http://arstechnica.com/news.ars/post/20070530-windows-vista-no-more-secure-than-xp-report.html

By Ken Fisher
Ars Technica
May 30, 2007

The strength of Windows Vista's security model is easily the biggest question facing the nascent operating system. While sales will be strong simply on account of the way OEMs have adopted Vista on their midrange and high-end offerings, the place of Vista in the enterprise is not yet clear. Microsoft must demonstrate that its approach to security with Vista is indeed effective; otherwise, IT managers will see little benefit to moving to the new OS anytime soon.

Windows Vista only offers "marginal security advantages over XP" according to tests completed by CRN [1]. "Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools." The report's findings are mixed and at times a little unfair, but it does demonstrate the problems that Microsoft has to face—technical and otherwise.

The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software—something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted. Any business that is deploying Vista (or XP) without an antivirus solution is, of course, out of its mind.

What Vista does have built in is Windows Defender and User Account Control, which should both help stop forms of malware other than viruses. And CRN found that Vista does have an "edge" over XP when detecting spyware and adware. It wasn't perfect though: some malware slipped through. Here, though, we run into the issue of deciding what counts as "stopping" malware. For instance, CRN says that Vista "missed" Trojan-Spy.Win32.Goldun.ms, when in fact UAC warns a user when it is accessed (I can confirm that). CRN faults Windows Defender for not identifying and blocking the Trojan outright (it did block others), while Microsoft will tell you that UAC did its job by throwing up a warning and asking for user intervention.

In testing some remote data exploits, the reviewers were unable to determine if all of the exploits they tested actually target Vista, making their findings rather questionable. IE7 did stop one RDS exploit while missing four others that may have been only targeted at XP. Notably, XP did not stop any of the RDS exploits. Vista is better here, but the jury is out on how well it did or did not do since the reviewers were unable to determine the full threat of the exploits they were using.

Vista and XP both failed miserably at finding scripting exploits in the HTTP stream, and this remains a big problem for both operating systems. Vista failed to flag the exploits as they came down the pipe, though the firewall did detect when the exploits attempted to communicate over the 'net. This is what we've found in our testing as well (the results of which we hope to publish next month).

CRN doesn't tell the whole story with such exploits, however. IE7 in protected mode forces such scripts to run at a very restricted user privilege level, unlike XP, which will allow those same scripts to run at the same privilege level as the user. Vista may let some of those scripts through, but the damage they do is also mitigated to a certain extent. This is why Microsoft believes such threats will have to evolve [2] to survive with fewer rights and less access to the system: if they get through, they will find a very limited sandbox to play in. CRN's coverage completely ignores this point and fails to test for its effectiveness.

It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.

Indeed, while the CRN report is informative, it lacks much critical information to support its judgment that Vista is only a minor improvement. For instance, it's not enough to know if an exploit "got through" IE. What happened afterward? Did it modify system files, corrupt the registry, or deliver some other payload? CRN doesn't report on the effects it observed. We cannot know if the scripting exploits really bypassed Vista because CRN doesn't tell us what the scripts did. There's a big difference between 1) a script exploit running and then installing a rootkit in XP and 2) a script exploit running in Vista but failing at installing that same rootkit. CRN makes no distinction.

In all, the CRN report finds that Vista was as good as XP in seven categories and better in four others (notably, Spyware/Adware, Obfuscated Code Exploits, RDS Exploits, and Trojans). Importantly, it was never outperformed by XP, and just as importantly, these tests were carried out using default settings. The scripting exploits, for instance, are largely defanged by tweaking IE7's zone settings, and there are other moves that a competent IT shop would undertake to make Vista more secure before releasing it to Joe User. And again, CRN didn't measure the effect of these exploits, which ignores a big piece of the overall security overhaul in Vista.

Still, Vista's security is most certainly not a "slam dunk," and that should worry Microsoft. The mantra that Vista is an evolutionary step in security should be met with better results than this. As one IT contact told me recently, some shops view Windows security primarily as an issue of aggressive filtering at the corporate firewall, and Vista doesn't look poised to change that.
All the reviews in the world probably won't change that, either. Time, coupled with a relatively clean record for Vista, is probably the only thing that will change skeptical minds.

[1] http://www.crn.com/software/199701019
[2] http://arstechnica.com/news.ars/post/20070430-microsofts-guru-malware-and-viruses-will-evolve-on-vista.html

Copyright © 1998-2007 Ars Technica, LLC