Wed, Nov 12, 2008 20:47 EST

Vista's Slow Adoption Raises Security Concerns

Topic: Applications

Current Rating: Comments: 2

There seems to be no end to the news about Windows Vista and its slow adoption rate. The reasons often cited for the slow adoption rate include lack of new features, increased hardware requirements, reduced performance, early and positive marketing of Vista's successor, Windows 7, and, of course, cost. However, from the security viewpoint, the correctness of these reasons are irrelevent. All that matters is that Windows Vista is a new operating system that is not obtaining a large market share.

The problem is that Windows Vista is a complex system that contains a large amount of new code. Complexity and newness are always a security red flag. Figure 1 shows a typical pattern as how discovered vulnerabilities vary over the lifetime of a product. As a software product becomes popular, it becomes a bigger target for attacks. Continuing growth of the install base and success of previous attacks provides ongoing motivation for attackers to spend resources trying to find new attacks. Eventually, as the most obvious vulnerabilities are discovered and corrected, the rate of discovering new vulnerabilities slows to a point that the software can be patched faster than new vulnerabilities are discovered and the curve begins its downward swing.

But, if a system has an unusually slow adoption rate, the curve can become unpredictable. In particular, if a large percentage of users are delaying adoption, attackers can lose interest in searching for vulnerabilities and the curve can level off or even begin to drop. Then, as more users move to the new platform, it becomes a more attractive target and hence vulnerabilities are discovered at a faster rate and the curve begins its upward climb again.

Nothing in this analysis is specific to Vista, Microsoft, PCs, or operating systems. The security concern arises from the complexity of creating large systems and the market's desire for new functionality at the cost of security. At this time, it is impossible to predict when Vista will be relatively secure and ready for use in mission critical systems. In fact, if Vista does not see widespread adoption, it might not even be possible to retrospectively determine whether Vista ever reached a state of moderate security stability. Without the incentive of a widespread user base, there might never be enough motivation to attack Vista to be certain that it is secure.

While I cannot recommend for or against Vista in the long run, I think use of it in the immediate future should be for non-critical systems until it sees a longer and more serious adoption.

You do not have flash or javascript support.

Average (1 vote)

All Comments Comments

Fri, Nov 28, 2008 5:04 EST

Financial Incentives for Security Research for Vista

Posted by: Kevin Lam (IMPACTA)
Rating:

While I agree that the size of a target user base has an effect on the motivation of an attacker to attack one OS over another, when it comes to security research (actual discovery of security vulnerabilities, that are later used for attack) I think size of target user base plays less of a part.

For one, companies like iDefense and TippingPoint offer financial incentives to report exploits in popular operating systems like Vista. As a researcher myself, I've seen the security research game transition from a credibility building method to an actual revenue generation machine.

Lastly, you may see a drop in vulnerabilities in reported vulnerabilities for Vista and others, because Microsoft has significantly ramped up its security development/testing efforts internally -- so naturally there should be less and less vulnerabilities found externally. As a former full time employee on their security team, I can tell you this first hand. Also vulnerabilities found internally don't get reported which will affect the public facing reports.

Kevin

--
Kevin Lam
http://www.impactalabs.com
http://www.buildingsecurecode.com

You do not have flash or javascript support.

Reply to this comment | Post new comment | Report as spam

Tue, Dec 2, 2008 15:24 EST

Re: Financial Incentives for Security Research for Vista

Posted by: Smithline
Rating:

Kevin,

I unintentionally omitted discussing how the pay-for-hack market
affects the discovery and publicity of vulnerabilities. Even the
infamous WabiSabiLabi has announced that they will likely move from
an auction to a pay-for-hack model, further signifying the growth of
this market. Thank you for pointing this out.

That being said, I believe that the main motivators for successful
exploits is financial and political. All too often a successful
attack exploits a vulnerability that was found by a researcher and
frequently patched by the software producer – sometimes months
earlier – but still exists on many deployed machines. As perhaps
the most shocking recent example, consider the slow patching of DNS
code after Dan Kaminsky discovered and publicized a serious
cache-poisoning problem (more
details).

Regarding Microsoft's efforts to improve security... I think that
is great. They have to do that. Unfortunately, I think it is clear
that whatever the software producer does is not enough. While
Microsoft may not have taken security seriously throughout their
lifetime, they certainly have taken it seriously for several years.
Despite that, vulnerabilities are frequently found in their code.

Furthermore, problems such as the Kaminsky DNS cache poisoning
vulnerability demonstrate that vulnerabilities can exist for years
before being discovered. It is simply not reasonable to expect
security researchers to find every vulnerability, nor for software
companies to produce timely patches nor for users to install the
patches in a timely manner. Apple, for example, did not release a
patch the Kaminsky vulnerability until 24 days after it was publicly
announced. That was nearly three months after they were told about it
privately. By the time they released the patch exploits were already
publicly available.

In summary, there are certainly many factors determining
vulnerability detection. The pay-for-hack market is definitely among
them. So too is financial motivation for hackers which is related to the adoption rate. In other words, both the pay-for-hack market and the adoption rate affect vulnerability discovery.

Once again, thanks for the comment Kevin. I always enjoy having my
thoughts stretched,

Neil Smithline

Senior Security Consultant & Founder, OneStopAppSecurity.com

Security Blog:

You do not have flash or javascript support.

Reply to this comment | Post new comment | Report as spam

Post new comment

* Subject:

* Username:

* E-mail:

The content of this field is kept private and will not be shown publicly.

Homepage:

* Body:

Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <blockquote> <strike> <p> <br>
Lines and paragraphs break automatically.

More information about formatting options

Are you a person?: *