Symantec: Vista Beta Code Could Pose Security Risks

After kicking the tires on beta versions of Microsoft's upcoming Windows Vista operating system, Symantec researchers reported that the large amount of new code in the next-generation OS could lead to security vulnerabilities.

In a report issued this week, Symantec provided results of its evaluation of three public, prerelease versions of Vista, which includes a completely rewritten TCP/IP network stack.

The network stack is inherently a very complex component in the OS, and that likely will lead to some security-related growing pains for Vista as bugs are identified and fixed, said Oliver Friedrichs, director of emerging technologies in Symantec's Security Response division.

Though it's too early to conclude that the Vista network stack will be insecure, Microsoft may find it difficult to flush out all the bugs before Vista's expected release in January, according to Friedrichs. "Writing a network stack from scratch involves some challenges that will present themselves while the stack matures, before and after Vista is released," he said.

Symantec researchers found a number of areas where the Vista's stack was susceptible to stability issues and vulnerable to malformed data and input, Friedrichs said, adding that he believes Microsoft will find and fix many of these flaws before releasing Vista.

In examining Vista, the Symantec researchers also discovered undocumented protocols that aren't Internet standards, such as the Link Layer Topology Discovery protocol (LLTD), Friedrichs said. "Without indication of what services these protocols represent, they represent a security challenge for locking down the network perimeter," he said.

Vista supports IPv6 as well as new Windows collaboration technologies such as Peer Name Resolution Protocol (PNRP) and People Near Me (PNM), but the code behind those protocols could become a target for attackers because it hasn't been battle-tested, according to Friedrichs.

"The challenge of these new protocols is that they represent a number of areas where invasions can occur in a corporate network environment," he said. Intrusion detection and prevention systems will have to be equipped to analyze the traffic from the new protocols to continue protecting networks, he added.

Given that Windows Vista is still in the beta stage of the development, the claims made in Symantec's report are premature and unsubstantiated, a Microsoft spokesperson said. "Highlighting issues in early builds of Windows Vista does not accurately represent the quality and depth of the networking features," the spokesperson said.