Windows Vista Security At 90 Days: How's It Doin'?

Three months into a life that could one day see it become the most prevalent operating system used in business, time to assess whether Microsoft has kept its related to Vista's security. The answer depends upon which promises you remember and whether you believe Microsoft should be judged on how far it's come or how far it has yet to go.

The short answer: Windows Vista is a solid improvement over its predecessors. After 90 days and with a relatively small number of deployments upon which to judge Microsoft's success, that's the consensus from security researchers, third-party vendors that rely on (and even compete with) the operating system, and corporate security managers.

This assertion comes with caveats, however. In the three Patch Tuesdays since Vista's launch, there's been one patch, MS07-010, that affects Vista. The patch became available in February to defend users against a critical vulnerability related to the way the Microsoft Malware Protection Engine parses Portable Document Format, or .pdf, files. This vulnerability, while not within Vista itself, could nevertheless allow attackers to remotely execute code on a company's PCs running Vista.

Fewer patches was one of the goals that Microsoft has for Vista, "but let's be clear that there will be vulnerabilities found in Vista, which is why we took the defense-in-depth strategy that we did," says Stephen Toulouse, senior product manager in Microsoft's Trustworthy Computing Group. Early claims aside about just how much Vista would improve a company's security, Microsoft rightly recognizes now that security requires way more than a well-written operating system with some security features. Toulouse makes it clear that Microsoft never promised that Vista would signal the end of the monthly patch cycle. "One of the things that you knew from the outset is that no one can get the software code 100% right," he says.

With Vista, Microsoft touts new security features such as BitLocker full-disk encryption, User Access Control, and the Windows Defender anti-spyware software that ships with every copy of the new Windows operating system. Microsoft has also spoken, at Black Hat security conferences and elsewhere, about new, more secure design and development processes when creating Vista. This included inviting security researchers to speak with Microsoft programmers at its Redmond offices through the Blue Hat program. No security feature has elicited more of a response from security researchers, software makers, and users than User Access Control. UAC was designed with the dual goal of forcing Windows users to work in a fairly restricted environment and not allowing all applications running on a PC to have privileged access to the operating system that would let them install drivers or make other changes to the PC environment without a system administrator's permission. Every previous version of Windows by default configured most user accounts to designate each user as a member of the local administrator's group, granting users the administrative capabilities required to install, update, and run many software applications.

With Vista, if a user wants to install an application, the PC will first check to see if the user has the right level of privilege to authorize the installation. If the user doesn't, that user will prompted to enter an authorization code supplied by their administrator. This also means that malware, including rootkits, can't automatically install itself on a user's PC.

"Giving PCs standard -- rather than privileged access to the operating system -- is the biggest prevention against these drive-by software installations," Toulouse says.

Online payment service provider PayPal is testing Vista for a possible deployment in the coming months, and company chief information security officer Michael Barrett favors UAC. "It actually has a whole lot going for it, especially in preventing drive-by downloads," he agrees. One common way drive-by downloads of malware occur is when cyberthieves set up phishing sites that download malicious software onto unsuspecting PCs when users visit those sites. "With UAC, the application can't run in the background," he says. "An application can't install itself on someone's PC without them knowing it."

Microsoft said it would also be more discerning before allowing just any security vendor to integrate its products with the 64-bit version of Vista through Microsoft's kernel patch protection initiative, also known as PatchGuard. Of course, Microsoft had competitive reasons for not granting now-competing security companies like McAfee or Symantec universal access to Windows kernel code, but the company maintains this move would also keep malware writers from exploiting the same interfaces used to marry third-party security products with Vista. After a lot of squawking by those security vendors, Microsoft plans to by the end of the year grant API access to those software companies as part of Vista Service Pack 1.

Vista's PatchGuard controls can be disabled and removed, says Oliver Friedrichs, director at Symantec Security Response, the company's security research arm. But he also acknowledges that all software companies are working to improve the security of their products even as attackers come up with new ways to defeat them. "It's an arms race," he says.

Microsoft has addressed some of the security problems that have tormented IT shops for the past decade, most notably the scourge of buffer overflows that allow attackers to remotely gain control of a system. Vista includes a feature known as address space layout randomization that randomly arranges applications in a system's memory so that attackers have a harder time creating a buffer overflow that would shut them down. "That is by far the most significant improvement," Friedrichs said.

Still, Symantec doesn't foresee Vista having much of an impact on security threats as a whole, largely because attackers are beginning to pay more attention to breaking the applications that run atop the operating system. This is particularly true of Web applications, which are notorious for having weak security. "Attackers are moving on to Web-based attacks, which is where 78% of all application flaws are seen today," Friedrichs says.

Toulouse says he isn't surprised when other software companies look at Vista security features and say, "We can improve that." In fact, he says, Microsoft solicited this type of advice during Vista's development process. One of the greatest changes in Microsoft in recent years is its willingness to listen more carefully to the outside world, and Toulouse promises that Microsoft will continue to take into consideration concerns raised about Vista security. That doesn't mean that Microsoft will take all criticism lying down. The company questions the testing methodologies of security researchers that scrutinize its products. Since Vista's launch, Enex Test Labs in Australia published a study finding that Windows Defender blocked only 46.6% of spyware and found 53.4% during a full computer scan. Meanwhile, anti-spyware vendor Webroot released the results of what it said was a two-week study of Windows Defender that showed the product missed 84% of a sample set of 25 spyware and malicious code samples. Toulouse wonders whether Enex and Webroot are using the same methodology to classify spyware that Microsoft uses, and he also notes that the accuracy of a spyware product depends largely on the types of spyware included in the sample tested.

Yet the true test of Vista's strength can only play out over time, once the operating system begins to pervade corporate desktops and become a legitimate target for malicious hackers. "Many of our customers say they don't plan to deploy Vista for six to 12 months," says Don Leatham, director of solutions and strategy for PatchLink, a provider of patch and vulnerability management software. "A lot of shops are SP1 shops; they'll wait for the first service pack before migrating. Hackers are in this business for money, and they get paid by getting rootkits and malware onto as many computers as possible."

Some security researchers, including Joanna Rutkowska, a security researcher for Singapore-based IT security firm Coseinc, and Mark Shavlik, president and CEO of Windows patch facilitator Shavlik Technologies, have seen Microsoft back off some of its claims about how much Vista would improve IT security. "This was the security release that was going to change the world," says Shavlik, who worked for Microsoft as a developer on Windows NT in the late 1980s and early '90s. Shavlik's not so sure Vista will change the world. "It's better," he acknowledges.

For now Vista's greatest enemy will be companies that fail to implement it properly. For UAC to be effective, administrators must make sure they don't give out authorization codes that allow users to download software indiscriminately. For BitLocker to encrypt data, users have to make sure it's running and their companies have to invest in PCs that contain a Trusted Platform Module chip, a microcontroller that can store secured information such as encryption keys. While the jury is out on whether Vista is a world beater, now's a good time for those intrepid early adopters to adopt some good security habits.