So Microsoft held their biannual BlueHat security gathering last week, as they've been doing for a couple of years now, inviting outside security researchers to have a chat with Microsoft developers about security. The press aren't invited to these (officially it's an internal Microsoft event), so whatever details emerge usually come from the blogs of the researchers who were involved.
Halvar Flake, from Sabre Security, was invited to write up his thoughts on the BlueHat blog. He makes a few good points, which I feel reflect the general consensus now that Windows Vista has been out for nearly a year.
Microsoft did do a good job at addressing the issues of previous Windows versions. Progress on all fronts has been achieved, and MS is probably better than any other closed-source software vendor when it comes to the security of their products.
I've been saying this for a while now, this is Microsoft's security investment at work.
As a result, I think that most of the security researchers will move on to greener pastures for a while. Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some Antivirus software with shoddy file parsing, and the latest iTunes?
No surprise there, judging by Adobe's and Apple's slow release of patches for QuickTime, iTunes, Reader and the like: they're popular, and in the case of Reader rarely updated. You won't find any of that software on my machines, not only because of their poor record in addressing security, but because of how bloated and buggy they are.
This is one of the key reasons I tell people NOT to disable UAC, nor to elevate programs that don't work as a standard user; better to replace those programs with ones that work properly. Microsoft issued these guidelines back in 2000: programs shouldn't assume they have full rights to the box, nor should they be saving data all over the place. It's about time Microsoft forced third parties to clean up their act.
UAC ensures these programs run as a standard user, so if one of them has a vulnerability, the damage it can do is seriously limited. Leave it on, people.
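To see what UAC actually does for a running program, here is a PowerShell check. It is added here as an example and is not from the original post or from Microsoft. It reads the EnableLUA policy value that controls UAC, asks whether the current token carries full administrator rights, and then probes whether the process can write to machine-wide locations (Program Files, the Windows directory) versus the per-user profile where application data belongs. It assumes PowerShell 2.0 or later for try/catch; the probe file name is an assumption chosen for the example.

```powershell
# Added example (not from the original post): report UAC state, token
# elevation, and where a process running under this token may write.
# The registry value and environment variables are real Windows locations;
# the probe file name 'uac-probe.tmp' is an assumption for this example.

function Get-UacStatus {
    # EnableLUA = 1 means UAC is on: administrators get a filtered token by
    # default and programs run with standard-user rights until elevated.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.EnableLUA -eq 1)
}

function Test-IsElevated {
    # True only when the current token is a full (unfiltered) administrator
    # token, i.e. the process was elevated through UAC or UAC is off.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([string]$Directory)
    # Try to create and remove a small file. A standard-user token gets
    # access denied in machine-wide directories; per-user ones succeed.
    $probe = Join-Path $Directory 'uac-probe.tmp'   # assumed file name
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

"UAC enabled:                $(Get-UacStatus)"
"Process elevated:           $(Test-IsElevated)"
# Machine-wide locations a well-behaved program should never write at run time:
"Can write to Program Files: $(Test-WriteAccess $env:ProgramFiles)"
"Can write to Windows:       $(Test-WriteAccess $env:SystemRoot)"
# The per-user location where a program's data belongs:
"Can write to LocalAppData:  $(Test-WriteAccess $env:LOCALAPPDATA)"
```

Run it from an ordinary (non-elevated) PowerShell prompt on Vista with UAC on and the first two probes come back False while LocalAppData comes back True; run it from an elevated prompt and all three come back True, which is exactly the extra reach a vulnerable program gains if you elevate it. One caveat: UAC's file virtualization silently redirects writes to Program Files for legacy 32-bit processes that carry no application manifest, so a badly behaved old program may appear to "work" while its data ends up under VirtualStore in the user's profile; PowerShell itself is manifested, so the probe above reports the real access.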
Secretly, all attackers are hoping that Vista will be a failure, security spending will be scaled back and nobody will attempt to build a secure mainstream OS again.
No doubt at all they're going to be in for a harsh time for the next few years. With Windows Vista taking a majority share on the client and Windows Server 2008 rolling out, attackers are going to have to save their pennies.