Vista security goal, pie in the sky? Experts weigh in


"But 15 doesn't sound unreasonable to me, given the amount of new code."

John Pescatore, analyst, Gartner.

"We saw definite improvement [in security] from Windows Server 2000 to Windows 2003 Server, not only many fewer vulnerabilities, but many fewer critical ones. Gartner believes we will see a similar improvement from Windows XP to Vista.

"Half as many critical vulnerabilities would be a conservative goal, [though] I would hope for much fewer than those, given all of Microsoft's investment in, and marketing of, its Security Development Life Cycle. I'd say a better success measure would be more like [a] 25% [reduction], not 50%.

"Vista does have more 'stuff' jammed in. Microsoft just had to announce a critical vulnerability in the malicious software detection engine, which is now built into Windows because of the [integrated] Defender antispyware. That works against security. Late in Vista's development, Microsoft ripped out a lot of other stuff (like new file systems and virtualization and the like), which reduced the complexity a good deal (a good thing) but always raises the worry that the late modifications may have opened up security holes. Also, many of those functions will come back to Vista later on. ... Vista will change much more continuously than any previous Windows OS, and that has to be done very, very rigorously or there are more security worries.