Q&A: Microsoft's Fathi OK with number of Vista bugs so far

IDG News Service - SAN FRANCISCO -- Ben Fathi no longer runs Microsoft Corp.'s security technology unit. But in his new job as corporate vice president of development at Microsoft's Windows core operating system division, Fathi is still focused on keeping the bad guys away from your PC. Fathi is in charge of building the guts of Windows: its kernel, and technologies associated with security, networking and other aspects of the operating system. At last week's RSA Conference 2007 here, Fathi spoke with the IDG News Service about Windows security. And despite the fact that the first bugs are being reported in Windows Vista, he said it looks like the new client OS is on track to meet his stated goal of Vista having half the flaws that plagued Windows XP during its first year. Excerpts from the interview follow:

What's going to be the big security story this year? What we've done in previous OS releases and Vista, and what our security partners are doing, has treated security as a defensive measure. It's a way of stopping people from attacking you. What we want to do now is move to a world where we actually enable and simplify collaboration between different individuals by making sure that those connections are end-to-end, [and] that you can provide very fine-grained control over the people, the applications and the resources that you give access to.

So what are you doing to make that happen? There's a number of things we're working on. For example, isolation. We [currently] look at isolation in terms of network isolation, whether it's IPsec or putting in firewalls or SSL VPNs. What we want to do is provide a better layer of isolation at the operating system level. We're looking at putting hypervisors underneath the operating system and building a hardware root of trust on the machine.

What that means is that today, if a rootkit makes it onto your machine, it can do a hyperjacking. It can take over the OS, or it can even get underneath the OS so that any software you're running won't even know that it's being lied to by a piece of malware. What we want to do is put the hypervisor there and use things like the [Trusted Platform Module] chip to make sure that the entire boot path is protected and secure and that we can trust it.

This also gives you the ability to create isolation by creating partitions on the machine. Let's say you're running a server. If you consolidate your server