Wednesday, June 04, 2008
Is Vista Really More Secure?
First, I’ll admit that, as much as I’d like to be, I’m not a fan of Vista. I do find myself saying that Vista is more secure, and that’s not a bad thing. I’ve noticed that most people associate the increase in security with User Account Control. There’s actually more to Vista security than UAC.
Everyone loves to hate User Account Control because it’s so annoying. Ars Technica recently referred to WinPatrol as being UAC for Windows XP, which motivated me to create some new annoy-proof features (coming soon). I was pleased to see that even Vista evangelist Ed Bott recently wrote “How Microsoft can fix UAC”. Ed pointed to comments by Sunbelt Software’s Alex Eckelberry, who shares my own “cry wolf” fears with UAC. “Since over 80% of all infections are based on social engineering, the popups should focus on that weak point.”
Social engineering is when users are tricked into doing something and end up installing malware that they never wanted. I’ve mentioned many examples of social engineering, but my favorite is the hacker who would leave a floppy disk with a virus/worm on it lying around at a company he wanted to infiltrate. On the label of the floppy disk, he handwrote the words “Employee Salaries”.
Since social engineering isn’t addressed in Vista, is Vista really more secure?
Symantec recently published a number of papers on Vista security. While their work was balanced, they weren’t shy about pointing out some problems. For instance, most of the code that makes up Vista is built with a compiler feature called GS Stack Protection, which prevents a popular hack called “Buffer Overflow”. According to Symantec researcher Ollie Whitehouse, “~150 binaries under the C:\Windows directory that do not contain GS protected code.”
According to AV-test.org, UAC stops many rootkits from being installed, and I know Microsoft takes these infiltrations seriously. One of my friends at Microsoft once told me, “They (rootkits) scare the bejebers out of us”. Kernel Patch Protection prevents programs from hooking into the guts of Windows and is critical in the prevention of rootkit infiltrations. Unfortunately, KPP only works with Vista x64 and breaks attempts at protection from many other security vendors. Thankfully, it’s not a problem for WinPatrol.
Microsoft also considers Windows Auto Update to be a security feature. They recommend users allow auto updates, and when new security patches are available on Tuesdays, Windows users are automatically saved from possible threats posed by newly discovered vulnerabilities. If you’re a regular Bits from Bill reader, you’ll know how I feel about auto updates. They’re just plain evil.
Vista Ultimate includes a feature called BitLocker. Essentially, this feature encrypts all data stored on your hard drive. This method has already been hacked by researchers at Princeton and sadly reminds me how much success I had with early Microsoft disk compression. I’ll pass for now.
Microsoft’s Strategy Director Jeff Jones recently published his “Windows Vista One Year Vulnerability Report” and the results show “Windows Vista has an improved security vulnerability profile over its predecessor.”
Windows Vista had 30% fewer Security Bulletins than Windows XP
Windows Vista had 20% fewer vulnerabilities than Windows XP
Windows Vista had 28% fewer Critical and Important vulnerabilities than Windows XP
26 vulnerabilities on Windows Vista are less severe for any users running as standard user.
So, it appears that for the 20% of non-Social Engineered vulnerabilities, Vista has an advantage. Unfortunately, it’s still not enough for me. As long as any vulnerabilities are being found, I’ll continue to be on watch using my favorite protection programs.