Vista Avoiding Bugs, Microsoft Exec Claims

SAN FRANCISCO -- Ben Fathi is corporate vice president of development in Microsoft Corp.’s Windows core operating system division. In an interview with IDG News Service at the RSA Conference 2007 here this month, Fathi discussed Microsoft’s operating system security plans and the number of bugs being found in Windows Vista. Excerpts follow:

What’s going to be the big security story this year? What we’ve done in previous OS releases and in Vista, and what our security partners are doing, has treated security as a defensive measure. It’s a way of stopping people from attacking you. What we want to do now is move to a world where we enable and simplify collaboration between different individuals by making sure that those connections are end to end, [and] that you can provide very fine-grained control over the people, the applications and the resources that you give access to.

Ben Fathi

Ben FathiSo, what are you doing to make that happen? There’s a number of things we’re working on. For example, isolation. We [currently] look at isolation in terms of network isolation, whether it’s IPsec or putting in firewalls or SSL VPNs. What we want to do is provide a better layer of isolation at the operating system level. We’re looking at putting hypervisors underneath the operating system and building a hardware root of trust on the machine.

What that means is that today, if a rootkit makes it onto your machine, it can do a hyperjacking. It can take over the OS, or it can even get underneath the OS so that any software you’re running won’t know that it’s being lied to by a piece of malware. What we want to do is put the hypervisor there and use things like the [Trusted Platform Module] chip to make sure that the entire boot path is protected and secure and that we can trust it.

Are you surprised by the number of Vista bugs that have been reported since the launch? I made a statement six or nine months ago that I would like to see half as many vulnerabilities as Windows XP [had] in the first year. Obviously, I’d like less than that — I’d be happy with zero. But I think it’s reasonable to say, given the additional complexity and the additional size of Vista, that half as many would be a great goal. Am I surprised with the number [so far]? No, I think it’s been a relatively small number of vulnerabilities in the three months we’ve been out.

And given the fact that we proactively went out to the Black Hat conference [last August] and handed out copies, and that a couple million people have been using Vista in test versions for the past year or so, that tells me there are already hackers out there trying to attack it. So given that there are less than a handful of vulnerabilities discovered, I think that’s good progress.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon