"New code, whether it's been rewritten or added, needs to go through an aging process," said Oliver Friedrichs, the senior director of Symantec's security response group. "Virgin code is likely to contain more bugs and flaws. And that's particularly true in a network stack, which is one of the most complex pieces of code in an operating system."
In a just-released paper, two of Friedrich's researchers, Tim Newsham and Jim Hoagland, detailed research that began with a September 2005 build of Vista and wrapped up with May's public Beta 2.
Among Newsham's and Hoagland's conclusions: "The amount of new code present in Windows Vista provides many opportunities for new defects."
"It's true that some of the things we found were 'low-hanging fruit,' and that some are getting fixed in later builds," said Friedrichs. "But that begs the question of what else is in there?"
Vista, the first across-the-board Windows upgrade since the 2001 debut of XP, is touted by Microsoft as its most-secure operating system ever. And the stack is one of the OS's most important security components.
"It's the single point of exposure of the network," explained Friedrichs. "It's the first point of entry that an attacker takes. They have to pass through the stack to get to the core of the operating system."
Vista's stack adds support for IPv6, the next-generation IP protocol, for instance, and includes IPv6 tunneling to transition from the now-in-use technologies to IPv6. Dubbed "Teredo," the tunneling technology is enabled by default, and could, said Symantec, serve as a welcome mat to attackers.
"If it's not deployed or configured correctly, [Toredo] may actually provide an entry method for attackers through this tunneling," said Friedrichs. Symantec's researchers also spelled out stability shortcomings in the stack, and spotted undocumented behaviors that "require some explanation" according to Friedrichs.
But although he made it clear that the Vista team seemed to be on top of bug fixes, he warned that it might be years before the stack's quality is ultimately determined. In addition, Microsoft's developers have only about four months to wrap up the operating system if they're to make the November deadline to corporations that the company's sworn to.
"In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects," wrote Newsham and Hoagland in their paper. "Despite the claims of Microsoft developers, the Windows Vista network stack as it exists today is less stable than the earlier Windows XP stack."
Friedrichs backed up his researchers. "This stack is very very complex," he said. "It's going to be tough to flush out all the bugs."
The Symantec paper can be downloaded in PDF format from the Cupertino, Calif. company's Web site.