Microsoft's recently released operating system, Windows Vista, will have up to 50 percent fewer Critical bugs and 30 percent fewer Important bugs as Windows XP Service Pack 2 over a two-year period, Michael Howard, security program manager for the software giant, predicted in a blog posting published last week.

There will undoubtedly be some "ouch" moments where Microsoft's developers wonder how they missed a particular vulnerability, but Vista will remain Microsoft's most secure operating system, Howard said. The severity of software flaws may be skewed because Microsoft will likely count any remotely exploitable bug as a Critical vulnerability, even if Windows Vista has some other protections in place to guard against exploitations, he added.

"The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity," Howard wrote. "So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place."

Security researchers have started focusing on finding flaws in Windows Vista. A week after the launch of Vista, several security researchers found that a PC running the operating system could be commanded to do a variety of tasks using Vista's voice recognition software. At the end of February, Symantec, the owner of SecurityFocus, released a trio of papers on different aspects of the operating system's security.

Howard, who co-wrote Writing Secure Code 1 & 2, helped develop Microsoft's Secure Development Lifecycle (SDL) process for reducing the number of bugs in the software giant's programs. He later co-wrote a book on the topic as well.



http://www.securityfocus.com