Vista were downloaded.

Security was a key theme of the highly publicized launch of Windows Vista and 2007 Microsoft Office at the Nasdaq in New York's Times Square. Two of the four critical areas stressed by Ballmer during the press conference focused on security: guarding the system from hackers and viruses and providing tools to prevent data from ending up in the wrong hands. (The other two areas centered on enabling users to collaborate more easily in a borderless work environment and helping locate documents more easily.)

Vouching for Vista

Ballmer took pains during the event to establish Vista's security bona fides. He brought on stage Verizon (VZ) Chief Information Officer Shaygan Kheradpir to discuss how the telecommunications company has implemented Vista's security features. Kheradpir discussed the benefits of Vista's BitLocker Drive Encryption at length, explaining how the new operating system quickly encrypts data, making it more efficient to secure data from outsiders, and allows users to better manage access to information by preventing messages from being viewed or printed by employees who don't have access. "The security infrastructure makes us a lot less worried," said Kheradpir. "You have done a quantum leap with security and privacy."

How much of a difference Vista really makes when it comes to security remains to be seen. Early on, security software makers Symantec (SYMC) and McAfee (MFE) complained that, by blocking access to the code at the core of its system, Microsoft was rendering its software incapable of receiving sufficient outside protection and leaving it more vulnerable to attack (see, 10/3/06, "McAfee and Symantec Confront Microsoft"). Microsoft has since offered to cooperate and the companies have both tempered their criticism. "They have committed to working with us," says McAfee spokeswoman Siobhan McDermott. She says Microsoft has shown some of its sensitive code to McAfee and the company is "cautiously optimistic" that it will get to review the operating system's core.

During a Nov. 29 press call highlighting what it expects to be the biggest security threats in 2007, David Marcus, McAfee's security research and communications manager, even offered some slight praise, calling Microsoft's efforts with Vista "a step in the right direction." However, he stressed that the system is likely to become a bull's-eye for malware writers in the future due to its inevitable prevalence and new emphasis on security. "You will probably see a short-term lull in malware that targets Vista…a six-month, seven-month, eight-month lull and then you will probably see an uptick [of viruses] at the end of 2007."

Hacker Magnet

Alfred Huger, Symantec's senior director of engineering, echoes the concerns. Though he has not yet seen viruses attacking Vista, Huger believes hackers and security researchers will both devote more attention to the operating system as it develops a critical mass. Marcus said McAfee has seen a few "proof of concept" viruses intended to attack Vista.

Critics will undoubtedly assume Symantec and McAfee's concerns with Vista have more to do with their desire to continue supplying security software to the millions of Americans who use Windows and will, at some point, likely upgrade to Vista. Microsoft has put that business in some jeopardy with its foray into the security software business this summer (see, 6/1/06, "Microsoft Sweeps Into Security"). And, clearly, their business interest in Vista demands that they zero in on possible flaws. However, the sheer dominance of Microsoft products has traditionally made its software a favorite target of malicious code writers.

It is unlikely that its new flagship product, which Ballmer boasts is "the biggest launch in the company's history," will be any less of a flashpoint for hackers. "It is impossible to have something as large as Vista and not have security problems with it," says Huger, adding that the company has reviewed Vista and reported several security issues to Microsoft. "At some point it becomes a question of math, if it is that big there will be vulnerabilities."

Both Symantec and McAfee individually stress that their security products are compatible with Vista, in spite of only recently having access to some of the system's more crucial code. They maintain that, no matter how much more secure Vista may be in comparison to earlier operating systems, it is still not invincible. "It is important to keep this in perspective," says Huger. "Vista takes Windows to where a lot of Unix operating systems have been for years. It takes them to where they should be. It is not, in and of itself, a security product."
