Microsoft's Windows 7 will include several security upgrades over Vista and XP, but it's too early to say how dramatic the improvements will be, according to analysts. Andrew Storms, director of security operations of nCircle Network Security, said three specific items are expected in the new operating system due to be released Thursday.
Storms said Microsoft took a "big hit" when it loaded Vista with intrusive prompts asking people if they intended to perform a requested action. "In Windows 7 they are giving the user more fine controls over that," he said. "That makes it a little less annoying."
The second upgrade in Windows 7 is the capability of encrypting at the USB and FOB drive level. When Vista was designed, the amount of data that these portable drives could hold was comparatively small. That, of course, has changed and Microsoft will enable these drives to be more safely used.
Integrated Fingerprint Readers
The third advance focuses on mobile devices. In earlier versions of Windows, Storms said, fingerprint reading capability for notebooks was added through vendor software. In Windows 7, he said, it is integrated into the OS and looks "like another device."
Storms also pointed to two general changes. In Vista, two important security features were introduced into the OS kernel: data randomization and data execution prevention. Functionality has been added around these features in Windows 7, he said.
Finally, he pointed out that Windows 7 is the first of a new breed of products from Microsoft. "They live and breathe by the new security life cycle management program," he said. "Windows 7 is the first release that is built from the ground up using the new system." He said the program focuses on writing secure code.
However, Storms said the significance of the upgrades is hard to assess before the OS is released. "The reason I am hesitant is that we heard a lot of the same stories when Vista came out," he said. "It proved to be more secure, but the jury is still out on whether it lived up to everything they said was intended to be done."
In general, however, Storms said he is encouraged by the reaction of the company during the past decade, and that it's likely the improvements will continue. "They have shown this time and time again on multiple fronts, whether it's to be more communicative with the general public or the general decline in the number of bugs. There are enough data points to show they have come a long way in the last decade."
No Silver Bullets
David Perry, global director of education for Trend Micro, said there are improvements, but there are no sure things in the security world. "Windows 7 has a vast number of differences in security," he said. "It's a mature product of the company's security life cycle management program. Microsoft spent a lot of time securing all kinds of stuff. The kinds of things you would usually tweak later."
The problem is that to a great extent, the security focus is off the OS, Perry said. "These days most of the vulnerabilities and exploits we see are not operating system-based, but application-based. They are on things like Python, Adobe Flash, and AJAX. Nothing is a silver bullet, partly because the OS has inherent vulnerabilities from the programming languages used to write them. But Microsoft has done a lot of fantastic work. But it's not possible to make a silver bullet. Over half of the patches for the most recent patch Tuesday were for Windows 7."