Microsoft Previews Security Features Of Upcoming Windows Vista - InformationWeek


The company plans to beef up protection for Internet Explorer, firewalling, and anti-spyware, as well as hardening the operating system so that some tasks require administrator-level privileges to execute.

Microsoft Thursday provided some incremental insight into the security features it's planning for its upcoming Windows Vista operating system, via a public, online chat on its MSDN developer network. The chat was hosted by Mike Nash, the vice president of the software giant's security business unit.

"We’re doing a number of things in Windows Vista to help protect users from malware," Nash told the chat audience. "One of the most innovative is protected mode in Internet Explorer. Protected mode reduces the severity of threats to IE and add-ons running in the IE process by eliminating the silent install of malicious code through software vulnerabilities. This is done by automatically running IE in isolation from any other application or process in the operating system and limiting the IE process from writing to any location beyond Temporary Internet Files without explicit user consent."

Nash characterized protected mode as just one of many measures the software giant is applying to deal with Web-based threats. "We’re also doing work to reduce the attack surface area by disabling by default most ActiveX controls and COM objects that can be instantiated as ActiveX controls. We’re also doing a number of things to reduce phishing attacks and other forms of spoofing users into making a bad trust decision," Nash added.

In addition, Microsoft is currently working to improve the firewalling in Windows to provide bi-directional filtering, Nash said. He reiterated a Microsoft pledge to equip all Vista users with anti-spyware technology. Microsoft released the beta version of its AntiSpyware 1.0 program this past January, using technology it acquired through its purchase in late 2004 of Giant Software.

Early on in the chat, Nash fielded a question that amounted to a criticism of the tactic common throughout the software world of limiting the ability to perform certain tasks to users with administrative privileges. The question was keyed to Microsoft's CRM program, but Nash expanded his answer to encompass software in general.

"Frankly the issue is less about Microsoft CRM and more of a general issue where we did not do a good enough job of creating clear security levels in Windows," Nash wrote to the chat audience. "Starting With Windows Server 2003, we started to look hard at exactly what features [and] services required what privilege levels. This is part of our secure-by-default strategy. We were able to reduce a lot of privileges which reduced attack surface area. We call this 'least privilege' ".

That strategy is being carried through to Windows Vista, Nash said. "For Windows Vista we created a new capability called user account protection. This feature enables you to use your desktop system without being an admin."

In Vista, administrative protection will be handled in part via a user-account protection service. Though billed as a colloquial, give-and-take chat with online participants, at least one of Microsoft's responses appears to have been drawn directly from a previous public statement. Nash was asked why Microsoft had not gone ahead with a security update that it had planned to issue on Sept. 13.

"No bulletins were released on September 13," Nash told the chat audience. "For the update that we were planning on shipping, late in the testing process, we encountered a quality issue that we decided was significant enough that it required some more testing and development before releasing it. We have made a commitment to only release high quality updates that fix the issues at hand, and therefore we felt it was in the best interest of our customers to not release this update until it undergoes further testing."

Most of that answer was a repeat of a blog entry posted on Friday, Sept. 9 by Mike Reavey, a member of Microsoft's Security Response Center.

On the developer front, one chat participant told Nash that, while Microsoft seemed to be very responsive in providing end-user security updates, it seemed slower in coming up with better tools for software developers. "We hope that the upcoming release of Visual Studio 2005 in November will help address this," Nash answered. "We have done a lot to help developers write secure code with this release. It includes the integration of PREfast, FxCop, the secure CRT, and other improvements that enable developers to write more secure applications. This release makes available many of the same technologies we are using within Microsoft to improve the security of our own code."
