Microsoft's Vista developers can't catch a break these days. After years of warnings from security researchers that old code in Windows was creating security risks, the software giant decided to rewrite key parts of the OS (operating system).

The result? Symantec recently published a report suggesting that all of this new code will introduce new security problems.

"The network stack in Windows Vista was rewritten from the ground up. In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it," Symantec wrote, noting that it found vulnerabilities in the Windows Vista networking software.

"Despite the claims of Microsoft developers, the Windows Vista network stack as it exists today is less stable than the earlier Windows XP stack."

No-win situation

After years of being blamed for countless security problems, Microsoft may be in a no-win situation.

"You get beaten up if you modify the old code; you get beaten up if you write new code," said Russ Cooper, senior information security analyst at Cybertrust. "The historic complaint against Microsoft has been that its code is bloated with all this legacy stuff. Rewrite it and now [people say:] 'This is too new; this is untested.'"

The fact that Symantec was able to discover flaws in a beta release should not raise eyebrows, Cooper said. "There's a reason products are put into beta, and it isn't because people just want to see the default colours change," he said.

Reinventing product lifecycles

If customers do not ultimately see Vista as a more secure product than its predecessor, however, it will be a disaster for Microsoft – on an epic scale. Over the past few years, the company has reinvented the way it produces software, instituting a new set of software development practices known as the Security Development Lifecycle. It has retrained developers, built a suite of automated security testing tools and, most remarkably, invited scores of independent researchers to have unprecedented access to early versions of Vista.

"Vista is really the first release of the OS to go through our Security Development Lifecycle from beginning to end," said Ben Fathi, corporate vice-president of Microsoft's security technology unit. "That's fundamentally a different way of looking at building security into the platform."

Microsoft has gone to great lengths to publicise its Security Development Lifecycle, which was used in the development of Windows XP Service Pack 2.0 and SQL Server 2005. Company executives have said the strict development guidelines used for XP Service Pack 2.0 played a big role in eliminating the widespread worm and virus outbreaks that seemed so common just three years ago.

The emphasis on security is perhaps best illustrated by an event that Microsoft executives have declined to discuss in detail: the recent slip in Vista's ship date.

For more on this story, visit tomorrow.