Windows Vista's 90-Day Report Card




(Page 3 of 3)

THE SECURITY QUESTION

In the three months since Vista's business release, there's been only one patch to the operating system. Patch MS07-010 was issued in February to fix a critical vulnerability related to the way the Microsoft Malware Protection Engine parses Portable Document Format, or PDF, files. The vulnerability, while not within Vista itself, could allow an attacker to remotely execute code on a Vista PC.

For a company that's been pounded relentlessly for vulnerabilities in its software, a single patch over three months is cause for celebration, though Microsoft knows better than to call attention to its success. "There will be vulnerabilities found in Vista," says Stephen Toulouse, senior product manager in Microsoft's Trustworthy Computing Group. But no news is good news, and Microsoft, remarkably, has no patches planned for March.

The consensus among security researchers, third-party vendors, and corporate security managers is that Vista is a solid improvement over its predecessors. Vista's security features include BitLocker full-disk encryption, Windows Defender anti-spyware, and a feature known as address space layout randomization that arranges applications in memory to protect against buffer overflows.

Windows Vista's Grades

Category                   Grade  Comment
Security                   B+     No showstopper bugs or viruses; only one patch
Application Compatibility  C-     Only 1,000 apps have been certified for compatibility
Device Drivers             B-     90% coverage means 10% breakage
Stability                  B      A service pack will be necessary this year
Wow Factor                 D      IT pros don't see the business case

No security feature has elicited more of a response than User Access Control. If a user wants to install an application, Vista checks to see if the user has the appropriate privileges to do so, making it harder for malware to trick the system. Some early users have found it annoying, but others--particularly managers--see the benefit. "It actually has a whole lot going for it," says Michael Barrett, chief information security officer of PayPal.

The true test of Vista's strength will come as it gets more exposure and becomes a larger target for malicious hackers. If Vista security holds up, Microsoft will find it easier to convince slow-moving customers like the Department of Transportation to upgrade. Despite its Vista moratorium, CTO Tim Schmidt says the agency hasn't ruled out upgrading its computers to Vista if all of its concerns are resolved. "We have more confidence in Microsoft than we would have 10 years ago," he says.

Vista may be slow getting out of the gate. But if improved security holds up over time and translates into a higher level of customer confidence, slow and steady could still win the race for Microsoft.

--with Larry Greenemeier and Paul McDougall
