In a show of its changed approach to the security of its operating system, and in an effort to reach out to those who might be likely to poke through holes in its proprietary code, Microsoft handed out beta copies of its new Vista operating system and outlined its security features at the Black Hat hacker conference in Las Vegas this week.
Bearing the cynicism and scrutiny of some of the world’s top software security researchers, Microsoft managed to earn some amount of respect and praise at the show, at the very least getting some credit for showing up.
While there is still plenty of doubt over whether the next-generation Windows operating system, expected for sale next year, will stand up to security challenges, Microsoft has at least put itself at a better starting point and will be better able to respond as a result of its investments in security, Arbor Networks Product Manager and Black Hat attendee Sunil James told TechNewsWorld.
“Really, what it was about is education,” he said. “They’re really, really trying to show the industry they’re listening to us. They put a good foot forward.”
Microsoft Opens Up
There has been much attention on Microsoft’s moves toward interoperability and more openness, especially in the face of competitive threats from open source software. However, nowhere is Microsoft opening up more of its code, procedure and policy than in security, according to James.
He said a Black Hat conference track dedicated to Microsoft’s Vista, a first at the annual Vegas hacker convention, did not provide hard, detailed technical information. However, Microsoft did manage to convey how its security has changed for the better, including operating system kernel-layer and application-layer measures to weed out bugs and vulnerabilities.
More importantly, James said, Microsoft is listening to the criticisms and concerns of outside code experts, something the company has never done to any substantial degree with its previous software releases.
“I think they’ve learned from others in the past,” he said. “They’re really using the community as a vetting process to scope it out.”
There is still plenty of skepticism when it comes to the actual code inside Vista, and Microsoft may still be struggling with security when Vista is released, according to IT-Harvest Founder and Chief Research Analyst Richard Stiennon, who has predicted that a critical vulnerability fix will be required on the first regular, monthly patch cycle following Vista’s release.
“I can’t fault them for jumping right in, and they’re hiring security geeks and sending them to these conferences, but I don’t think it’s helping them,” Stiennon told TechNewsWorld.
Stiennon said that while Microsoft’s outreach efforts, which were long overdue, are the right thing to do, Redmond does not have the resources to secure and patch its new operating system efficiently.
“It still doesn’t address the fact they created a monster,” he said.
Stiennon said fear built up around the security issues Vista is expected to face may help slow adoption, which will give Microsoft time to respond and to harden its OS with a service pack or update.