Vista is 'more secure' says Gates

BBC ^ | Tuesday, 30 January 2007, 15:33 GMT | BBC Staff

[Ernest_at_the_Beach]

Vista is 'more secure' says Gates

Vista features

Windows Vista is "dramatically more secure than any other operating system released", Microsoft founder Bill Gates has told BBC News.

Mr Gates said the security features in the new operating system were reason enough to upgrade from Windows XP.

Microsoft launched Vista in London, with more than 100m computers predicted to be using it within 12 months.

Mr Gates also defended the pricing of Vista, which is twice as expensive in Europe compared to the US.

The technology leader called the launch a "big day" that would bring a new digital workstyle and lifestyle.

HAVE YOUR SAY I beta tested Vista and, yes, it pushes a few of my buttons Gordon MacDonald, Hawkinge Send us your experiences

The new operating system (OS) boasts an improved interface and security tools.

Mr Gates said security in Vista would mean it would be "much, much harder" for malicious hackers to attack computers running the operating system.

"For anybody worried about safety, whether it is phishing or malware or parental control type issues, Vista brings that to a whole new level of capability," he added.

Security analysts have praised the improved tools in Vista but many feel that holes in the operating system eventually will be exposed and that Microsoft will continue to need to update it through online patches.

	WHAT IS AN OPERATING SYSTEM? It is the program which manages the hardware and software resources on a computer. It also forms a platform on top of which other programs can run.

Microsoft will come under fire if Vista proves to be the popular target of malicious hackers exploiting flaws, said David Mitchell, the software practice leader at analysts Ovum.

"It's crucial for corporate reputation and revenue that Vista proves more secure and stable than XP," he said.

Not all PCs will be able to run Vista - Microsoft recommends machines have at least 512Mb of RAM, a 800Mhz processor and 15Gb of hard disk space.

Microsoft has pledged to continue support for XP users until 2011.

The company launched Vista for business users two months ago. Now Vista has been released to consumers, who can buy four home versions.

There is also a stripped down version of the OS, Vista Starter, which is aimed at customers in developing countries. It will be available in 70 languages and will run on slower and older PCs.

VISTA PC SPECIFICATIONS VISTA CAPABLE 800MHz processor 512Mb memory DirectX9 capable graphics processor PREMIUM READY 1Ghz processor 1Gb memory 128Mb graphics memory 40Gb hard drive DVD-ROM Internet access How to install Vista

But Microsoft could face a backlash from consumers over its pricing plans - with the cost of Vista versions in the US roughly half the price of equivalent versions in the UK.

Prices for the OS in the UK range from about £100 for an upgrade version of the Basic package to £249 for a copy of the upgrade to the Ultimate version of Vista.

In the US prices start from $100 (£52) for an upgrade of Vista Home basic to $249 (£127) for the equivalent Ultimate version.

Mr Gates defended Microsoft's pricing plans: "We try to keep our prices largely in line from country to country... but with price you do generally get some things that get a bit out of alignment as currencies go up and down.

"Our goal across our product line is to largely have a global way of looking at things."

Mr Mitchell said there was pent up consumer demand for Vista.

VISTA HOME VERSIONS Home Basic - improved search and security but no Aero interface (pictured) Home Premium - As above but with Aero, Media Center options, back-up tools, DVD burning software Vista Ultimate - All home and business features, plus a series of downloadable Ultimate Extras Your reviews of Vista and rivals Vista's security features

"In the consumer space there has not been any new release of a Windows operating system for five years," he said.

Ovum predicts that 15% of XP machines will be running Vista by the end of 2007.

"Part of the appetite is 'something new for something new's sake'," said Mr Mitchell.

Mr Mitchell predicted that the new graphical interface, called Aero, improved desktop search tools and a promise of more robust security would appeal to many users.

But he predicted some consumers could be confused by the minimum specifications for PCs to run Vista and by the different versions on sale.

Users can visit the Microsoft website to check if their hardware will run Vista and some new machines are being labelled Vista Capable or Premier Vista Ready, for those PCs with higher specifications.

"There's been an attempt to demystify what the minimum specifications are," said Mr Mitchell.

"Undoubtedly some people - as in any industry - won't read the instructions."

In his interview with the BBC Mr Gates also predicted that school children would be using tablet PCs rather than text books in 10 years time.

