[ISN] Windows Vista Security At 90 Days: How's It Doin'?

From: InfoSec News (alerts@private)
Date: Thu Mar 08 2007 - 01:09:24 PST


By Larry Greenemeier
March 7, 2007

Three months into a life that could one day see it become the most 
prevalent operating system used in business, it's time to assess whether 
Microsoft has kept its promises related to Vista's security. The answer 
depends upon which promises you remember and whether you believe 
Microsoft should be judged on how far it's come or how far it has yet 
to go.

The short answer: Windows Vista is a solid improvement over its 
predecessors. After 90 days and with a relatively small number of 
deployments upon which to judge Microsoft's success, that's the 
consensus from security researchers, third-party vendors that rely on 
(and even compete with) the operating system, and corporate security 

This assertion comes with caveats, however. In the three Patch Tuesdays 
since Vista's launch, there's been one patch, MS07-010, that affects 
Vista. The patch became available in February to defend users against a 
critical vulnerability related to the way the Microsoft Malware 
Protection Engine parses Portable Document Format, or .pdf, files. This 
vulnerability, while not within Vista itself, could nevertheless allow 
attackers to remotely execute code on a company's PCs running Vista.

Fewer patches was one of Microsoft's goals for Vista, "but let's be 
clear that there will be vulnerabilities found in Vista, which is why we 
took the defense-in-depth strategy that we did," says Stephen Toulouse, 
senior product manager in Microsoft's Trustworthy Computing Group. Early 
claims about just how much Vista would improve a company's security 
aside, Microsoft now rightly recognizes that security requires far more 
than a well-written operating system with some security features. 
Toulouse makes it clear that Microsoft never promised that Vista would 
signal the end of the monthly patch cycle. "One of the things that you 
knew from the outset is that no one can get the software code 100% 
right," he says.

With Vista, Microsoft touts new security features such as BitLocker 
full-disk encryption, User Access Control, and the Windows Defender 
anti-spyware software that ships with every copy of the new Windows 
operating system. Microsoft has also spoken, at Black Hat security 
conferences and elsewhere, about new, more secure design and development 
processes when creating Vista. This included inviting security 
researchers to speak with Microsoft programmers at its Redmond offices 
through the Blue Hat program. No security feature has elicited more of a 
response from security researchers, software makers, and users than User 
Access Control. UAC was designed with the dual goal of forcing Windows 
users to work in a fairly restricted environment and not allowing all 
applications running on a PC to have privileged access to the operating 
system that would let them install drivers or make other changes to the 
PC environment without a system administrator's permission. Every 
previous version of Windows by default configured most user accounts to 
designate each user as a member of the local administrator's group, 
granting users the administrative capabilities required to install, 
update, and run many software applications.

With Vista, if a user wants to install an application, the PC will first 
check whether the user has the right level of privilege to authorize the 
installation. If the user doesn't, that user will be prompted to enter 
an authorization code supplied by their administrator. This also means 
that malware, including rootkits, can't automatically install itself on 
a user's PC.

"Giving PCs standard -- rather than privileged access to the operating 
system -- is the biggest prevention against these drive-by software 
installations," Toulouse says.

Online payment service provider PayPal is testing Vista for a possible 
deployment in the coming months, and company chief information security 
officer Michael Barrett favors UAC. "It actually has a whole lot going 
for it, especially in preventing drive-by downloads," he agrees. One 
common way drive-by downloads of malware occur is when cyberthieves set 
up phishing sites that download malicious software onto unsuspecting PCs 
when users visit those sites. "With UAC, the application can't run in 
the background," he says. "An application can't install itself on 
someone's PC without them knowing it."

Microsoft said it would also be more discerning before allowing just any 
security vendor to integrate its products with the 64-bit version of 
Vista through Microsoft's kernel patch protection initiative, also known 
as PatchGuard. Of course, Microsoft had competitive reasons for not 
granting now-competing security companies like McAfee or Symantec 
universal access to Windows kernel code, but the company maintains this 
move would also keep malware writers from exploiting the same interfaces 
used to marry third-party security products with Vista. After a lot of 
squawking by those security vendors, Microsoft plans to grant those 
software companies API access by the end of the year as part of Vista 
Service Pack 1.

Vista's PatchGuard controls can be disabled and removed, says Oliver 
Friedrichs, director at Symantec Security Response, the company's 
security research arm. But he also acknowledges that all software 
companies are working to improve the security of their products even as 
attackers come up with new ways to defeat them. "It's an arms race," he 

Microsoft has addressed some of the security problems that have 
tormented IT shops for the past decade, most notably the scourge of 
buffer overflows that allow attackers to remotely gain control of a 
system. Vista includes a feature known as address space layout 
randomization, which loads applications at unpredictable locations in a 
system's memory so that attackers have a harder time turning a buffer 
overflow into a working exploit. "That is by far the most significant 
improvement," Friedrichs said.
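As an added illustration that is not part of the article and not Microsoft's code: on Vista, image-base randomization only applies to binaries that opt in by carrying the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (the /DYNAMICBASE linker flag) in their PE optional header, so an administrator auditing a deployment wants a way to tell which executables actually benefit from ASLR. The Python below parses the PE headers and reports that bit; the DEP opt-in bit (NX_COMPAT) is included as a sibling flag the article does not mention. Flag values and header offsets are the documented ones from the PE/COFF specification; the sample images are constructed header-only stubs, not real executables.

```python
import struct

# Documented IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased: opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse the headers of a PE image and report its DllCharacteristics
    mitigation flags. Raises ValueError for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                  # 20-byte COFF file header starts here
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                      # optional header follows the COFF header
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the opt-in mitigations the image does NOT enable."""
    flags = pe_mitigations(data)
    return [name for name in ("dynamic_base", "nx_compat") if not flags[name]]


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for testing (hypothetical input).
    It is not a runnable executable: just an MZ stub, the PE signature, a COFF
    header and an optional header carrying the requested DllCharacteristics."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96   # standard sizes without data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine: x64 or i386
                       0,          # NumberOfSections
                       0,          # TimeDateStamp
                       0, 0,       # PointerToSymbolTable, NumberOfSymbols
                       opt_size,   # SizeOfOptionalHeader
                       0x0002)     # Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Compare a binary linked with /DYNAMICBASE and /NXCOMPAT against a legacy one.
    for label, flags in (("hardened", 0x0140), ("legacy", 0x0000)):
        sample = build_sample_pe(flags)
        print(label, pe_mitigations(sample), "missing:", missing_mitigations(sample))
```

To audit real files, read each executable with `open(path, "rb").read()` and pass the bytes to `missing_mitigations`; anything that reports `dynamic_base` as missing is loaded at its preferred base on Vista and gains nothing from the randomization described above.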

Still, Symantec doesn't foresee Vista having much of an impact on 
security threats as a whole, largely because attackers are beginning to 
pay more attention to breaking the applications that run atop the 
operating system. This is particularly true of Web applications, which 
are notorious for having weak security. "Attackers are moving on to 
Web-based attacks, which is where 78% of all application flaws are seen 
today," Friedrichs says.

Toulouse says he isn't surprised when other software companies look at 
Vista security features and say, "We can improve that." In fact, he 
says, Microsoft solicited this type of advice during Vista's development 
process. One of the greatest changes in Microsoft in recent years is its 
willingness to listen more carefully to the outside world, and Toulouse 
promises that Microsoft will continue to take into consideration 
concerns raised about Vista security. That doesn't mean that Microsoft 
will take all criticism lying down. The company questions the testing 
methodologies of security researchers that scrutinize its products. 
Since Vista's launch, Enex Test Labs in Australia published a study 
finding that Windows Defender blocked only 46.6% of spyware and found 
53.4% during a full computer scan. Meanwhile, anti-spyware vendor 
Webroot released the results of what it said was a two-week study of 
Windows Defender that showed the product missed 84% of a sample set of 
25 spyware and malicious code samples. Toulouse wonders whether Enex and 
Webroot are using the same methodology to classify spyware that 
Microsoft uses, and he also notes that the accuracy of a spyware product 
depends largely on the types of spyware included in the sample tested.

Yet the true test of Vista's strength can only play out over time, once 
the operating system begins to pervade corporate desktops and become a 
legitimate target for malicious hackers. "Many of our customers say they 
don't plan to deploy Vista for six to 12 months," says Don Leatham, 
director of solutions and strategy for PatchLink, a provider of patch 
and vulnerability management software. "A lot of shops are SP1 shops; 
they'll wait for the first service pack before migrating. Hackers are in 
this business for money, and they get paid by getting rootkits and 
malware onto as many computers as possible."

Some security researchers, including Joanna Rutkowska, a security 
researcher for Singapore-based IT security firm Coseinc, and Mark 
Shavlik, president and CEO of Windows patch facilitator Shavlik 
Technologies, have seen Microsoft back off some of its claims about how 
much Vista would improve IT security. "This was the security release 
that was going to change the world," says Shavlik, who worked for 
Microsoft as a developer on Windows NT in the late 1980s and early '90s. 
Shavlik's not so sure Vista will change the world. "It's better," he 

For now Vista's greatest enemy will be companies that fail to implement 
it properly. For UAC to be effective, administrators must make sure they 
don't give out authorization codes that allow users to download software 
indiscriminately. For BitLocker to encrypt data, users have to make sure 
it's running and their companies have to invest in PCs that contain a 
Trusted Platform Module chip, a microcontroller that can store secured 
information such as encryption keys. While the jury is out on whether 
Vista is a world beater, now's a good time for those intrepid early 
adopters to adopt some good security habits.

Copyright 2006 CMP Media LLC


This archive was generated by hypermail 2.1.3 : Thu Mar 08 2007 - 01:23:01 PST