Next week I'll be attending the annual security professional/hacker summit known as Black Hat
, and this year Microsoft has one programming track dedicated to itself, discussing the security enhancements expected in next year's Windows Vista release. Given the schedule delays and the absence of a pending major software product release, Microsoft is sending its project managers into the field in full force to talk--at length--about the expected security enhancements within Internet Explorer 7, Windows Vista, and Office 2007. It's as if the more Microsoft says its new software will be secure, the more likely you'll believe it's true. Lately my Microsoft spin-detection meter has been operating well into the red.
OneCare, or not
One product that did ship on time is Windows Live OneCare, yet I thought the final release fell far short of expectations. Microsoft's spin patrol disagreed and asked that I not compare OneCare to McAfee's Falcon project (now known as McAfee Total Protection) or to the beta of Symantec's Norton 360, expected shortly. Microsoft says OneCare contains the tools that its customers have asked for--antivirus, firewall, and antispyware protection, plus a backup utility--and that the company has delivered on that promise. But Microsoft itself set the bar pretty high more than one year ago, suggesting that OneCare was to be a complete IT department for your home PC.
What a difference a year makes. Rising to the challenge of building a complete IT department for your PC, McAfee ditched its usual security software offerings and will instead present McAfee Total Protection in the fall. In addition to antivirus, firewall, antispam, and antispyware protection, the beta McAfee Total Protection includes home network managers, file shredders, and online backup options--more tools than you currently get from Microsoft's product. Even security newcomer AOL with its own all-in-one security and performance package, named AOL Total Care and currently in beta, bests OneCare by offering a more complete suite of diagnostic tools for your PC.
IE 7 for everyone … except you and you
After OneCare, Microsoft has no major paid consumer product releases scheduled for the rest of 2006. So the company now wants to migrate everyone--forcibly--to Windows XP by the end of the year. One way is to convince everyone to adopt Internet Explorer 7 when it becomes available in the fall, and this past week, the software giant announced IE 7 would be offered as a "high-priority update" via Automatic Updates. What Microsoft isn't saying is that only Windows XP SP2 customers will automatically receive IE 7 when it ships.
After OneCare, Microsoft has no major paid consumer product releases scheduled for the rest of 2006. So Microsoft now wants to migrate everyone (albeit forcibly) to Windows XP by the end of the year.
There are currently some 70 million people still using Windows 98 SE and Me, and many large businesses still use Windows 2000. Unfortunately, in order to get the latest security enhancements in IE 7, these customers will need to upgrade to Windows XP SP2 first. Microsoft will no longer support new versions of IE for legacy operating systems and, as of July 2006, won't issue new security patches for Windows 98 or Me systems; that's another way Microsoft wants to migrate people to XP SP2. As of October 2006, Microsoft won't be patching Windows XP SP1 systems either. But upgrading may not be a viable option for someone who has very old hardware--hardware that accesses the Internet just fine using Windows 98. For them, I say check out the relatively secure Firefox 1.5 browser.
All the talk in the world isn't going to erase Microsoft's lackluster security legacy from the public's mind. Actions will. Unless we see a dramatic decline next year in vulnerabilities affecting IE 7 and Vista, all this talk will be for nothing.
And, yet, a much more secure version of Internet Explorer 7, known as Internet Explorer 7+, won't be available until Windows Vista, which you'll also have to buy, ships sometime next year. The Vista-embedded browser will offer the infamous IE 7 protected mode ("what happens in IE 7+ stays in IE 7+") and an ActiveX opt-in console, where whole classes of ActiveX technology will be disabled by default, among other security enhancements missing from the XP version. IE 7 was to have been only bundled within Vista, but then Vista got delayed and Firefox was becoming incredibly popular, so Microsoft split the browser into two development teams. Why they don't just rename the browser embedded within Vista IE 8 is beyond me.
Vista security flaws already?
While Windows Vista promises to be one of the most thoroughly tested operating systems Microsoft has ever released, security researchers at rival Symantec have so far published two white papers detailing scores of vulnerabilities within the new operating system. To be fair, Symantec does say at the very end of their reports that almost all of the vulnerabilities have been patched in the public Beta 1 build available since June. But the sheer number of vulnerabilities found by Symantec doesn't bode well for Microsoft, which states that every line of code in Vista has to meet rigorous "trustworthiness" testing before being included. I guess the trustworthiness testing isn't so rigorous if a third-party security vendor can quickly find the holes. Imagine what a dedicated criminal hacker might do.
At the core of Vista's security model is the protected system kernel. Drivers and other applications that have traditionally altered the system kernel in Windows are now locked out. That sounds really good--and it'll certainly cut down on the Blue Screen of Death instances--but security vendor Agnitum released a report stating that Microsoft's kernel hardening in Vista will actually make the operating system less secure, in part because third-party security apps will no longer be able to work within the kernel.
My point is that if someone has to tell me over and over how great they are, chances are they're probably not that great to begin with. Microsoft's image has been sullied over the years because the company remains slow to patch, slow to respond to new vulnerabilities, and slow to truly innovate its software (IE 7 is just now adding tabbed browsing). Microsoft did this to itself, and all the talk in the world won't erase the company's lackluster security legacy from the public's mind. Actions will. Unless we see a dramatic decline next year in vulnerabilities affecting IE 7 and Vista, all this talk will be for nothing.
As for my time at Black Hat, I'm going to check out the competition. A few presenters will talk about new methods the criminal hackers might use to attack this "secure" Windows Vista universe. Note to Microsoft: Not everyone shares your rosy view of the world, so I hope some of you put down the bullhorn and check out the other presenters. You might learn something. How long do you think Microsoft will go without a major security flaw after the final version of Windows Vista? Talk back to me.