Imagine my surprise when reading the New York Times that we're in a crisis of confidence around Windows Vista! I imagine us looking like Paul Giamatti, nervously wringing our hands over a bunch of unshipped Vista boxes. Don't worry, Windows Vista is on track for general availability.
The finding of vulnerabilities in any software is to be expected. I've blogged about when the first vulnerabilities would be reported in Windows Vista, as have members of our SWI team. This is all part of the process of creating complex software today, and no one is immune to it. It's not, as they say, big news to us in the security industry.
Windows Vista, for instance, received an absolutely unprecedented level of input and review by security researchers. We even took it to Black Hat Las Vegas this year to gather feedback. In addition, it had an incredibly broad Beta program, which resulted in numerous changes to the product to help make it more secure. These efforts, I firmly believe, resulted in this product being the most secure version of Windows we've produced to date. That doesn't mean "zero vulnerabilities". No one can claim that crown; software creation is too much a human endeavour.
Add to that the fact that the review of a product like Windows Vista doesn't stop just because the product gets released. Right now security researchers, having had the closest look yet at one of our operating systems, are still hard at work researching its capabilities, because any modern operating system is complex. That means we're probably going to see a higher initial rate of vulnerabilities reported to us than with previous versions of our products, given the early view researchers have had into Vista. This is going to help make the product stronger before many of the threats against it have a chance to emerge.
That's how the process works. No one will ever get the software 100% right out of the gate. What we've done as a company is build defense-in-depth capabilities into the products themselves, and also create good internal processes that prioritize reported vulnerabilities and get them into the update cycle. At the same time, we take the root-cause information and change the way we create the software, so we can learn from these situations.
We encourage all security researchers to practice responsible disclosure, and to please report any vulnerabilities they discover to secure@microsoft.com.