Windows Vista Security At 90 Days: How's It Doin'? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Business & Finance

Windows Vista Security At 90 Days: How's It Doin'?

Security firms say it depends on whether you believe Microsoft should be judged on how far it's come or how far it has yet to go.

No security feature has elicited more of a response from security researchers, software makers, and users than User Access Control. UAC was designed with the dual goal of forcing Windows users to work in a fairly restricted environment and not allowing all applications running on a PC to have privileged access to the operating system that would let them install drivers or make other changes to the PC environment without a system administrator's permission. Every previous version of Windows by default configured most user accounts to designate each user as a member of the local administrator's group, granting users the administrative capabilities required to install, update, and run many software applications.

With Vista, if a user wants to install an application, the PC will first check to see if the user has the right level of privilege to authorize the installation. If the user doesn't, that user will prompted to enter an authorization code supplied by their administrator. This also means that malware, including rootkits, can't automatically install itself on a user's PC.

"Giving PCs standard -- rather than privileged access to the operating system -- is the biggest prevention against these drive-by software installations," Toulouse says.

Online payment service provider PayPal is testing Vista for a possible deployment in the coming months, and company chief information security officer Michael Barrett favors UAC. "It actually has a whole lot going for it, especially in preventing drive-by downloads," he agrees. One common way drive-by downloads of malware occur is when cyberthieves set up phishing sites that download malicious software onto unsuspecting PCs when users visit those sites. "With UAC, the application can't run in the background," he says. "An application can't install itself on someone's PC without them knowing it."

Microsoft said it would also be more discerning before allowing just any security vendor to integrate its products with the 64-bit version of Vista through Microsoft's kernel patch protection initiative, also known as PatchGuard. Of course, Microsoft had competitive reasons for not granting now-competing security companies like McAfee or Symantec universal access to Windows kernel code, but the company maintains this move would also keep malware writers from exploiting the same interfaces used to marry third-party security products with Vista. After a lot of squawking by those security vendors, Microsoft plans to by the end of the year grant API access to those software companies as part of Vista Service Pack 1.

Vista's PatchGuard controls can be disabled and removed, says Oliver Friedrichs, director at Symantec Security Response, the company's security research arm. But he also acknowledges that all software companies are working to improve the security of their products even as attackers come up with new ways to defeat them. "It's an arms race," he says.

Microsoft has addressed some of the security problems that have tormented IT shops for the past decade, most notably the scourge of buffer overflows that allow attackers to remotely gain control of a system. Vista includes a feature known as address space layout randomization that randomly arranges applications in a system's memory so that attackers have a harder time creating a buffer overflow that would shut them down. "That is by far the most significant improvement," Friedrichs said.

Still, Symantec doesn't foresee Vista having much of an impact on security threats as a whole, largely because attackers are beginning to pay more attention to breaking the applications that run atop the operating system. This is particularly true of Web applications, which are notorious for having weak security. "Attackers are moving on to Web-based attacks, which is where 78% of all application flaws are seen today," Friedrichs says.

Toulouse says he isn't surprised when other software companies look at Vista security features and say, "We can improve that." In fact, he says, Microsoft solicited this type of advice during Vista's development process. One of the greatest changes in Microsoft in recent years is its willingness to listen more carefully to the outside world, and Toulouse promises that Microsoft will continue to take into consideration concerns raised about Vista security.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2 of 3
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Rethinking IT: Tech Investments that Drive Business Growth
Jessica Davis, Senior Editor, Enterprise Apps,  10/3/2019
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
Six Inevitable Technologies and the Milestones They Unlock
Guest Commentary, Guest Commentary,  10/3/2019
Register for InformationWeek Newsletters
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll