[ISN] Windows Vista Deemed 'Most Secure'

From: InfoSec News (alerts@private)
Date: Wed Jan 23 2008 - 22:34:23 PST


http://www.informationweek.com/news/showArticle.jhtml?articleID=205917444

By Thomas Claburn 
InformationWeek 
January 23, 2008 

Windows Vista gets high marks for security, from Microsoft at least.

"I think that it's fair to say that Windows Vista is proving to be the 
most secure version of the Windows to date," said Austin Wilson, 
director in Microsoft's Windows client group, in a blog post on 
Wednesday. "Our investments in the SDL [Security Development Lifecycle] 
and our defense in depth approach to building Windows Vista seem to be 
paying off."

Windows Vista also exhibited fewer vulnerabilities than other operating 
systems over a one-year period, according to a report published by Jeff 
Jones, security strategy director in Microsoft's Trustworthy Computing 
group. The report claims that there were 36 vulnerabilities fixed in 
Windows Vista during its first year, compared to 65 in Windows XP, 360 
in Red Hat RHEL4 reduced, 224 in Ubuntu 6.06 LTS reduced, and 116 in Mac 
OS X 10.4, also known as Tiger.

"My analysis found that researchers found and disclosed significantly 
fewer vulnerabilities in Windows Vista than either its predecessor 
product, Windows XP, or other operating systems such as Red Hat 
Enterprise Linux, Ubuntu, and Apple Mac OS X 10.4," said Jones in his 
report.

Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik 
Technologies, considers such metrics to be apples-to-oranges 
comparisons. "When you start counting vulnerabilities, it's a matter of 
defining vulnerabilities," he said. "For example, if a bulletin is 
released for Internet Explorer, that's one patch for IE. Microsoft may 
have broken it out to say there are five distinct issues fixed in this 
patch. Is that five vulnerabilities or is that one vulnerability because 
it's one patch?"

Setting aside questionable comparisons to other operating systems, 
Vista's superiority to its Windows ancestors may not seem particularly 
surprising or noteworthy. But Wilson makes the case that Vista's 
security features like User Account Control and Internet Explorer 
Protected Mode reduce the risk and severity of security vulnerabilities 
and give companies more time to deploy patches.

Wilson points out that Windows Vista makes it easier to run standard 
user accounts rather than administrative accounts, which are more 
dangerous when compromised. This, he says, diminishes the impact of 
vulnerabilities.

"Of the 23 security bulletins that have been released for Windows Vista 
through January 2008, 12 specifically call out a lower impact for those 
running without administrative privileges: MS07-033, 034, 040, 042, 045, 
047, 048, 050, 057, 064, 068, and 069," explained Wilson. "This is a 
great illustration of the importance of User Account Control and why we 
included it in the product. It's also the reason I personally run as a 
standard user on every machine I use."

Wilson also singles out Internet Explorer Protected Mode as a reason 
that Vista is more secure than XP. Protected Mode in Vista prevents 
Internet Explorer 7 from altering user or system files, and various 
settings, without consent from the user. This diminishes the 
effectiveness of malicious Web sites, if the user is paying attention.

As evidence of the impact of Protected Mode, Wilson cites the MS07-056 
security bulletin from October 2007. It was rated "Important" on Windows 
Vista and "Critical" on Windows XP. He also notes that IE 7 and Vista 
are blocking almost 1 million phishing attempts every week. One metric 
where Vista seems to shine is in terms of patch days.

"During Windows XP's first year, updates were released on 26 separate 
days," said Wilson. "Through a combination of the move to a predictable 
monthly release schedule, and decreased vulnerabilities, Windows Vista 
had updates released on just nine days in its first year. To the average 
security professional, this is one of the most relevant metrics: how 
many times did I have to activate my internal patch management process 
due to vendor update releases over the course of a year?"

Schultze remains skeptical about Wilson's claims. "What he states is 
accurate, but he's only presenting the numbers that come out in a 
favorable light," he said. "He's not presenting the numbers that come 
out in an unfavorable light. For example, he claims that there are a 
certain number of vulnerabilities for which, on Vista, there was lower 
severity than on Windows XP. But he's not telling you about the number 
of patches which were more critical on Vista than on Windows XP."

Dave Marcus, security research and communications manager of McAfee 
Avert Labs, gives Wilson credit for some good points but believes it's 
still too early to declare victory for Vista. "Wilson put forth a very 
good argument," he said. "His stats are valid, but I think he fails to 
take into account that most businesses have not deployed Vista, nor have 
most consumers."

Marcus said that while Vista was superior to Microsoft's previous 
operating systems from a security standpoint, many of the security 
features were only available in 64-bit versions of the operating system 
and many organizations would be disinclined to purchase new hardware to 
use those features.

Once Microsoft officially deploys Vista SP1, Marcus expects more 
corporate Vista deployments and a clearer picture of Vista's security 
profile. Like other security vendors, McAfee has predicted a surge in 
malware in 2008 for Vista as more people install the new operating 
system.

"We think 2008 will be the year that Vista finally joins the malware 
party," said Marcus.

In a phone interview, Wilson countered that Windows Vista already is 
widely deployed, noting that Microsoft has already shipped 100 million 
copies of the software. And he expressed skepticism about a surge in 
malware, given that security researchers have been looking for holes in 
Vista since the Black Hat Conference in 2006, when Microsoft distributed 
beta copies of the operating system to help identify security flaws.

"It's safe to say that the security research community has had a strong 
focus on Windows Vista," said Wilson.

But that focus has yet to offer much clarity. "This is a matter of 
Microsoft bending the statistics for their own purposes," said Schultze. 
"We could just as easily create the same number of statistics that puts 
Windows Vista security in a negative light."

Copyright 2007 CMP Media LLC