"We will have an inexpensive tablet-like device that lets the teachers customise things.

We enjoy having them in the business Bill Gates on Apple's iPhone

"Hopefully the cost of that isn't much more than textbooks have been so that's a big change."

He also welcomed the arrival of Apple's iPhone into the market calling it "a great new entrant"

"What we are seeing for all these products is that software is increasingly important. If you look at a phone of five years ago it was really about the hardware only.

"But now as you are browsing and managing your calendar and having lots of music or photos, the software is the thing that counts and there are very few companies to do great software."

Microsoft produces software which runs on millions of mobile phones and portable devices.

He added: "We enjoy having them [Apple] in the business."

[Ernest_at_the_Beach]

I like your statement beter.....was just reading about this newest Linus distro this morning:

Review: Trustix Secure Linux lives up to its name

This is not a desktop distro...however...

Trustix Secure Linux is an interesting distro for servers that is designed to be all about security. While Linux, in general, is fairly secure, a distro that focuses on security and stability from the ground up should be a good choice for Internet servers. In our testing, we found Trustix lives up to its intentions.

*********************************

Trustix concentrates on keeping it simple. You won't get a GUI or the latest bells and whistles. What you do get with Trustix is a small and secure distribution that incorporates IBM's Stack Smash Protection, which protects the system and applications from stack-smashing attacks. This is one of the major forms of attacks, and many secure Linux distros have this turned on by default.

[Hydroshock]

Vista = Bloatware

[capt. norm]

I've always liked the Microsoft languages and they once had a great flight simulator (possibly still do), but their op-systems, starting with the original MS-DOS (almost entirely ripped off from Gary Killdal's CP/M....they made no effort to hide it) they just continue to get worse with each release.

[goldstategop]

Linux is going to be available to run older computers when Microsoft stops support for XP.

"Show me just what Mohammed brought that was new, and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Manuel II Palelologus

[Hydroshock]

I like linux, would use it if I could, but my wife will not let me load it on her machine. My laptop is a company one so I am limited on what I can tweak.

[Ernest_at_the_Beach]

I wonder what Vista has implemended for this issue:

**********************************************

stack-smashing attacks

Some detail:

**************************************************

Protecting from stack-smashing attacks
Introduction
Attack Scenarios and their Classification

****************************AN EXCERPT *************************************88

The buffer overflow vulnerability appears where an application needs to read external information such as a character string, the receiving buffer is relatively small compared to the possible size of the input string, and the application doesn't check the size. The buffer allocated at run-time is placed on a stack, which keeps the information for executing functions; such as local variables, argument variables, and the return address. The overflowing string can alter such information. This also means that an attacker can change the information as he wants to. For example, he can inject a series of machine language commands as a string that also leads to the execution of the attack code by changing the return address to the address of the attack code. The ultimate goal is usually to get control of a privileged shell by such methods.

Figure 1 shows a typical stack structure after a function is called. The stack pointer points at the top of stack, which is at the bottom in the figure. The programming language C uses the area from the top of the stack in the following order: local variables, the previous frame pointer, the return address, and arguments of the function. This data is called the frame of the function, which represents the status of the function. The frame pointer locates the current frame and the previous frame pointer stores the frame pointer of the caller function.

The function foo (see Figure 2) is a vulnerable function, which produces the stack structure such as shown in Figure 1. It reads the content of the environment variable ``HOME'' into the ``buffer'' which has a size of 128 bytes. Since the function strcpy doesn't check the size of the output, it can copy more than 128 bytes of data to the ``buffer''. Imagine the ``HOME'' variable has this string: 128 bytes of 41, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, and 3. This will assign 128 character 'A's, 0x01010101, 0x02020202, and 0x03030303 into the ``buffer'', ``lvar'', the previous frame pointer, and the return address respectively. (We assume that 32-bit variables are used by default and that C language notation is used.) When the function foo finishes it's operations and returns to the caller based on this memory arrangement, it will go back to the address 0x03030303, which isn't the caller address. If malicious code is located at the address, it is executed with the same privilege level as the application.

We will now introduce a classification of attack methods, how an attacker acquires control of the application. In the first category the target of the attack is to show in the stack. The following lists the data stored in this area and describes the attack method used.

• return address

  It is the most popular point of attack by changing the value of the return address to the address of malicious code.

• local variables
• argument variables

  The function pointer variable is a another target for acquiring the control. Assigning the function pointer variable of an argument or a local variable to the attack code is a typical attack method. In this case, the vulnerable place can be found by checking the source program.

  There is a third attack method using redirection. Assume that a variable is declared as the pointer of the structure that holds a function pointer. This is vulnerable to attack, but it is hard to find it without traversing the pointer. However , an attacker can create a fake structure that has the same contents as the original except for the function pointer.

  There is a possibility that changing a pointer variable which is not a function pointer variable will acquire the control of the application. In the case of the function foo from Figure 2, the pointer variable ``lvar'' can be changed to point to the location of the return address. If there is a statement that modifies the value pointed to by ``lvar'' after the ``strcpy'' statement, changing the return address may be possible.

• previous frame pointer

  Attacking the previous frame pointer can also take the control of the application. The connection between the previous frame pointer and the return address is based on the following dependencies:

  • the location of the return address is determined by the frame pointer.
  • the frame pointer is assigned to the value of the previous frame pointer at the time of function return.
  An attacker can create a fake frame that has the return address pointed to attack code. He can also change the previous frame pointer to the address of the fake frame. When the function returns to the caller function, the frame pointer will point to the fake frame according to the second dependency. It means that the return address could be changed by the attacker.

[Marine_Uncle]

MSDOS with a few more wrinkles in the GUI layer interfaces.

[DalcoTX]

I am sure I am not the only one that can envision a scenario where flaws in XP/2000 are released and exploited in order to sell more copies of Vista.

[CertainInalienableRights]

"Vista is 'more secure' says Gates"

My 8-year-old used car is 'more new' than my 9-year-old used car.

[Little Ray]

I suppose it depends your definition of "secure." If it means secure from files unapproved by RIAA and Microsoft, this is probably the case...

[Still Thinking]

Secure as in keeps ME safe from crooks and software companies or secure as in Bill can do whatever the heck he wants to me?

[goldstategop]

The latter. If you have several thousand dollars worth of fancy audiovisual equipment, it won't work with Vista - not unless it complies with content restrictions. That sucks.

"Show me just what Mohammed brought that was new, and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Manuel II Palelologus

[Still Thinking]

I know. The question was somewhat rhetorical. I have no intention of "upgrading" to Vista. I'm not entirely sure I won't chuck XP and revert to 2K.

[RegulatorCountry]

"dramatically more secure than any other operating system released"

Now THAT'S a statement begging to be parsed, lol. Released by whom? Microsoft?

[Ernest_at_the_Beach]

Reference Link:

Protecting from stack-smashing attacks
Hiroaki Etoh and Kunikazu Yoda
IBM Research Division, Tokyo Research Laboratory,
1623-14 Shimotsuruma, Yamato, Kanagawa 242-8502, Japan
June 19, 2000

**********************EXCERPT****************************

Abstract:

This paper presents some new ideas for improving the state of the art in buffer overflow detection. The main ideas are (1) the reordering of local variables to place buffers after pointers to avoid the corruption of pointers that could be used to further corrupt arbitrary memory locations, (2) the copying of pointers in function arguments to an area preceding local variable buffers to prevent the corruption of pointers that could be used to further corrupt arbitrary memory locations, and the (3) omission of instrumentation code from some functions to decrease the performance overhead.

[Ernest_at_the_Beach]

Prompted me to post this....wonder if they have implemented the techniques published in 2000 or something even more recent....see post # 35.

[E. Pluribus Unum]

Vista is "dramatically more secure than any other operating system released", Microsoft founder Bill Gates has told BBC News.

Translation: "Vista is 'dramatically more secure than any other MICROSOFT operating system released,' Microsoft founder Bill Gates has told BBC News."

[Squawk 8888]

Golden rule of IT: NEVER upgrade a stable platform unless a new business requirement calls for it. I will not be going to Vista until it's time to replace my current PC.

[Wyatt's Torch]

"Vista is so wonderful that when my current PC craps out I'm getting a Mac."

Ditto. Waiting on Leapard to drop and the Mini's to be updated to C2D and I'll buy.

[Ernest_at_the_Beach]

It's here! Introducing Windows Vista