Vista security goal, pie in the sky? Experts weigh in

23.02.2007

"I agree when he says that it's a 'great goal,' where 'great' implies tremendous luck and fortune. Whether it's a reasonable goal, it will remain to be seen, but I don't think so. I think that would be quite spectacular, if it came to pass.

"I think he's overconfident, but also speaking hopefully. They've put a tremendous amount of effort into improving things in Vista. I just think a few factors make that harder to come to pass. First, there is so much new code and new opportunity for vulnerabilities. Secondly, the ease, speed and ability of people to find flaws have really improved.

"I think the age of mass-proliferating Internet worms is waning, because the remote surface space is finally starting to diminish. This may partly be due to host-based firewalls and better enforcement of IT policy, but also -- in the case of Vista -- more standard OSs are starting with a more conservative approach to exposure. How this shifts the offensive tactics of malware and virus writers, I can't be completely sure, since it's incredibly hard to predict. But I think this will force them into continuing the trend toward browser, e-mail and parsing exploits.

"In the case of Vista, owning a box will now require multiple hoops or combining exploits, like a browser vulnerability and a local vulnerability that gives privilege escalation, for example. In any case, I believe this raising the bar will coincide with the trend of increased sophistication of attackers and balance out.

"I am not expecting a huge decrease in Microsoft vulnerabilities. My best guess is more likely a 20% decrease, if that."