Monday, August 20, 2007

Vista's First Service Pack Coming Soon

Windows Vista's first service pack is arriving on August 14 through Windows Update, roughly six months after Microsoft released Vista. It is not yet clear whether the Windows Vista service pack will include security fixes or merely update certain Vista components to improve Vista's performance and compatibility.

News outlets have been touting the rumored release of two big Windows Vista patches to beta testers, but the releases have been confirmed this week by a leak of those patches to various Web sites.

The Vista performance and compatibility packs reportedly address issues that some Vista users have been complaining about. Among other things, the fixes are designed to improve Vista's performance when copying or moving large files or large directories. Issues with Vista's memory manager -- which can cause the system to lose its default gateway address -- are also reportedly addressed in the packs.

The running theme of the fixes is to improve the performance and reliability Relevant Products/Services of Vista, as well as compatibility issues with printers, digital cameras, and other devices.

The official updates are expected to be available to the general public on August 14 as a 45-MB download over Windows Update, but impatient Vista users can instead choose to visit any of several sites to download the packs.

However, while the downloads are widely available, they are not yet official releases. That means the software might not contain the same contents as the publicly released Service Pack 1 that will be available over Windows Update next month.

Six Months, 60 Million

The first service pack is arriving six months after Vista's initial release. Microsoft Relevant Products/Services has sold 60 million copies of the operating system since it was introduced, according to Microsoft Chief Operating Officer Kevin Turner, who said last week that during the first five weeks of sales, copies of Windows Vista exceeded the number of computers that Apple currently has as its total installed base.

According to Microsoft's Trustworthy Computing Group, the software giant's latest operating system is far more secure than competing platforms -- or even previous Windows iterations.

During Windows Vista's first six months on the market, Microsoft released four security Relevant Products/Services updates to address 12 total vulnerabilities in Vista. In the National Vulnerability Database, the National Institute of Standards and Technology rated 10 of these vulnerabilities as high severity, one as medium, and one as low.

By comparison, when Windows XP debuted, there were already three Internet Explorer vulnerabilities, which had been disclosed and fixed three weeks prior to market distribution. Consequently, new users had to apply an IE patch immediately to address them. In addition, Microsoft fixed a total of 36 vulnerabilities in the first six months Windows XP was available.

Security Fixes in the Works?

Will these packs contain security fixes? "At this point it isn't clear if the hotfixes actually contain any security patches or are restricted to performance issues, so it remains to be seen what the updates truly contain," said Michael Sutton, a security evangelist for SPI Dynamics.

However, he added, Microsoft tends to stick to a monthly patch cycle for security issues, so the hotfixes might not patch any vulnerabilities, and none appear to be clearly listed in the release notes.

"In general, it is not advisable to release security fixes only to a select group, as binary patches can be reverse engineered to reveal the issues that they address," Sutton concluded. "Once patches are publicly available, they can and will be used by both white and black hats."