Reports of Windows Vista's vulnerability to malware were greatly exaggerated.
Last week, U.K.-based security vendor Sophos PLC released a
report stating that three of today's top 10 forms of
malware -- Mydoom, Netsky and Stration --
are capable of penetrating Vista security.
Sophos senior security analyst Ronald O'Brien said the reaction to
this news was overblown.
"If you read the news coverage the report received, it would
appear that you were intent on creating doubt about the security of
Vista," O'Brien said. "But the intent was to show that Microsoft is
an operating system provider, not a security provider. Their
efforts to make Vista more secure than Windows XP have been
realized, but it doesn't negate the need for a third-party
security vendor."
Indeed, the company, a third-party security vendor, was
attempting to show that Vista customers will still need vendors
like Sophos, McAfee Inc., Symantec Corp., etc., even if Vista is
more secure than its predecessor operating systems.
"I do think Vista is more secure," O'Brien reiterated. "There
are functions and features built into Vista that make computing
systems more secure. But I don't think it's something that can run
without the benefit of a third-party security vendor."
Last month a Sophos researcher installed Vista on a PC and tried
to introduce the top 10 malware threats for November to it, O'Brien
said. First, the researcher introduced the malware through the
Windows Mail Client, the new version of Outlook Express. Vista
successfully defended against all 10 attacks.
But then the researcher tried to penetrate Vista with the
malware by introducing it through a Web-based personal email
account. Vista resisted seven of them, but Mydoom, Netsky and
Stration all succeeded in their attacks.
Microsoft said Sophos' findings did not demonstrate a security
vulnerability in Vista.
"Based on our initial investigation, Microsoft can confirm that
these [malware] variants do not take advantage of a security
vulnerability," a Microsoft spokesman said. "Rather, they rely on
social engineering to infect a user's system."
Mydoom, Netsky and Stration do rely on social engineering.
Stration, for instance, usually reaches victims via a spam email
sent from a bogus mail server administrator. The message informs
the victim that his or her computer has been infected by a virus
and instructs the user to open an attached file in order to install
an update to scrub out the virus. Of course, the attached file
actually launches a worm attack that hijacks the computer.
The Microsoft spokesman said Vista includes aggressive
protections against social engineering attacks, such as improved
attachment blocking in the Windows Mail Client and the User Account
Control (UAC) feature, which allows Vista users to run on
limited-privilege accounts.
"In those cases where other email clients may not have made the
same aggressive security design decisions as Microsoft did with
Windows Mail Client, other protections such as UAC can apply still
to help provide better protections against email-based social
engineering attacks," the spokesman said.
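The lure described above (a message from a bogus mail administrator claiming infection and asking the user to open an attached "update") and the attachment-blocking defence the spokesman mentions can both be expressed as a simple mail-gateway triage check. This is an added example, not code from Sophos or Microsoft; the blocked-extension list, the lure phrases and the sample message are all constructed assumptions.

```python
import email
from email import policy

# Assumed block list of executable attachment types, modelled on the kind of
# attachment blocking the article attributes to Windows Mail (not its real list).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Lure markers taken from the Stration description: a sender posing as the
# mail server administrator, and a body that claims infection and tells the
# reader to open an attachment to install an update.
ADMIN_SENDER_HINTS = ("postmaster", "mail administrator", "mail server")
BODY_LURE_PHRASES = ("infected", "virus", "open the attached", "install", "update")

# Constructed sample message imitating the described lure (not a real sample).
SAMPLE_MESSAGE = """From: Mail Administrator <postmaster@example.invalid>
To: user@example.invalid
Subject: Your computer is infected
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our mail server detected that your computer is infected by a virus.
Please open the attached file to install the update that removes it.
--b1
Content-Type: application/octet-stream; name="Update-KB.exe"
Content-Disposition: attachment; filename="Update-KB.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def triage(raw: str) -> dict:
    """Report blocked attachment types and lure indicators found in one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    blocked = [a.get_filename() for a in msg.iter_attachments()
               if (a.get_filename() or "").lower().endswith(BLOCKED_EXTENSIONS)]
    admin_lure = any(hint in sender for hint in ADMIN_SENDER_HINTS)
    lure_hits = [p for p in BODY_LURE_PHRASES if p in body]
    # Quarantine only when an executable attachment rides on a lure, so that a
    # plain notification without an attachment is not flagged.
    return {"blocked_attachments": blocked, "admin_sender_lure": admin_lure,
            "body_lure_phrases": lure_hits,
            "quarantine": bool(blocked) and (admin_lure or len(lure_hits) >= 3)}
```

The same check run on a message carrying only text reports the lure phrases but does not quarantine, which is the distinction the article draws between a social-engineering lure and an exploit of a code flaw.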
Pete Lindstrom, senior analyst at Midvale, Utah-based
consultancy Burton Group, said, "All the client security software
vendors are caught between a rock and a hard place because it's
very clear that Vista is providing more security and Microsoft has
said it is going to compete with them on software."
Lindstrom agreed that automated social engineering attacks are
different from the exploitation of flaws in code. He said malware can
still trouble Vista when users run weaker-than-optimal security
configurations.
"Everyone is trying to pig-pile on Microsoft for Vista because
it gets the press blazing and because Microsoft came out with guns
blazing saying it was going to compete against antivirus vendors,"
Lindstrom said.
He said Vista will need a lot less protection from worms and
viruses than past Windows versions. But, he added, there will
always be a need for third-party software that can repel malware
that runs abusive processes parallel to legitimate processes.
"Right now we're debating [with Microsoft] whether it's purely a
social engineering technique or whether there needs to be a
third-party security partner in place," O'Brien countered. "We're
going to be watching this [malware] behavior as Vista becomes more
widely distributed and work closely with Microsoft."
Let us know what you think about the story; email:
Shamus McGillicuddy,
News Writer