http://www.eweek.com/article2/0,1895,2084631,00.asp By Matt Hines January 16, 2007 News Analysis: Microsoft maintains that by addressing the social aspect of IT attacks, the portion that can dupe even the smartest users into launching malware-laden attachments or clicking unknown URLs, Vista will improve PC security significantly. Microsoft says the Windows operating system software is not the weakest link in desktop security, and contends that Windows Vista will help limit the greatest vulnerability of allusers' bad decision-making. While previous iterations of Microsoft's dominant operating system hit the market with an abundance of security loopholes that left users open to many different forms of attack, Microsoft officials said new features offered in Vista will not only make it harder for malware writers attack the OS, but will also make it more difficult for users to hang themselves out to dry. Executives pointed to Microsoft's SDL (Security Development Lifecycle) program as an attempt to root out many of the coding flaws that have left gaping security holes in previous versions of Windows during development, and said the primary thrust of the security tools added in Vista has been to help customers help themselves. >From its UAC (User Account Control) feature, which is meant to limit the ability of viruses to gain access to administrator status on desktops, to the anti-phishing filters built into the newly released Internet Explorer 7 browser, Microsoft has attempted to give users the mechanisms they need to do a better job of watching their own backs, said Ben Fathi, the Redmond, Wash., company's vice president for the Windows core operating system. Microsoft doesn't expect that Vista will be tight enough to evade all forms of malware, despite all the work done to shut holes via the SDL program, Fathi said, but it does believe it has given users the right set of warnings and tools to help better police their own habits. "The weakest link in the security of any system is the end user. It seems like we're putting them down, but, realistically, there's a lot we can do in technology to secure our products, but as long as user can be tricked into clicking a link or going to an unknown Web site, we're at risk," Fathi said. "We think that by helping users protect themselves better, we can make a big dent in the current methods of attacks being used by hackers." Zero-day exploits and self-cloaking rootkits may be all the rage at the most complex end of the malware spectrum, but most users encounter PC security issues because they fall for social engineering tactics and make mistakes such as opening malware e-mails sent from spoofed domains of familiar sources and following links to Web pages that offer viruses and other attacks along with their advertised content, Fathi said. UAC promises to help users prevent viruses from spreading within a machine by prompting the user to approve nearly every change to the system such a program might try to make. Whereas programs that tap into a machine's administrative controls to advance their reach largely operated in secret before Vista, users will now have the ability to shut the attacks down as they try to proliferate, Microsoft claims. The anti-phishing technologies in IE 7 utilize onboard heuristics, as well as site-blocking capabilities based on traditional black- and whitelists, to give users an idea of the security status of every site they attempt to access. Known malware and phishing sites are automatically blocked, whereas every other site gets a red, yellow or green rating, based on the characteristics it exhibits to the browser. Other security features integrated into Vista include Microsoft's Windows Defender spyware scanning and removal tool, and its BitDefender drive encryption system, which aims to help protect data in the case of stolen devices. In the past, even users with great technical expertise or aggressive IT administrators looking out for them still often ended up falling for the most convincing forms of online fraud, but the additional layer of protection will stop most criminal efforts before malware can land on the desktop, according to Microsoft. If users allow themselves to be drawn into a phishing site that has the browser flashing red around the edges, they should place much of the blame on themselves, not the operating system, Fathi said. Some security vendors are already criticizing Vista's onboard security components, with anti-virus market leader Symantec calling UAC too chatty to have a significant impact on safety, predicting that users will come to ignore the many warnings the system produces. Since the volume and complexity of the UAC security warnings will overwhelm most users, and potentially leave enterprise IT administrators drowning in a sea of related help tickets, many users will simply opt to run with the system off, Symantec officials said. In order to maximize the usefulness of UAC, Symantec said it is currently developing products that will manage UAC and the other Vista security tools to make them less obtrusive. However, some experts say they believe the attempt to limit the social aspect of IT threats will strike many people as positive, useful and adequate. Lee Nicholls, global solutions director for consultant firm Getronics, said he believes that all but the most demanding customers will be encouraged by the work that Microsoft has done. Part of Nicholls' job is helping to select the products that Getronics recommends to its customers, and he said the firm will encourage businesses to utilize Vista's onboard protections. Nicholls works at Microsoft's Redmond, Wash., campus, where he studies all of the software maker's latest technologies. "We've seen all this technology provided for Windows before by third-party vendors, but customers were forced to figure out numerous processes for troubleshooting between applications, which created some additional security issues," Nicholls said. "Now all the management is there in the product, which makes it easier for end users, and for us, to try to solve problems as they arise." While Getronics will continue to work with aftermarket security vendors and consider products such as Symantec's that promise to improve Vista's protections, he said that most users will be satisfied with the onboard tools, and that this may shift buying patterns when companies formulate their future IT security budgets. "At the client security level, I honestly believe that Vista will probably provide enough protection for most companies to feel sufficiently safe, and move away from traditional third-party tools," Nicholls said. "This will encourage companies to spend more money on their perimeter solutions as client security becomes less of an issue; whereas before companies spent a lot of time and money integrating anti-virus, with Vista they can shift their focus to adding security services at the edge of their operations." Even analysts who have been critical of Vista's security features during their development said the IT market landscape will change as a result of all the work Microsoft has done. Andrew Jaquith, an analyst for Yankee Group Research, said UAC and other features may be seen as an obstruction by some users, but he believes that anti-virus software makers and other vendors will need to rethink their own product strategies as a result of Vista. "Obviously there will still be a lot of opportunities for third-party companies to make improvements to the security capabilities in Vista, and to lend additional tools that Microsoft hasn't yet included in the OS," he said. "But I think these third parties should focus on building those products that help, instead of nitpicking what Microsoft has already done; the Vista world will be very different for Windows users and for the security industry, it's new footing for everyone." _____________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 22:27:13 PST