Virgin Vista 'will be less stable than XP' - Symantec

Some of Microsoft's efforts to make Windows Vista its most stable and secure operating system ever could cause instability and new security flaws, according to a Symantec report.

Researchers at Symantec examined the new networking technology in recent test releases of Vista. They found several security bugs and determined that Vista's networking technology will be less stable, at least in the short term, than Windows XP's, the report said.

The researchers wrote in the report, scheduled for publication on Tuesday: "Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects. This may provide for a more stable networking stack in the long term but stability will suffer in the short term."

Vista, slated to be broadly available in January, will be the first major new version of Windows for PCs since XP, which was released in 2001. Microsoft has put a stronger emphasis on protecting PCs in the new operating system, as security has grown in importance over those five years. Symantec's report draws attention once again to Microsoft's goal of improved security and the hurdles it faces in getting there.

A Symantec representative said the company had provided Redmond with a copy of the paper.

Microsoft, in a statement provided to silicon.com sister site CNET News.com, said Vista is being developed with the highest attention to security. Highlighting issues in early builds of Windows Vista does not accurately represent the quality and depth of the networking features, the software maker said.

Microsoft said: "Given that Windows Vista is still in the beta stage of the development and not yet final, the claims made in this report are, at best, premature. And given the extensive work we are doing to make Windows Vista the most secure version of Windows yet, we believe the claims are also unsubstantiated."

Microsoft also noted Vista will be the first client-based operating system to go through the company's complete Security Development Lifecycle, a process designed to prevent flaws and vet code before it ships.

Traditionally allies, Microsoft and Symantec are now going head-to-head in the security arena. In late May, Microsoft introduced Windows Live OneCare, a consumer security package, and the software giant is readying an enterprise product. Symantec has also sued Microsoft, alleging misuse of data storage technology it licensed to the company.

In their paper, titled Windows Vista Network Attack Surface Analysis: A Broad Overview, Symantec researchers put the networking technology in Vista under a magnifying glass to determine its exposure to external attacks. The team said it found several flaws in build 5270 of Vista and even more in earlier test versions. However, these were all fixed by Microsoft in build 5384, the version of the operating system that was publicly released in May as Beta 2.

The researchers wrote: "While it is reassuring that Microsoft is finding and fixing these defects, we expect that vulnerabilities will continue to be discovered for some time. A networking stack is a complex piece of software that takes many years to mature."

Oliver Friedrichs, director of emerging technologies at Symantec Security Response, said in an interview on Monday: "We're not saying that Vista's network stack is going to be inherently insecure when it is released. Vista is one of the most important technologies that will be released over the next year, and people should understand the ramifications of a virgin network stack."

Aside from security flaws, features supported by Vista's new networking technology could expose a PC running the operating system, according to Symantec's report.

The technology that underlies Vista's peer-to-peer collaboration features, much ballyhooed by Microsoft, could also pose a security threat, Symantec said.

The Symantec paper said: "As these technologies see wider deployment, we expect IPv6 [version 6 of the internet protocol] and the new peer-to-peer protocols to play an increasing role in the delivery of malicious payloads. These features are critical to the success of Microsoft's peer-to-peer initiative but are also the same features that attackers need to deliver malicious content."

Although the Symantec report is one of the first more extensive looks at the security of Vista, the researchers looked at only a small part of the new operating system. Also, since Vista is still in development, much can still change.

The researchers wrote: "We expect many of our results to be invalidated by changes made prior to its public release."

But Friedrichs did underline the importance of networking technology in overall operating system security.

He said: "The network stack is the first line of defence for an operating system, it is the primary component that separates an attacker from the operating system. It is very critical that this component is as robust as it can possibly be."

Joris Evers writes for CNET News.com