[ISN] Windows Vista no more secure than XP: report

From: InfoSec News (alerts@private)
Date: Fri Jun 01 2007 - 00:39:16 PDT


http://arstechnica.com/news.ars/post/20070530-windows-vista-no-more-secure-than-xp-report.html

By Ken Fisher  
Ars Technica
May 30, 2007

The strength of Windows Vista's security model is easily the biggest 
question facing the nascent operating system. While sales will be strong 
simply on account of the way OEMs have adopted Vista on their midrange 
and high-end offerings, the place of Vista in the enterprise is not yet 
clear. Microsoft must demonstrate that its approach to security with 
Vista is indeed effective; otherwise, IT managers will see little 
benefit to moving to the new OS anytime soon.

Windows Vista only offers "marginal security advantages over XP" 
according to tests completed by CRN [1]. "Vista remains riddled with 
holes, despite its multilayer security architecture and embedded 
security tools." The report's findings are mixed and at times a little 
unfair, but it does demonstrate the problems that Microsoft has to 
face—technical and otherwise.

The report faults Vista for "providing no improvement in virus 
protection vs. XP," but of course Windows Vista does not ship with 
antivirus software—something the reviewer fails to mention. Faulting an 
AV-less Vista for not stopping viruses is a bit like faulting a door 
without a lock for opening when the handle is twisted. Any business that 
is deploying Vista (or XP) without an antivirus solution is, of course, 
out of its mind.

What Vista does have built in is Windows Defender and User Account 
Control, which should both help stop forms of malware other than 
viruses. And CRN found that Vista does have an "edge" over XP when 
detecting spyware and adware. It wasn't perfect though: some malware 
slipped through. Here, though, we run into the issue of deciding what 
counts as "stopping" malware. For instance, CRN says that Vista "missed" 
Trojan-Spy.Win32.Goldun.ms, when in fact UAC warns a user when it is 
accessed (I can confirm that). CRN faults Windows Defender for not 
identifying and blocking the Trojan outright (it did block others), 
while Microsoft will tell you that UAC did its job by throwing up a 
warning and asking for user intervention.

In testing some remote data exploits, the reviewers were unable to 
determine if all of the exploits they tested actually target Vista, 
making their findings rather questionable. IE7 did stop one RDS exploit 
while missing four others that may have been only targeted at XP. 
Notably, XP did not stop any of the RDS exploits. Vista is better here, 
but the jury is out on how well it did or did not do since the reviewers 
were unable to determine the full threat of the exploits they were 
using.

Vista and XP both failed miserably at finding scripting exploits in the 
HTTP stream, and this remains a big problem for both operating systems. 
Vista failed to flag the exploits as they came down the pipe, though the 
firewall did detect when the exploits attempted to communicate over the 
'net. This is what we've found in our testing as well (the results of 
which we hope to publish next month).

CRN doesn't tell the whole story with such exploits, however. IE7 in 
protected mode forces such scripts to run at a very restricted user 
privilege level, unlike XP which will allow those same scripts to run at 
the same privilege level as a user. Vista may let some of those scripts 
through, but the damage they do is also mitigated to a certain extent. 
This is why Microsoft believes such threats will have to evolve [2] to 
survive with fewer rights and less access to the system: if they get 
through, they will find a very limited sandbox to play in. CRN's 
coverage completely ignores this point and fails to test for its 
effectiveness.

It was also disappointing to see CRN completely ignore the issue of 
buffer overflows, which has been addressed well in Vista by most 
accounts. This was a major weak spot with XP, and so far, Vista looks 
strong in this area, strong enough that Vista may never get its own "SQL 
Slammer." Why CRN didn't address this is a mystery, as it is no minor 
matter.

Indeed, while the CRN report is informative, it lacks much critical 
information to support its judgment that Vista is only a minor 
improvement. For instance, it's not enough to know if an exploit "got 
through" IE. What happened afterward? Did it modify system files, 
corrupt the registry, or deliver some other payload? CRN doesn't report 
on the effects it observed. We cannot know if the scripting exploits 
really bypassed Vista because CRN doesn't tell us what the scripts did. 
There's a big difference between 1) a script exploit running and then 
installing a rootkit in XP and 2) a script exploit running in Vista but 
failing at installing that same rootkit. CRN makes no distinction.

In all, the CRN report finds that Vista was as good as XP in seven 
categories and better in four others (notably, Spyware/Adware, 
Obfuscated Code Exploits, RDS Exploits, and Trojans). Importantly, it 
was never outperformed by XP, and just as importantly, these tests were 
carried out using default settings. The scripting exploits, for 
instance, are largely defanged by tweaking IE7's zone settings, and 
there are other moves that a competent IT shop would undertake to make 
Vista more secure before releasing it to Joe User. And again, CRN didn't 
measure the effect of these exploits, which ignores a big piece of the 
overall security overhaul in Vista.
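The two paragraphs above lean on IE7's Protected Mode and on its per-zone settings. The following PowerShell audit is an added example, not code from the article or from CRN's test; it assumes the documented per-zone registry value "2500" (REG_DWORD, 0 = Protected Mode on, 3 = off) under the user hive, and the matching Policies hive that a domain GPO writes to. The function name Get-IEProtectedModeStatus is our own.

```powershell
# Added example: report whether IE Protected Mode is enabled for each security
# zone, reading both the user setting and any policy override (assumed layout).
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$UserBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyBase = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Read-ProtectedModeValue {
    param([string]$Base, [int]$ZoneId)
    # Value "2500" holds the Protected Mode switch; missing value means "not set".
    $key = Join-Path $Base $ZoneId
    $item = Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'2500'
}

function Get-IEProtectedModeStatus {
    foreach ($id in ($ZoneNames.Keys | Sort-Object)) {
        $policy = Read-ProtectedModeValue -Base $PolicyBase -ZoneId $id
        $user   = Read-ProtectedModeValue -Base $UserBase   -ZoneId $id
        # A policy value wins over the per-user setting when both exist.
        $effective = if ($null -ne $policy) { $policy } else { $user }
        if     ($null -eq $effective) { $state = 'Not set (OS default)' }
        elseif ($effective -eq 0)     { $state = 'Enabled' }
        elseif ($effective -eq 3)     { $state = 'Disabled' }
        else                          { $state = "Unknown ($effective)" }
        [pscustomobject]@{
            ZoneId        = $id
            Zone          = $ZoneNames[$id]
            ProtectedMode = $state
            Source        = if ($null -ne $policy) { 'Policy' } elseif ($null -ne $user) { 'User' } else { '-' }
        }
    }
}

# Flag zones where scripts would run with the full user token rather than low integrity.
Get-IEProtectedModeStatus | Format-Table -AutoSize
Get-IEProtectedModeStatus | Where-Object { $_.ProtectedMode -eq 'Disabled' } |
    ForEach-Object { Write-Warning "Protected Mode is off for zone '$($_.Zone)' ($($_.Source))" }
```

Run it under the account whose browser profile you are checking; a zone reported as Disabled is one where a script exploit that "gets through" IE7 keeps the user's ordinary privileges instead of the restricted sandbox described above.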

Still, Vista's security is most certainly not a "slam dunk," and that 
should worry Microsoft. The mantra that Vista is an evolutionary step in 
security should be met with better results than this. As one IT contact 
told me recently, some shops view Windows security primarily as an issue 
of aggressive filtering at the corporate firewall, and Vista doesn't 
look poised to change that. All the reviews in the world probably won't 
change that, either. Time, coupled with a relatively clean record for 
Vista, is probably the only thing that will change skeptical minds.

[1] http://www.crn.com/software/199701019 
[2] http://arstechnica.com/news.ars/post/20070430-microsofts-guru-malware-and-viruses-will-evolve-on-vista.html

Copyright © 1998-2007 Ars Technica, LLC

This archive was generated by hypermail 2.1.3 : Fri Jun 01 2007 - 00:56:33 PDT