The BBC reports that a senior Microsoft executive has promised that its new operating system will be more secure than ever.
Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista.
I think Microsoft should be applauded for their relatively recent commitment to the subject of security in their products particularly given their laissez-faire attitude to it up until a few years ago. But Microsoft promised the same thing about their previous Operating System release and Windows XP proved to be their least secure system ever until they beefed up the security with the Service Pack 2.
The thing about software security though is that it’s effectiveness can only be judged in retrospect because modern software is now so complicated particularly operating systems that the process used to create it inevitably introduces bugs and security holes.
So the Microsoft engineers may well have patched all the security flaws that had been exposed through previous releases and the testing of this release of Windows Vista, but there will no doubt be new holes that have been inadvertantly created that no one has even conceived of yet.
One such newly introduced security hole has been discovered by researcher Joanna Rutkowska and it’s a biggie. She describes it a blue pill a reference to the movie The Matrix and would allow a malicious hacker to completely compromise a system and the user would have no indication at all that their syetm had been compromised.
Rutkowska’s Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality. She characterized her approaches as “legal,” using documented SDK features.
As she says it did not rely on any known bug within Windows Vista so who knows what other security problems might have been engineered into the operating system that haven’t yet been uncovered by Microsoft’s own testers or by third party researchers.
