Q&A: Microsoft's Fathi OK with number of Vista bugs so far

Windows development chief says 'less than a handful' of flaws have been found in new OS

SAN FRANCISCO -- Ben Fathi no longer runs Microsoft Corp.'s security technology unit. But in his new job as corporate vice president of development at Microsoft's Windows core operating system division, Fathi is still focused on keeping the bad guys away from your PC. Fathi is in charge of building the guts of Windows: its kernel, and technologies associated with security, networking and other aspects of the operating system. At last week's RSA Conference 2007 here, Fathi spoke with the IDG News Service about Windows security. And despite the fact that the first bugs are being reported in Windows Vista, he said it looks like the new client OS is on track to meet his stated goal of Vista having half the flaws that plagued Windows XP during its first year. Excerpts from the interview follow:

What's going to be the big security story this year? What we've done in previous OS releases and Vista, and what our security partners are doing, has treated security as a defensive measure. It's a way of stopping people from attacking you. What we want to do now is move to a world where we actually enable and simplify collaboration between different individuals by making sure that those connections are end-to-end, [and] that you can provide very fine-grained control over the people, the applications and the resources that you give access to.

So what are you doing to make that happen? There's a number of things we're working on. For example, isolation. We [currently] look at isolation in terms of network isolation, whether it's IPsec or putting in firewalls or SSL VPNs. What we want to do is provide a better layer of isolation at the operating system level. We're looking at putting hypervisors underneath the operating system and building a hardware root of trust on the machine.

What that means is that today, if a rootkit makes it onto your machine, it can do a hyperjacking. It can take over the OS, or it can even get underneath the OS so that any software you're running won't even know that it's being lied to by a piece of malware. What we want to do is put the hypervisor there and use things like the [Trusted Platform Module] chip to make sure that the entire boot path is protected and secure and that we can trust it.

This also gives you the ability to create isolation by creating partitions on the machine. Let's say you're running a server. If you consolidate your server workloads onto a single big machine, you have a Web workload and a file server workload and a database workload. You want to protect that database workload because you're running your line-of-business apps on it. Just because somebody broke into your Web server doesn't mean they should be getting access to your database or your file server.

Are you surprised by the number of Vista bugs that have been reported since the launch? I made a statement six or nine months ago that I would like to see half as many vulnerabilities as XP [had] in the first year. Obviously, I'd like less than that -- I'd be happy with zero. But I think it's reasonable to say, given the additional complexity and the additional size of Vista, that half as many would be a great goal. Am I surprised with the number? No, I think it's been a relatively small number of vulnerabilities in the three months we've been out.

And given the fact that we proactively went out to the Black Hat conference [last August] and handed out copies of [Vista], and that a couple million people have been using Vista in test versions for the past year or so, that tells me there are already hackers out there that are trying to attack it. So given that there are less than a handful of vulnerabilities discovered, I think that's good progress.

And you're on track to meet that goal of having half as many bugs? I think so. Ask me again in six months.

Related Articles and Opinion

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon