January 27, 2006 3:22 PM PST
Allchin: Buy Vista for the security
- Related Stories
FAQ: Getting a handle on Windows VistaNovember 29, 2006
Do Web filters protect your child?January 24, 2006
Faster Wi-Fi standard gets draft approvalJanuary 19, 2006
Microsoft to hunt for new species of Windows bugJanuary 9, 2006
Windows AntiSpyware becomes 'Defender'November 7, 2005
Vista's answer to PC power woesAugust 25, 2005
Longhorn's new name: Windows VistaJuly 22, 2005
An early peek at LonghornApril 14, 2005
Microsoft revamps its plans for LonghornAugust 27, 2004
After delays, Windows security update ready to goAugust 6, 2004
(continued from previous page)
Another security change at the operating system level involves Internet Explorer. In Vista, IE 7 will run in protected mode by default, Allchin said. This mode will prevent silent installs of malicious code by stopping the Web browser from writing data anywhere except in a temporary files folder without first seeking permission. "We sandboxed all of IE," he said.
On systems with 64-bit processors, Vista will require digital signatures to run kernel-mode software such as device drivers, Allchin said. This is an attempt to block unwanted software such as rootkits from nestling deep into the PC.
Microsoft also has updated the security software in Windows Vista to help fend off threats. The firewall has been updated and now looks at incoming as well as outgoing traffic--in XP SP 2 only incoming traffic was watched. Also, Microsoft has made its anti-spyware tool, Windows Defender, part of the operating system.
"The first step is protection from doing things inadvertently or warning you about the level of impact it could have," Allchin said. "Then, if you let something in, Defender is there to (warn you) and you can undo it. If the thing gets in and has really done some awful things, using the equivalent of System Restore in Windows XP you can back up time and undo it," he said. Microsoft doesn't yet have a new name for System Restore, he said.
Other security features in Vista include BitLocker Drive Encryption to protect data on computers when lost or stolen. The encryption feature is designed to work with a chip called the Trusted Platform Module, which offers protected storage of encryption keys, passwords and digital certificates. BitLocker is the one remnant of Microsoft's grand hardware-based security plan originally envisioned for Vista.
For businesses, Vista will offer tighter control over removable storage devices by letting administrators centrally block the installation of, for example, USB (universal serial bus) flash drives and external hard drives. This feature is designed to help prevent intellectual property or sensitive data from being compromised or stolen.
IDC analyst Al Gillen said that Microsoft has taken much-needed steps with the operating system, such as the USB-blocking abilities.
"Those kinds of things are incremental improvements that really were pretty important," Gillen said.
But, like any software, Vista isn't hack-proof. In fact, Microsoft has already had to issue a security update for the operating system. The patch fixed the same vulnerability related to the processing of Windows Meta File (WMF) images found in earlier versions of the operating system. "That torqued me," Allchin said.
Microsoft was in the process of checking the parsing of all kinds of files and hadn't made it down to WMF yet, according to Allchin. "We would have caught it. It was on the list; we didn't get to it" in time, he said.
"At no time am I saying this system is unbreakable," he added. "Security is going to be an issue for the industry in all pieces of software, not just the OS."
188 commentsJoin the conversation! Add your comment