How Tough Is Vista's Defensive Lineup?
"In Vista, it is too early to say what the actual weaknesses might be. It is fairly safe to say that weaknesses do exist, that more will be uncovered over time and that even some of what Microsoft has touted as security enhancements have already proven to be vulnerable," said Kaspersky Lab's Shane Coursen.
Mar 3, 2007 1:30 AM PT
It's open season on Windows Vista for hackers, crackers and virus and malware propagators.
As any IT manager will recall, malware incursions and zero-day exploits of Windows, Internet Explorer and Office applications were all too common in 2006.
Therefore, security providers and IT staff across organizations large and small have continued to vet, test and analyze Vista to uncover possible security weaknesses.
Point of Departure
"There are many Vista security enhancements, but only time will tell if they are effective," Kaspersky Lab Senior Technical Consultant Shane Coursen told TechNewsWorld. "For the short term, we can assume that all will be effective to a certain degree. For the long-term, we know that malicious hackers are never satisfied to sit back and admit defeat."
"The primary reason for our taking as long as we did to develop and release Vista is security," Jonathan Hatchuel, Business Group Executive for Windows Clients at Microsoft South Africa, told TechNewsWorld. "We focused on trying to secure the core of the operating system by building a shield around it that provides a level of security beyond anything that the industry has seen.
"The point of departure is the recognition that we have substantial numbers of both individuals and businesses using our software," he continued. So we've invested a huge amount of resources to make Vista as secure as possible, while at the same time making it easy to use as possible for individuals -- and with the configuration capabilities and level of granularity required for businesses to implement across their networks."
Microsoft software engineers have used a number of methods and mechanisms to accomplish this, he added. These include the following:
- A "limited user-account" feature that prompts end users for authentication when attempts are made to access the core of the OS;
- Vista runs in a "protected mode" when running core applications, such as IE and Windows Media Player, which more effectively seals off the core OS from these applications, as well as ActiveX controls from Web sites and Web services applications;
- The inclusion of Windows Defender, an anti-malware security package that provides real-time system monitoring for spyware, adware and other forms of malware that have been used to hijack user information remotely; and
- Upgraded versions of the security features included in Windows XP Service Pack 2, such as a built-in firewall and Security Center feature.
When it comes to antivirus protection, Microsoft still recommends running an up-to-date antivirus product, said Hatchuel.
Color-Coded Real-Time Risk Assessments
In protected mode, Vista employs a system of color-coded security alerts within IE's information bar, to either block a range of known and identifiable security threats, prompt users for authentication or prompt them to allow the incoming message traffic through its security perimeter.
Microsoft has taken the safe, conservative road, erring on the side of too much security when it comes to those default settings. "If the user doesn't know or cannot decide what to do, it will be automatically blocked," Hatchuel noted. In this way, "the technophobe is automatically protected while the more tech-literate individual is given additional information and asked to make a choice as to whether or not to allow the Web site or software code" to download.
One additional security risk feature is an estimate of probable risk. "This is the case when a user visits a known or potential phishing site," Hatchuel continued. Under the default settings, the site would be blocked automatically.
The same security risk display and presentation mechanism is used for incoming ActiveX controls, a particular concern for exploits of Word, Excel and Internet Explorer.
"We've done an enormous amount of research on this and have tried to provide as much in the way of protection and security features that give the end user what he or she needs to make an informed decision," Hatchuel said.
Potential Weak Points
Time will tell whether Vista's new security defense features will consistently be able to detect and prevent the increasing -- and increasingly organized -- number of hacker and virus attacks.
"Microsoft has highly touted Vista as the most secure operating system ever. Some of the changes, such as driver signing may be helpful, but other changes will not be as effective as Microsoft hopes," commented ESET's Randy Abrams.
"Much noise has been made about Kernel Patch Protection (KPP). In reality, this only applies to 64-bit versions of Vista," Abrams noted. There are not that many 64-bit applications in widespread use, he added, which explains why KPP will not be a significant factor for a few years, at least.
"Companies such as ESET have not had any significant issues working around KPP. Fundamentally, it is a good idea and all arguments against it have smelled suspiciously of marketing endeavors," he said.
Another new Vista security feature that may prove better in theory than in practice, at least in the near-term, is User Access Control (UAC), Abrams said. "It will be fairly useless to the average user and the implementation is horrendously broken for the users who understand the prompts.
"Microsoft tried UAC back in the days of Office 1997. After making the mistake of allowing macros to run unchecked in Office 1995, Microsoft added an option to allow or deny macros. If a user was smart enough to turn on the feature and leave it on then it provided decent protection against macro viruses.
"The sad fact was that most users looked at the dialog with a blank stare and assumed that 'Yes' meant 'It works" and 'No' meant 'It won't work.' Fundamentally, there is no difference between Office 1997 macro protection and UAC," Abrams claimed.
Later versions of Office offered far superior protection, he added. "Knowledgeable users could digitally sign macros and allow trusted macros to run while silently disabling all others. Inexperienced users simply did not see anything and made no wrong choices.
"With UAC, experienced users are forced to run installers in the risky administrator context instead of being given the option to run an installer in a lower class mode. UAC, through unreasonable inflexibility, is an enabler of social engineering attacks that a slightly different approach would have avoided," he noted.
All Eyes on Vista and Security
"The forecast for 2007 directly depends on what exploits are found in Windows Vista and MS Office 2007," Kaspersky Lab stated in a recent report.
By Kaspersky Lab's count, the total number of malicious programs grew 41 percent between year-end 2005 and year-end 2006.
In addition to UAC, antiphishing capabilities and better IE protection, Kaspersky Lab's Coursen noted that Vista also comes with improved protection from buffer overflow attacks, also known as ASLR (address space layout randomization).
While in general supportive of Microsoft including its Windows Defender anti-malware protection, Coursen is also a bit skeptical. "I don't want to downplay the importance of Windows Vista shipping with a built in antivirus-firewall solution. Something is always better than nothing. But if trusted implicitly, that something -- in this case, it would be a flawed or badly managed antivirus solution -- may actually act as a hindrance to implementing truly good security.
"Until it has proven itself, I see Windows Defender as a stop-gap measure for those users who do not consider a comprehensive software or hardware security solution an absolute necessity.
"In Vista, it is too early to say what the actual weaknesses might be. It is fairly safe to say that weaknesses do exist, that more will be uncovered over time and that even some of what Microsoft has touted as security enhancements have already proven to be vulnerable," Coursen added.
Time Will Tell
As to Vista's uptake since its release, at least in the growing South African market, "Vista sales are coming in ahead of expectations thus far, particularly in the retail space," said Microsoft's Hatchuel.
Although he declined to provide specific numbers, Hatchuel claimed, "We still have a significant base of Windows 95 and even DOS systems out there. We don't expect OEMs (original equipment manufacturers), systems developers, etc., to shift overnight, but we anticipate that by July or August 65 to 70 percent of all PCs shipped in South Africa will be running Vista."