Windows Vista will solve many, but not all of the security woes plaguing PC users, according to some experts evaluating the Microsoft operating system going on sale in late 2006.

One analyst said the software — introduced yesterday in a test version — has vastly improved security that may offer a sort of road map for people trying to attack the current Windows XP, which will continue to be used by tens of millions of people for years.

“As they document the shortcomings in Windows XP that Vista fixes, as is always the case, virus writers will take that documentation and use it as a template,” said Rob Enderle, a Santa Clara, Calif., analyst who is testing Vista and has advised Microsoft on security issues.

That may be a mixed blessing for Microsoft.

The company will have to continue investing in XP fixes and customer support if Vista reveals new vulnerabilities in XP. But the company will benefit if security concerns push customers to rapidly upgrade to Vista.

Either way security will probably be the focal point as consumers, companies and investors weigh the promises of Vista, which will be Microsoft’s biggest product release since Windows XP launched in October 2001.

The software, formerly code-named Longhorn, is also Microsoft’s first major new operating system since Chairman Bill Gates ordered the company in 2002 to make security and reliability its top priority. It’s also the product of a re-engineering effort to simplify the underlying structure of Windows and unsnarl the tangled set of features added to the system over the past decade.

Microsoft spokesman Lou Gellos said security updates will continue for XP after Vista ships, and XP users with updated systems won’t be less secure than they are now.

“If you buy a brand new car this year, that doesn’t mean the car you had last year is not safe, but there are improvements,” he said.

Vista is scheduled to go on sale in fall 2006 after a review process that began in earnest yesterday when the company released a “beta” test version to software developers. A second test version with more features could come in September or October, Enderle said.

Vista-based PCs will start at about $499 for a basic desktop or $599 for a machine powerful enough to take advantage of its new features, Enderle said. He said PC makers are already working on prototypes, including small machines similar to the Mac Mini, a computer slightly smaller than a Harry Potter book that Apple released in January.

Research firm IDC expects Microsoft will increase its market share even more after Vista’s debut. It predicts the company’s share of all operating-system revenues worldwide will grow from 70 percent in 2004 to 77 percent in 2009, said Dan Kusnetzky, vice president of system software research.

Security advances or not, operating systems will be upgraded at the same pace as in the past, he said.

“I suspect that the adoption rate of this software will mirror the adoption rate of other versions of Windows,” he said. “It’s very likely to take maybe a year, a year and a half, before it’s the predominantly shipping product.”

Others who have tinkered with Vista aren’t so sure about the XP risk that Enderle described. But none thinks Vista’s improvements will stifle attacks on PCs altogether.

“Once this is finally released, I envision that within the first 60 days there will be reports of issues,” said Eric Schultze, a former Microsoft engineer now chief security architect at security consultant Shavlik Technologies in Minneapolis.

Vista’s improvements will make it much harder to attack, however. Among the features he cited are a bidirectional firewall that restricts outbound and inbound traffic, and a built-in monitoring system that watches for abnormal activities and would automatically stop some infections.

“Certainly the low-hanging fruit is no longer available — it’s a lot tougher for the average hacker to figure out a way to get in,” he said.

Sometimes it’s more than a technical challenge for Microsoft to secure its products.

Within the company there can be pressure to add snazzy features or make changes that degrade a product’s security, Schultze said. He remembers kvetching with other security engineers when Windows XP was shipped with its firewall turned off. Now, “the security team probably has more clout to say, ‘No, you can’t do that,’ ” he said.

Vista is also likely to not work with some older, less-secure software applications. That’s a departure for Microsoft.

“Back when I was at Microsoft on the security team, we referred to Longhorn as the ‘security OS’ that would finally break application compatibility,” Schultze said. “Now in Longhorn, or now Vista, they would ensure that if your application doesn’t conform to specific requirements it might break, ‘but we don’t care.’ ”

Enderle said Vista’s biggest security improvement is that it makes it easier to use PCs with administrative privileges turned off. That capability stops some viruses from being able to install and run.

Vista is also designed so that it can be more easily upgraded and responsive to threats, he said.

“This one,” he said, “is going to be designed like a tank.”

Brier Dudley: 206-515-5687 or bdudley@seattletimes.com