Wednesday, January 10, 2007

Vulns in Vista, no way?

I certainly applaud the efforts that Microsoft has made in improving the security in Windows. I don't know the other vendors well, but they're ahead of most other ISVs.

However, to think that means there won't be vulnerabilities in Vista is sort of silly. Simply stated, new or changed code means that there will be new vulnerabilities, given the state of the art of application security testing today.

For example, we just started a new initiative on our website today with a zero-day page where we record significant zero-day vulnerabilities that may be of interest to our customer base. We recently reported 5 such vulnerabilities to Microsoft in Vista.

I wonder what 2007 will bring. 2006 saw a significant increase in 0-days with IE being openly vulnerable for 284 days during the year as documented by Brian Krebs, and lots of Office 0-days that seemed timed to come just after 'Patch Tuesdays'.
