Vista (in)security - It's all your fault

Windows Vista is, apparently, less secure than Windows 2000. An analysis of threat data collected over a six-month period by security software developer PC Tools suggests that despite a bottom-up code rewrite and the uber-annoying User Account Control feature, Vista isn’t doing as good a job as some of its predecessors in keeping hackers at bay. By PC Tools’ calculations, based on analysis of 1.4 million computers which accessed its online ThreatFire community, 639 unique threats were found for each 1,000 Vista machines. For Windows 2000, the figure was 586, while for Windows 2003, it was 478.

The response from Microsoft to this news is that “in some cases it’s the user and their lack of knowledge and their implicit ‘it-won’t-happen-to-me’ complacency.” Michael Kleef goes on to say that we need to do more to educate users about security. “If I, despite all prompting and consent behaviour, choose to go to a (probably dodgy) website, accept the ActiveX control prompts to download (probably dodgy) code and I actually choose to execute that code then I’m hosed,” he says.

I disagree with Michael. Vista is far too complex for most home users. I’m willing to bet that few people really understand the implications of most of the security settings or security-related messages they are bombarded with over the course of a browsing session.

I don’t doubt Michael’s statement that “Vista’s actual vulnerabilities are significantly less than Windows 2000,” but if the operating system is more vulnerable because people using it are more likely to allow malicious code to execute, then nothing good has been accomplished. It’s a bit like driving a car that, every time you try to accelerate, asks you “are you sure you want to go faster?” Sure I do, if only I can switch off the annoying message – now, what did it say?