Vista security goal, pie in the sky? Experts weigh in

Microsoft Corp. has been ballyhooing Windows Vista's security for years, saying that it will prove to be its strongest, toughest operating system ever.

But now that the long-awaited operating system is out, how will Vista really stack up? Ben Fathi, the former head of Microsoft's security group and now the chief of development in the Windows core operating system group, recently set the security bar.

"I made a statement six or nine months ago that I would like to see half as many vulnerabilities as XP [had] in the first year," Fathi said at the RSA Conference 2007 in San Francisco. "Obviously, I'd like less than that; I'd be happy with zero. But I think it's reasonable to say, given the additional complexity and the additional size of Vista, that half as many would be a great goal."

In the first year after Windows XP debuted in October 2001, Microsoft posted 30 security bulletins pegged to the Home version of the then-new operating system. (Unlike today, Microsoft didn't spell out the number of vulnerabilities in each bulletin.)

For Microsoft to meet Fathi's goal, that means 15 or fewer security updates will tag Vista before the end of January 2008 -- a year after the retail/consumer release. Is Fathi being overly optimistic, or is he being conservative in the hope that the first 12 months look even better than predicted? Computerworld asked a half-dozen security researchers and analysts for their take on Fathi's target. Not surprisingly, they don't all agree on whether the security objective is obtainable -- or out of the question.

Minoo Hamilton, senior security researcher, nCircle Network Security Inc.