Apply today for a FREE subscription to CIO Magazine!
Wed, Nov 12, 2008 20:47 EST
Vista's Slow Adoption Raises Security Concerns
|
Posted by: Smithline in Best Practices Topic: Applications
Current Rating: |
There seems to be no end to the news about Windows Vista and its slow adoption rate. The reasons often cited for the slow adoption rate include lack of new features, increased hardware requirements, reduced performance, early and positive marketing of Vista's successor, Windows 7, and, of course, cost. However, from the security viewpoint, the correctness of these reasons are irrelevent. All that matters is that Windows Vista is a new operating system that is not obtaining a large market share.
The problem is that Windows Vista is a complex system that contains a large amount of new code. Complexity and newness are always a security red flag. Figure 1 shows a typical pattern as how discovered vulnerabilities vary over the lifetime of a product. As a software product becomes popular, it becomes a bigger target for attacks. Continuing growth of the install base and success of previous attacks provides ongoing motivation for attackers to spend resources trying to find new attacks. Eventually, as the most obvious vulnerabilities are discovered and corrected, the rate of discovering new vulnerabilities slows to a point that the software can be patched faster than new vulnerabilities are discovered and the curve begins its downward swing.
But, if a system has an unusually slow adoption rate, the curve can become unpredictable. In particular, if a large percentage of users are delaying adoption, attackers can lose interest in searching for vulnerabilities and the curve can level off or even begin to drop. Then, as more users move to the new platform, it becomes a more attractive target and hence vulnerabilities are discovered at a faster rate and the curve begins its upward climb again.
Nothing in this analysis is specific to Vista, Microsoft, PCs, or operating systems. The security concern arises from the complexity of creating large systems and the market's desire for new functionality at the cost of security. At this time, it is impossible to predict when Vista will be relatively secure and ready for use in mission critical systems. In fact, if Vista does not see widespread adoption, it might not even be possible to retrospectively determine whether Vista ever reached a state of moderate security stability. Without the incentive of a widespread user base, there might never be enough motivation to attack Vista to be certain that it is secure.
While I cannot recommend for or against Vista in the long run, I think use of it in the immediate future should be for non-critical systems until it sees a longer and more serious adoption.
microsoft, Microsoft Windows Vista, vista
While I agree that the size of a target user base has an effect on the motivation of an attacker to attack one OS over another, when it comes to security research (actual discovery of security vulnerabilities, that are later used for attack) I think size of target user base plays less of a part.
For one, companies like iDefense and TippingPoint offer financial incentives to report exploits in popular operating systems like Vista. As a researcher myself, I've seen the security research game transition from a credibility building method to an actual revenue generation machine.
Lastly, you may see a drop in vulnerabilities in reported vulnerabilities for Vista and others, because Microsoft has significantly ramped up its security development/testing efforts internally -- so naturally there should be less and less vulnerabilities found externally. As a former full time employee on their security team, I can tell you this first hand. Also vulnerabilities found internally don't get reported which will affect the public facing reports.
Kevin
--
Kevin Lam
http://www.impactalabs.com
http://www.buildingsecurecode.com
Kevin,
I unintentionally omitted discussing how the pay-for-hack market
affects the discovery and publicity of vulnerabilities. Even the
infamous WabiSabiLabi has announced that they will likely move from
an auction to a pay-for-hack model, further signifying the growth of
this market. Thank you for pointing this out.
That being said, I believe that the main motivators for successful
exploits is financial and political. All too often a successful
attack exploits a vulnerability that was found by a researcher and
frequently patched by the software producer – sometimes months
earlier – but still exists on many deployed machines. As perhaps
the most shocking recent example, consider the slow patching of DNS
code after Dan Kaminsky discovered and publicized a serious
cache-poisoning problem (more
details).
Regarding Microsoft's efforts to improve security... I think that
is great. They have to do that. Unfortunately, I think it is clear
that whatever the software producer does is not enough. While
Microsoft may not have taken security seriously throughout their
lifetime, they certainly have taken it seriously for several years.
Despite that, vulnerabilities are frequently found in their code.
Furthermore, problems such as the Kaminsky DNS cache poisoning
vulnerability demonstrate that vulnerabilities can exist for years
before being discovered. It is simply not reasonable to expect
security researchers to find every vulnerability, nor for software
companies to produce timely patches nor for users to install the
patches in a timely manner. Apple, for example, did not release a
patch the Kaminsky vulnerability until 24 days after it was publicly
announced. That was nearly three months after they were told about it
privately. By the time they released the patch exploits were already
publicly available.
In summary, there are certainly many factors determining
vulnerability detection. The pay-for-hack market is definitely among
them. So too is financial motivation for hackers which is related to the adoption rate. In other words, both the pay-for-hack market and the adoption rate affect vulnerability discovery.
Once again, thanks for the comment Kevin. I always enjoy having my
thoughts stretched,
Neil Smithline
Senior Security Consultant & Founder, OneStopAppSecurity.com
Security Blog:
How Long Have You Been Looking for a Job?
Posted by Meridith Levinson in Questions | 4 comments
5 Myths of Data Center Power Usage Optimization
Posted by Michael Bullock in Best Practices | 1 comments
Microsoft Has Itself a Windows 7 Netbook Pricing Dilemma
Posted by Shane ONeill in News | 1 comments
What a CIO Says, and What He's Really Thinking
Posted by Thomas Wailgum in Soapbox | 11 comments
Android May Lose Netbook Battle to Windows, but Win the War
Posted by Shane ONeill in News | 2 comments
Got something to say? We want to hear it! Click the Post button to get started. GO»
Agile Techniques, Agile Hype and the Essence of Agile [in IT and Business]
5 Myths of Data Center Power Usage Optimization
How Long Have You Been Looking for a Job?
Microsoft Has Itself a Windows 7 Netbook Pricing Dilemma
iPhone 3G S: If You Can't Beat Apple, Join 'Em
A good time to wear more hats
How Do You Manage Information Overload?
iPhone 3G S: Blockbuster Weekend
Persevering in the face of Fear, Uncertainty and Doubt
Take Your Time Moving To Process Based Organizations.
Preparing for the Next Cyber Attack
Ensure you are up-to-speed on the latest security technologies available to keep your network safe in this Executive Guide. Get a thorough assessment of the corporate security threat landscape. Protect your network with data leakage protection, NAC and other technologies explained in this report.
Sponsored by Qwest
Read this Executive Guide »
Cloud Building: 8 Ingredients for Internal Clouds
Cloud computing: a fundamentally new way to deploy IT services and functions cost-effectively and quickly. Learn how the VMware vCloud initiative dramatically improves how consumers access their information and experience applications as well as the 8 ingredients to get you going.
Sponsored by VMWare
Read this White Paper »
Investing in Business Analytics Technology
You're thinking now is the time to take the plunge into business analytics, but you still have some unanswered questions. This research summary addresses the most common questions and concerns surrounding the successful launch of a business analytics initiative. It also includes real-world examples of organizations already getting return on their investment.
Sponsored by SAS
Read this White Paper »
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Sign-up for the Blogs & Discussion Newsletter
