Microsoft’s Vista developers can’t catch a break these days. After years of warnings from security researchers that old code in Windows was creating security risks, the software giant decided to rewrite key parts of the operating system. The result? Last week, Symantec published a report suggesting that all of this new code will introduce new security problems.

"The network stack in Windows Vista was rewritten from the ground up. In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it," Symantec wrote, noting that it found vulnerabilities in the Windows Vista networking software. Symantec’s report can be found online.

"Despite the claims of Microsoft developers, the Windows Vista network stack as it exists today is less stable than the earlier Windows XP stack," the company said after examining a beta release of the software.

After years of being blamed for countless security problems, Microsoft may be in a no-win situation.

"You get beaten up if you modify the old code; you get beaten up if you write new code," said Russ Cooper, a senior information security analyst at Cybertrust. "The historic complaint against Microsoft has been that their code is bloated with all this legacy stuff. Rewrite it and now, ‘this is too new; this is untested.’"

The fact that Symantec was able to discover flaws in a beta release should not raise eyebrows, Cooper said. "There’s a reason products are put into beta, and it isn’t because people just want to see the default colors change," he said.

If customers do not ultimately see Vista as a more secure product than its predecessor, however, it will be a disaster for Microsoft—on an epic scale. Over the past few years, the company has literally reinvented the way it produces software, instituting a new set of software development practices known as the Security Development Lifecycle. It has retrained developers, built a suite of automated security testing tools and, most remarkably, invited scores of independent researchers to have unprecedented access to early versions of Vista.

"Vista is really the first release of the operating system to go through our Security Development Lifecycle from beginning to end," said Ben Fathi, corporate vice president of Microsoft’s Security Technology Unit. "That’s fundamentally a different way of looking at building security into the platform."

[Photo caption: Microsoft’s Ben Fathi]

Microsoft has gone to great lengths to publicize its Security Development Lifecycle, which was used in the development of Windows XP Service Pack 2 and SQL Server 2005. Company executives say the strict development guidelines used for XP Service Pack 2 played a big role in eliminating the widespread worm outbreaks that seemed so common just three years ago.

The emphasis on security is perhaps best illustrated by an event that Microsoft executives have declined to discuss in detail: the recent slip in Vista’s ship date.

Last March, Microsoft grabbed headlines by announcing that Vista would not be available in time for the 2006 holiday shopping season, as expected. Microsoft never gave specific reasons for the miss, but it was a major setback for a product that had already been five years in the works. Microsoft immediately reorganized the Platforms & Services Division, the group responsible for the delay, putting a new executive, Steve Sinofsky, in charge of Windows development.

Privately, several sources familiar with Vista’s development say that concerns over Vista’s security caused the widely publicized slip in the product’s ship date. In fact, T-shirts reading "I caused Vista to slip" soon became a common sight at Microsoft’s Building 27, home to the Secure Windows Initiative group, which is responsible for securing Microsoft’s software. "The shirt became very popular on campus," to the chagrin of management, said one source who asked not to be identified.

Fathi isn’t saying how much money Microsoft has spent on making Vista secure, but judging by the contract work available for penetration testers—hacking professionals who specialize in poking and prodding systems to unearth vulnerabilities—it hasn’t come cheap.

Although Microsoft will be sponsoring a Vista track at this year’s Black Hat USA hacker conference, many of the most prominent Windows security experts are now under nondisclosure agreements, according to Jeff Moss, the show’s director. "They’ve hired pretty much all of the bright people," he said. "So the number of speakers who can actually go out and publicly talk about Windows Vista security has rapidly dwindled."

For Fathi, this is a good thing. "We believe that we have the largest group of penetration testers ever assembled," Fathi said. "It’s costing me a lot of money. ... It’s worth every penny, of course."

Microsoft’s design choices will have a big effect on Vista’s security as well. Developers have changed the way Vista runs applications, scaling back the types of things that users can do by default in order to limit the damage that malware can wreak on a system. And they have also changed the way Vista works with the computer’s memory—by fencing off parts of memory and shuffling around the location of Windows functions—in order to make it harder for hackers to trick the PC into running malicious software.

"When you put all that stuff together, you end up making it a lot harder to write exploits," said Alex Stamos, a researcher who has worked with Microsoft in the past and is a founding partner of Information Security Partners.

This will make life harder for hackers, but it will also present challenges to users and legitimate software developers, who may suddenly have problems running their Windows XP code on Vista. "They’re basically breaking binary compatibility with a lot of things," Stamos said. "[This] really does mark a watershed change in thinking, from ‘binary compatibility over all,’ to security being the most important thing."

As for Symantec’s paper, Microsoft downplayed its importance last week. "The issues they discovered were all addressed in Beta 2," said Stephen Toulouse, a security program manager with Microsoft’s security response center.

But it appears that other important parts of Windows are being rewritten. Microsoft plans to talk further about some of the changes to "legacy functionality" at the Black Hat conference, which kicks off next week in Las Vegas, Toulouse said. He declined to say what, exactly, would be discussed, however. "I’m not going to spoil the content so close to presenting," he said.

-Robert McMillan, IDG News Service (San Francisco Bureau)