How I will judge Windows Vista Security

Before I get started, I want to point out this is my opinion, not necessarily anyone else’s viewpoint.

Now that we have shipped Windows Vista and researchers are starting to prod and probe for security bugs, I want to spend a couple of minutes to explain how I will judge Windows Vista security.

“Prodding and poking” started many, many months ago, in part because we asked people to take a look at the product at BlackHat 2006, but we also know there is a great deal of underground research happening too.

The security engineering effort applied to Windows Vista was staggering; I can’t begin to explain all the work we did. I stand by our view that Windows Vista is the most secure Windows we have released. And that translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows. 

Is Windows Vista perfect and utterly security bug free? Of course not! No software is bug free. Not even Macs or Linux :-)

My prediction for Windows Vista security bugs is pretty simple, and yes, I realize I am going out on a limb here. There will probably be a number of security bugs in the following months; I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months’ bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.

There might well be some “ouch” moments, when people in our group look at a bug and ask ourselves, “how on earth did we miss this?”

We will also see some bugs that are unique to Windows Vista. But I believe this number will be reasonably small.

There is one thing you will see that I’m not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation. The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play.

So here’s my prediction. We will see significantly fewer critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction in important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected.

Why am I making these claims? I know the SDL works, and we will continue to evolve SDL over time as we learn of new vulnerability types and new defenses, but Windows Vista is the first Windows to go through SDL from start to finish. We know that when you focus on something intensely, you can make a big difference.

I was asked recently what my favorite SDL task is that was used in Windows Vista. It’s hard to pick just one, but I was put on the spot, so I gave one: banned API removal and use of the Standard Annotation Language (SAL). OK, it’s two, but they are closely related. I was also asked for my favorite security feature in Windows Vista; again, it’s hard to pick one, but I would say it’s all the security work in IE7. We saw IE7 come through the Month of Browser Bugs unharmed, and so far only a very small number of vulnerabilities that affect IE6 SP2 affect IE7. The IE team did a great job.