Microsoft has announced that no security updates will be released in March.
Didier Stevens wonders if any zero-day exploit will be released this week:
It will be interesting to see if new zero-days will appear in the coming days. We often see new zero-days just after Patch Tuesday. There’s a theory that states that exploit writers do this to maximize the lifetime of the exploit. If this theory is correct, we should already see new zero-days appearing between now and Tuesday, because exploit writers won’t have to wait for Tuesday to maximize the lifetime of the exploits.
Let’s see what happens. The fact that Microsoft won’t release patches this month doesn’t mean they are not working on the next batch for April. If they were aware of the existence of a zero-day exploit for any of the current unpatched vulnerabilities, they would have included the patch in this month’s release. Of course, the very definition of “zero-day exploit” means that it is unknown except to the guys using it (or those paying to use it).
Michael Howard, from Microsoft, comments on Vista security from a privileged point of view. He predicts that the number of security bugs for Vista will be smaller than those for XP SP2 or Windows Server 2003, and he is able to make this prediction based on his trust in the SDL (Security Development Lifecycle):
The security engineering effort applied to Windows Vista was staggering; I can’t begin to explain all the work we did. I stand by our view that Windows Vista is the most secure Windows we have released. And that translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows.
Is Windows Vista perfect and utterly security bug free? Of course not! No software is bug free. Not even Macs or Linux :-)
My prediction for Windows Vista security bugs is pretty simple, and yes, I realize I am going out on a limb here. There will probably be a number of security bugs in the following months; I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months’ bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.
It is a reasonable prediction based on previous SDL experience, for example in the SQL Server 2005 case. Putting some numbers on it:
So here’s my prediction. We will see significantly fewer critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction of important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected.