Symantec spots potential instability in Vista

Some of Microsoft's efforts to make Windows Vista its most stable and secure operating system ever could cause instability and new security flaws, according to a Symantec report.

Researchers at Symantec examined the new networking technology in recent test releases of Vista, Microsoft's next major operating system release, according to the report. They found several security bugs and determined that Vista's networking technology will be less stable, at least in the short run, than Windows XP's, the report said.

"Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects," the researchers wrote in the report, scheduled for publication on Tuesday. "This may provide for a more stable networking stack in the long term, but stability will suffer in the short term."

Vista, slated to be broadly available in January, will be the first major new version of Windows for PCs since XP, which was released in 2001. Microsoft has put a stronger emphasis on protecting PCs in the new operating system, as security has grown in importance over those five years. Symantec's report draws attention once again to Microsoft's goal of improved security and the hurdles it faces in getting there.

A Symantec representative said Symantec had provided Microsoft with a copy of the paper.

In a statement, Microsoft said Vista is being developed with the highest attention to security. Highlighting issues in early builds of Windows Vista does not accurately represent the quality and depth of the networking features, the software maker said.

"Given that Windows Vista is still in the beta stage of the development and not yet final, the claims made in this report are, at best, premature," Microsoft said. "And given the extensive work we are doing to make Windows Vista the most secure version of Windows yet, we believe the claims are also unsubstantiated."

Microsoft also noted that Vista will be the first client-based operating system to go through the company's complete Security Development Lifecycle, a process designed to prevent flaws and vet code before it ships.

Traditionally allies, Microsoft and Symantec are now going head-to-head in the security arena. In late May, Microsoft introduced Windows Live OneCare, a consumer security package, and the software giant is readying an enterprise product. Symantec has also sued Microsoft, alleging misuse of data-storage technology it licensed to the company.

In their paper, titled "Windows Vista Network Attack Surface Analysis: A Broad Overview," Symantec researchers put the networking technology in Vista under a magnifying glass to determine its exposure to external attacks. The team said it found several flaws in build 5270 of Vista and even more in earlier test versions. However, these were all fixed by Microsoft in build 5384, the version of the operating system that was publicly released in May as Beta 2.

"While it is reassuring that Microsoft is finding and fixing these defects, we expect that vulnerabilities will continue to be discovered for some time," the researchers wrote. "A networking stack is a complex piece of software that takes many years to mature."

Hunting bugs
With each build, Microsoft seeks to make the code more stable. On Monday, it released build 5472 of Vista to selected testers, which is likely to have put right more bugs.

For maintenance purposes and to improve performance and stability, the company is building much of Vista's networking technology from the ground up. The clean-slate approach also lets it add features such as support for version 6 of the Internet Protocol (IPv6).

"We're not saying that Vista's network stack is going to be inherently insecure when it is released," Oliver Friedrichs, director of emerging technologies at Symantec Security Response, said in an interview on Monday. "Vista is one of the most important technologies that will be released over the next year, and people should understand the ramifications of a virgin network stack."

Friedrichs noted that in the Linux networking stack, vulnerabilities and stability issues continue to surface well over five years after it was first released.

Aside from security flaws, features supported by Vista's new networking technology could expose a PC running the operating system, according to Symantec's report.

For example, Vista will be the first Windows version to support IPv6, the next update of the technology standard used to send information over computer networks, by default. To help transition to the new protocol and for peer-to-peer networking features, Microsoft has functionality called IPv6 tunnelling in Vista. This functionality could expose PCs that otherwise would be invisible behind a firewall, Symantec said.

"IPv6 and its accompanying transition technologies allow an attacker access to hosts on private internal networks outside of the (purview) of the administrator," the researchers wrote. As Vista becomes available, businesses should update security systems, such as firewalls and intrusion detection systems, to prevent that, they added.

The technology that underlies Vista's peer-to-peer collaboration features could also pose a security threat, Symantec said. To provide these features, Microsoft has added support for server-less name-resolution protocols, such as Peer Name Resolution Protocol (PNRP), that allow a Vista PC to operate in a network of Vista machines without a central server.

"As these technologies see wider deployment, we expect IPv6 and the new peer-to-peer protocols to play an increasing role in the delivery of malicious payloads," the Symantec paper said. "These features are critical to the success of Microsoft's peer-to-peer initiative but are also the same features that attackers need to deliver malicious content."

Although the Symantec report is one of the first more extensive looks at the security of Vista, the researchers looked at only a small part of the new operating system. Also, since Vista is still in development, much can still change.

"We expect many of our results to be invalidated by changes made prior to its public release," the researchers wrote.

But Friedrichs did underline the importance of networking technology in overall operating system security.

"The network stack is the first line of defence for an operating system, it is the primary component that separates an attacker from the operating system," he said. "It is very critical that this component is as robust as it can possibly be."