Should you worry about potential exploits in Windows Vista?

Decades ago, when I first became involved with computer technology, I must admit that part of the appeal was the fact that technology was "cool." And, while glowing letters and numbers on a cathode ray tube have given way to graphical user interfaces on LCD monitors, computers themselves really haven't changed much.

But these days, it seems that most technology companies focus more on appearance than reliability. I like to call this type of marketing the "decorative but not functional" selling tactic. Companies have used it effectively for years, and many otherwise intelligent companies and individuals have made decisions on computer products and services based on this form of emotional rationalization. But emotional rationalization can also scare people away.

For example, in late July, Microsoft released the beta version of its next major release of the Windows operating system—originally dubbed Longhorn and now christened Vista. I'm not involved with the Vista beta test, so I have limited information. But what I do know is that within a matter of hours, the Windows Vista beta made its way onto the Internet's P2P file-sharing networks.

About a week later, a wily hacker decided to release a couple of scripts—some news releases incorrectly identified these as "viruses"—that targeted a component of Windows Vista, the new command-line shell code-named Monad. (The next day, Microsoft announced that the targeted component would no longer be a part of Vista.)

More than a few people were almost gleeful in their observations that someone had already "broken" Windows Vista and that the OS itself is insecure. In discussion posts and blog entries across the Web, users discussed the potential, theorizing that, now that hackers had their hands on the Vista beta, it was only a matter of time before they released a worm. While that may be true, no real Windows Vista exploits have surfaced yet.

However entertaining it may be to speculate about Vista's security or lack thereof, let's be honest: Are potential exploits in Windows Vista really something to worry about? Personally, Vista exploits are at the bottom of my list of concerns at the moment.

First of all, Microsoft has yet to set a firm shipping date for the final product; the Windows Vista page on Microsoft's Web site only says "arriving 2006." In addition, the first beta hasn't been around long enough for beta testers to really use.

More important, the majority of corporations and existing Windows users won't bother upgrading until they have a compelling reason to do so. It's important to remember that the majority of Windows users are not early adopters; many continue using an older version of Windows until forced to make the switch.

I could list several more reasons why I don't think potential Vista exploits are cause for concern yet, but they're too speculative to be useful. But I can say without any doubt that hackers will target Vista, as they have with all other Windows versions.

In my opinion, what's more important to be concerned about with Vista is whether it will offer sufficient technology advancements to convince corporations to use it. And, at that point, potential vulnerabilities become more of a concern.

Maybe hackers will wait until Microsoft Vista ships and then release a combination worm such as Code Red or Nimda. On the other hand, maybe they'll continue to focus on exploits in existing Windows versions, such as the Windows 2000 worm that surfaced last month.

(Speaking of Windows 2000, remember that Windows 2000 is now on extended support; Microsoft ended mainstream product support on June 30, 2005. So don't expect Microsoft to release anything other than security fixes for Windows 2000.)

When it comes down to it, Windows Vista isn't something to worry about just yet—most corporations have much more pressing security concerns to address. Rather than worrying about Windows versions that haven't even shipped, companies need to worry about the versions they're currently using. Plenty of security concerns already exist for these OSes.

And, by all means, try to make rational, educated decisions about technology deployment. From what I can tell, Windows Vista looks like a mere facelift with a number of features that 99 percent of users probably won't even use anyway. Despite the marketing hype, Vista appears to be more decorative than functional at this point—and far from being a security risk to concern yourself with.

Miss an issue?

Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.