Subscribe to this site’s feedThis was originally published on the CIO website and is reprinted with their permission.
There seems to be no end to the news about Windows Vista and its slow adoption rate. The reasons often cited for the slow adoption rate include lack of new features, increased hardware requirements, reduced performance, early and positive marketing of Vista's successor, Windows 7, and, of course, cost. However, from the security viewpoint, the correctness of these reasons are irrelevent. All that matters is that Windows Vista is a new operating system that is not obtaining a large market share.
The problem is that Windows Vista is a complex system that contains a large amount of new code. Complexity and newness are always a security red flag. Figure 1 shows a typical pattern as how discovered vulnerabilities vary over the lifetime of a product. As a software product becomes popular, it becomes a bigger target for attacks. Continuing growth of the install base and success of previous attacks provides ongoing motivation for attackers to spend resources trying to find new attacks. Eventually, as the most obvious vulnerabilities are discovered and corrected, the rate of discovering new vulnerabilities slows to a point that the software can be patched faster than new vulnerabilities are discovered and the curve begins its downward swing.
But, if a system has an unusually slow adoption rate, the curve can become unpredictable. In particular, if a large percentage of users are delaying adoption, attackers can lose interest in searching for vulnerabilities and the curve can level off or even begin to drop. Then, as more users move to the new platform, it becomes a more attractive target and hence vulnerabilities are discovered at a faster rate and the curve begins its upward climb again.
Nothing in this analysis is specific to Vista, Microsoft, PCs, or operating systems. The security concern arises from the complexity of creating large systems and the market's desire for new functionality at the cost of security. At this time, it is impossible to predict when Vista will be relatively secure and ready for use in mission critical systems. In fact, if Vista does not see widespread adoption, it might not even be possible to retrospectively determine whether Vista ever reached a state of moderate security stability. Without the incentive of a widespread user base, there might never be enough motivation to attack Vista to be certain that it is secure.
While I cannot recommend for or against Vista in the long run, I think use of it in the immediate future should be for non-critical systems until it sees a longer and more serious adoption.
Leave a comment