I have to give Microsoft some credit: Last week, the company invited hackers at the Black Hat USA 2006 security conference in Las Vegas to hack into Windows Vista after giving them a tour of the upcoming OS's new security features. Hackers at the show came away impressed with both Microsoft's candor and some of the new security features, although many of them added that the improvements were long overdue. But the real news from the show is that Vista was actually successfully hacked the very day that Microsoft made its Black Hat presentation. And that news has to have Microsoft's customers worried.
Sure, Vista's still in beta, but we're in the release candidate (RC) phase of development now and that supposedly means that the next potential Vista milestone is a build of the product that Microsoft considers a candidate for the final release version. (Reality update: In a bit of name bending, the Vista RC1, still expected this month, will have more in common with a beta release than the final shipping version.)
Here's the thing. Vista is feature complete and has been since early this year. Microsoft will no doubt change Vista's security features to prevent the kind of hack that was demonstrated during Black Hat (in which a Polish security researcher used virtualization technologies to bypass Vista's security). But this is exactly the kind of reactive security measure that Microsoft's newly minted and much-ballyhooed security code review was supposed to prevent. It's not hard to imagine other security flaws being exposed after Vista is finalized. What happens then? A monthly deluge of security updates, just as happened with Windows XP.
Joanna Rutkowska, the researcher who demonstrated how to bypass Vista's security, made an interesting comment that pretty much sums up my expectations. "The fact that this mechanism was bypassed does not mean that Vista is completely insecure," she said. "It's just not as secure as advertised. [But] it's very difficult to implement a 100 percent-efficient kernel protection." In other words, Vista will be more secure than XP, but will still face security problems. Thus, the status quo is likely to continue. That's a bad sign.
Rutkowska calls her hack Blue Pill, and it uses AMD's Pacifica virtualization technologies, plus a bit of user interaction--bypassing User Account Protection (UAP) by pressing the Accept button in a dialog box--to pull off its magic. Some people might argue that such a complex series of steps speaks well of Vista's security. But in my experience, most of the best hacks are bootstrapped by user error. Humans are pretty much the weakest link in the security chain. It's no wonder, when you think about it, that many of Vista's security features--such as Microsoft Internet Explorer 7 Protected Mode, UAC, and Address Space Layout Randomization (ASLR)--are ultimately designed to help protect us from ourselves.
Security aside, Vista is nowhere near the shape it needs to be in at this stage in the game. Thus, I'm recommending that Microsoft hold off on releasing Vista until the product is really ready rather than releasing it in October to meet an arbitrary release to manufacturing (RTM) date. Microsoft, you can always grandfather in Software Assurance (SA) customers who were counting on getting Vista licenses this year. Do the right thing.
I've also written a tongue-in-cheek overview of my feelings about the readiness of Vista in an article called "Is Windows Vista Ready?" You can find it on the SuperSite for Windows.