by Sean Gallagher

So much for “More Secure”

analysis
Oct 10, 2007

There has been a lot said about how much more secure Microsoft Windows Vista is than its predecessors, thanks to its better security features. Security researchers who were invited to Redmond for this year's Blue Hat security event talked up how much better Vista was; one researcher even called it "arguably the most secure closed-source OS available on the market". A back-handed compliment, to be sure, but still a compliment.

But with all this security, and all of the much-ballyhoo’d improved software quality in Vista, why is it that there were six new patches today that affected Vista?

To be fair, only one of these – a Windows RPC vulnerability in the networking authentication service – is an actual operating system bug. It affects every version of Windows back to Windows 2000 SP4. And that’s the source of the problem – the RPC is there for backward compatibility with the NTLM networking security provider. For those of you who don’t remember, NTLM stands for Windows NT LAN Manager, the successor to Microsoft LAN Manager, which originally shipped on Microsoft OS/2. The NTLM authentication service hasn’t significantly changed in over 10 years because of the need for backward compatibility.

Some other patches were tangentially OS-related. Three were for software that ships with the operating system: the Kodak Image Viewer, Windows Mail (and Outlook Express on older versions of the OS), and Internet Explorer. All three of these were critical fixes that addressed potential remote code execution – the Internet Explorer patch fixed four such holes.

In the case of Windows Mail, it was a Network News Transfer Protocol exploit – probably the oldest Internet application protocol supported by default in Windows. The IE vulnerabilities were in relatively well-known areas as well – file downloads and URL navigation. And the vulnerabilities were applicable to all of Microsoft’s currently supported operating systems.

So, despite the fact that Vista stops me every time I click an administrative tool, dramatically darkens my screen and asks me if I really meant to do that, vulnerabilities that have existed in at least the last two versions of Windows–if not the last three or four–managed to find their way into Vista despite the Security Development Lifecycle and thousands upon thousands of hours of software testing. The rate of patches has slowed some–60 so far this year, versus 65 by this time last year–but not significantly, and the majority have affected Vista as much as earlier operating systems.

This is not to say that Vista hasn’t fixed a lot of potential security problems. But given the number it didn’t fix, it might at least not annoy the hell out of me so much when I launch something useful from its own user interface. And it’s disingenuous to suggest that Vista’s code is any cleaner than that of previous operating systems that have suffered the test of time and assault, just because it followed some sort of new software methodology. The fact is, because Vista is new, yet carries so much old Windows OS baggage with it, Vista will be getting patched as frequently as XP was for some time.