Microsoft claims, "Windows Vista is engineered to be the most secure version of Windows yet." Security is so important to Vista that it is listed near the top of the 12 features advertised to users, second only to "User Experience." Microsoft is even publishing books on its internal practices, such as The Security Development Lifecycle by Michael Howard and Steve Lipner; Hunting Security Bugs by Tom Gallagher et al.; and The Practical Guide to Defect Prevention by Marc McDonald et al. What will be the net effect of this focus on security?

The single most important aspect of Vista from a security standpoint may be the introduction of User Account Control. In a nutshell, users are not given administrative privileges by default. They will not be allowed to install software without elevating their privileges, something centralized IT shops will probably not enable. If a user can't install software, neither can a malicious "drive-by download." This feature will limit the effectiveness of client-side attacks against patched Vista systems, although privilege-escalation zero-day attacks will still cause havoc.

Internet Explorer 7, now also available for Windows XP SP2, will be the default Web browser and will better withstand client-side attacks. Vista's integration of Windows Defender, an antimalware service, will also help. On the network side, Vista ships with an improved version of the Windows Firewall popularized by Windows XP SP2. Vista also sports hardened versions of its exposed network services, further decreasing opportunities for remote attack. Next to these security enhancements, certain new features of Vista may be worrisome.
Vista introduces Microsoft's Next Generation TCP/IP Stack, a "complete redesign of TCP/IP functionality for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)." The first issue with the stack is its newness: code written from scratch isn't necessarily better than old code, assuming the old code has been subjected to attacks and subsequently fixed to withstand them. A new TCP/IP stack may introduce vulnerabilities, permitting specially crafted packets to crash or compromise Vista.

Vista ships with IPv6 enabled by default. IP Security (IPSec) is a mandatory component of any IPv6 stack, but IPv6 doesn't require activating IPSec. Therefore, any "security enhancements" of IPv6 are not likely to be deployed in production. IPSec on IPv6 is as complicated to operate as it is on IPv4, and complexity results in misconfiguration and exposure.

Beyond issues with IPSec, IPv6 leverages a set of new Internet Control Message Protocol Version 6 (ICMPv6) neighbor discovery messages. IPv6 relies heavily on ICMPv6, so paranoid security administrators comfortable with blocking ICMP everywhere will find that model no longer tenable with IPv6. Network administrators will need to be trained to understand IPv6, and system administrators will have to understand how to properly configure IPv6-enabled hosts. Unfamiliarity will breed misconfiguration, opening holes that could be exploited.

The biggest security problem with Windows Vista will probably not involve the operating system at all. Rather, third-party applications and drivers will continue to be the bane of Microsoft's existence. Security researchers often report that it's becoming increasingly difficult to find vulnerabilities in the core Microsoft operating system components. That experience won't keep legitimate researchers and underground criminals from finding holes in Vista. However, it's far more likely that applications loaded on Vista will continue to be problematic.
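To make the "you can no longer block all ICMP" point concrete, here is an added example (not code from the original article, Microsoft, or any Vista component) of the decision a host or border filter has to make per ICMPv6 message. It parses a constructed Neighbor Solicitation from raw bytes, verifies the RFC 4443 checksum over the IPv6 pseudo-header, and allows only the error and neighbor-discovery types IPv6 cannot operate without, dropping Redirect by default. The allow list and the sample packet are assumptions made for the example, not a statement of the Windows Firewall's own rules.

```python
import struct
import ipaddress

# ICMPv6 types an IPv6 host cannot function without: the RFC 4443 error
# messages (Packet Too Big drives path MTU discovery, since IPv6 routers do
# not fragment) and the neighbor discovery messages that replace ARP. Echo is
# included because dropping it buys nothing and breaks troubleshooting.
ALLOW = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}
# Redirect lets any on-link sender rewrite a host's next hop; drop it unless
# every neighbor on the link is trusted. Anything unlisted is dropped too.
DROP = {137: "Redirect"}

ICMPV6_NEXT_HEADER = 58


def icmpv6_checksum(src, dst, message):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6
    message, with the message's own checksum field zeroed (RFC 4443 s2.3)."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6(src, dst, msg_type, code, body):
    """Assemble a checksummed ICMPv6 message; used here only to build sample input."""
    zeroed = struct.pack("!BBH", msg_type, code, 0) + body
    csum = icmpv6_checksum(src, dst, zeroed)
    return struct.pack("!BBH", msg_type, code, csum) + body


def classify(src, dst, message):
    """Return ('allow'|'drop', reason) for one ICMPv6 message from src to dst."""
    if len(message) < 4:
        return "drop", "truncated header"
    msg_type, code, received = struct.unpack("!BBH", message[:4])
    expected = icmpv6_checksum(src, dst, message[:2] + b"\x00\x00" + message[4:])
    if received != expected:
        return "drop", "bad checksum"
    if msg_type in ALLOW:
        return "allow", ALLOW[msg_type]
    if msg_type in DROP:
        return "drop", DROP[msg_type]
    return "drop", "unlisted type %d" % msg_type


# Constructed sample traffic (hypothetical addresses and MAC): a Neighbor
# Solicitation for fe80::2 sent to its solicited-node multicast address, with a
# source link-layer address option, plus a Redirect from the same sender.
SRC = "fe80::1"
TARGET = "fe80::2"
DST = "ff02::1:ff00:2"
NS_BODY = (b"\x00\x00\x00\x00"                               # reserved
           + ipaddress.IPv6Address(TARGET).packed             # target address
           + b"\x01\x01" + bytes.fromhex("00163e000001"))     # option 1, len 1, MAC
NEIGHBOR_SOLICITATION = build_icmpv6(SRC, DST, 135, 0, NS_BODY)
REDIRECT = build_icmpv6(SRC, TARGET, 137, 0, b"\x00" * 36)


def demo():
    tampered = NEIGHBOR_SOLICITATION[:-1] + b"\xff"   # flip the last MAC byte
    return {
        "neighbor_solicitation": classify(SRC, DST, NEIGHBOR_SOLICITATION),
        "redirect": classify(SRC, TARGET, REDIRECT),
        "tampered": classify(SRC, DST, tampered),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s (%s)" % (name, verdict[0], verdict[1]))
```

The checksum step matters in practice: a filter that keys on the type byte alone can be steered by garbage that the receiving stack would discard anyway, so verify before you classify.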
Third-party programs are not kept up to date by a centralized mechanism like Microsoft Update, which handles the operating system and Microsoft products like Office. In this respect, Windows is about a decade behind an operating system like FreeBSD, an open-source UNIX-like OS that lets administrators manage all installed packages with a single set of tools. These tools report on new versions and also automatically notify administrators when installed packages suffer security problems, regardless of who wrote the software. Microsoft will need to introduce this sort of capability to keep the variety of Flash players, Adobe readers, chat clients and other third-party applications up to date.

The best patch for Windows XP is Vista. However, improvements in core OS components will not prevent continuous attacks on applications running on Vista.

Richard Bejtlich is a security consultant and instructor. He blogs regularly on Microsoft at TaoSecurity.com.
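The third-party patch audit described above (the job FreeBSD's portaudit did for the ports tree) reduces to matching an installed-package inventory against an advisory feed that lists affected version ranges. The following is an added example, not code from the article or from FreeBSD: the inventory, the advisory feed, the package names and the advisory IDs are all constructed placeholders, not real software or real vulnerabilities. It uses the same "greater-or-equal / less-than" range shape that FreeBSD's VuXML uses, which is what lets one tool cover software from any vendor.

```python
import re

# Constructed inventory of third-party packages on one host (hypothetical names).
INSTALLED = {
    "examplereader": "7.0.8",
    "chatclient": "2.1.0",
    "flashplugin": "9.0.16",
    "imagelib": "1.2.12",
}

# Constructed advisory feed: package name plus one or more affected version
# ranges ("ge" inclusive lower bound, "lt" exclusive upper bound) and the first
# fixed release. IDs and packages are hypothetical, not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-2006-0001", "package": "examplereader",
     "affected": [{"ge": "7.0", "lt": "7.0.9"}], "fixed_in": "7.0.9"},
    {"id": "EXAMPLE-2006-0002", "package": "chatclient",
     "affected": [{"lt": "2.0.5"}], "fixed_in": "2.0.5"},
    {"id": "EXAMPLE-2006-0003", "package": "imagelib",
     "affected": [{"lt": "1.2.13"}], "fixed_in": "1.2.13"},
]


def version_key(version, width=4):
    """Dotted numeric version -> fixed-width tuple, so 9.0 == 9.0.0 and 9.0.1 > 9.0.
    Assumes purely numeric components; vendor suffixes like 'b' are ignored."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple((nums + [0] * width)[:width])


def in_range(version, affected):
    """True when version falls inside one affected range."""
    key = version_key(version)
    if "ge" in affected and key < version_key(affected["ge"]):
        return False
    if "lt" in affected and key >= version_key(affected["lt"]):
        return False
    return True


def audit(installed, advisories):
    """Return (package, version, advisory id, fixed_in) for every installed
    package that matches an advisory, in package-name order."""
    findings = []
    for package, version in sorted(installed.items()):
        for adv in advisories:
            if adv["package"] != package:
                continue
            if any(in_range(version, r) for r in adv["affected"]):
                findings.append((package, version, adv["id"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for package, version, adv_id, fixed in audit(INSTALLED, ADVISORIES):
        print("%s-%s is affected by %s; upgrade to %s" % (package, version, adv_id, fixed))
```

The hard part in real deployments is not this loop but the inventory: on Windows of this era there is no single registry of what is installed at what version, which is exactly the gap the article says Microsoft needs to close.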