Reports of Vista's security weakness 'overblown'

Sophos says its report that three of last month's top 10 malware attacks could have penetrated Microsoft Vista wasn't meant to denigrate the operating system, but rather to make the point that no matter how secure an OS is, it still needs help from third-party security vendors.

Reports of its vulnerability to malware were greatly exaggerated.

Last week, U.K.-based security vendor Sophos PLC released a report that three of today's top 10 forms of malware -- Mydoom, Netsky and Stration -- are capable of penetrating Vista security.

Sophos senior security analyst Ronald O'Brien said the reaction to this news was overblown.

"If you read the news coverage the report received, it would appear that you were intent on creating doubt about the security of Vista," O'Brien said. "But the intent was to show that Microsoft is an operating system provider, not a security provider. Their efforts to make Vista more secure than Windows XP have been realized, but it doesn't negate the need for a third-party security vendor."

In other words, Sophos, itself a third-party security vendor, was trying to show that Vista customers will still need vendors such as Sophos, McAfee Inc. and Symantec Corp., even if Vista is more secure than its predecessors.

"I do think Vista is more secure," O'Brien reiterated. "There are functions and features built into Vista that make computing systems more secure. But I don't think it's something that can run without the benefit of a third-party security vendor."

Last month a Sophos researcher installed Vista on a PC and tried to infect it with the top 10 malware threats for November, O'Brien said. First, the researcher delivered the malware through the Windows Mail Client, Vista's successor to Outlook Express. Vista successfully defended against all 10 attacks.

But then the researcher tried to penetrate Vista with the malware by introducing it through a Web-based personal email account. Vista resisted seven of them, but Mydoom, Netsky and Stration all succeeded in their attacks.

Microsoft said Sophos' findings did not demonstrate a security vulnerability in Vista.

"Based on our initial investigation, Microsoft can confirm that these [malware] variants do not take advantage of a security vulnerability," a Microsoft spokesman said. "Rather, they rely on social engineering to infect a user's system."

Mydoom, Netsky and Stration do rely on social engineering. Stration, for instance, usually reaches victims as a spam email purporting to come from the mail server administrator. The message tells the recipient that his or her computer has been infected by a virus and instructs the user to open an attached file to install an update that will remove it. The attached file is, of course, the worm itself: opening it infects the computer, which the worm then uses to send further copies of itself.

The Microsoft spokesman said Vista includes aggressive protections against social engineering attacks, such as improved attachment blocking in the Windows Mail Client and the User Account Control (UAC) feature, which allows Vista users to run on limited-privilege accounts.
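The kind of attachment-blocking check a mail client applies, as an added example (not Sophos's or Microsoft's code, and not a description of how Windows Mail is implemented). It parses a constructed message modelled on the Stration lure described above and flags the attachment for each reason a blocklist-style filter would refuse to open it: an unsafe extension, a disguised double extension, executable bytes in the payload, and a declared content type that disagrees with those bytes. The extension list, the function names and the sample messages are assumptions for illustration. The point it makes about the test described earlier is that such a filter lives in the mail client: a file fetched through a browser-based mail account never passes through it, which is why the operating system's remaining line of defence there is the privilege the user is running with.

```python
"""Attachment-blocking check of the kind a mail client applies.

Added example, not Sophos's or Microsoft's code. The blocklist, the
helper names and the sample messages are assumptions for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions an Outlook Express / Windows Mail-style filter treats as unsafe.
# Assumed subset for illustration; real lists are much longer.
UNSAFE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Signatures of executable content, whatever the file name or MIME type claims.
PE_MAGIC = b"MZ"            # Windows PE / DOS executable header
ZIP_MAGIC = b"PK\x03\x04"   # ZIP container, commonly used to wrap an .exe

# Declared content types under which executable bytes are plainly a lie.
INNOCUOUS_TYPES = {"text/plain", "image/jpeg", "image/gif", "application/pdf"}


def attachment_findings(raw_message: bytes) -> list:
    """Return one (filename, reason) tuple per reason an attachment would be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        exts = name.lower().split(".")[1:]          # every extension after the base name

        # 1. Final extension is on the unsafe list.
        if exts and exts[-1] in UNSAFE_EXTENSIONS:
            findings.append((name, f"unsafe extension .{exts[-1]}"))

        # 2. Disguised extension such as "update.txt.exe": a user who sees only
        #    the first extension is being social-engineered.
        if len(exts) > 1 and any(e in UNSAFE_EXTENSIONS for e in exts):
            findings.append((name, "double extension"))

        # 3. Content sniffing: executable bytes regardless of name or MIME type.
        if payload.startswith(PE_MAGIC):
            findings.append((name, "PE header (MZ) in payload"))
        elif payload.startswith(ZIP_MAGIC):
            findings.append((name, "ZIP container; contents need inspection"))

        # 4. Declared content type contradicts the sniffed content.
        ctype = part.get_content_type()
        if ctype in INNOCUOUS_TYPES and payload.startswith(PE_MAGIC):
            findings.append((name, f"content-type {ctype} does not match executable payload"))
    return findings


def build_stration_style_lure() -> bytes:
    """Constructed sample modelled on the lure in the text; not a real Stration message."""
    msg = EmailMessage()
    msg["From"] = "Mail Administrator <admin@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your computer is infected"
    msg.set_content("Our server detected a virus on your computer. "
                    "Run the attached update to remove it.")
    # A stand-in "update": only a PE header stub, labelled text/plain to dodge
    # a type-based filter and named with a double extension to dodge the user.
    fake_exe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
    msg.add_attachment(fake_exe, maintype="text", subtype="plain",
                       filename="Update-KB.txt.exe")
    return bytes(msg)


def build_benign_message() -> bytes:
    """Constructed control message with an ordinary text attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.")
    msg.add_attachment("Agenda: patching schedule for Q1.", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in attachment_findings(build_stration_style_lure()):
        print(f"BLOCK {name}: {reason}")
    print("benign findings:", attachment_findings(build_benign_message()))
```

Each check is independent so that defeating one (renaming the file, lying about the content type) still leaves the others to fire; the content-sniffing rule is the one a user-visible lure cannot talk its way past, which is why a filter that only looks at extensions is weaker than one that also reads the first bytes.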

"In those cases where other email clients may not have made the same aggressive security design decisions as Microsoft did with Windows Mail Client, other protections such as UAC can still apply to help provide better protections against email-based social engineering attacks," the spokesman said.

Pete Lindstrom, senior analyst at Midvale, Utah-based consultancy Burton Group, said, "All the client security software vendors are caught between a rock and a hard place because it's very clear that Vista is providing more security and Microsoft has said it is going to compete with them on software."

Lindstrom agreed that automated social engineering attacks are different from an exploit of flaws in code. He said malware can trouble Vista when users have weaker-than-optimal security configurations.

"Everyone is trying to pig-pile on Microsoft for Vista because it gets the press blazing and because Microsoft came out with guns blazing saying it was going to compete against antivirus vendors," Lindstrom said.

He said Vista will need a lot less protection from worms and viruses than past Windows versions. But, he added, there will always be a need for third-party software that can repel malware that runs abusive processes parallel to legitimate processes.

"Right now we're debating [with Microsoft] whether it's purely a social engineering technique or whether there needs to be a third-party security partner in place," O'Brien countered. "We're going to be watching this [malware] behavior as Vista becomes more widely distributed and work closely with Microsoft."

Shamus McGillicuddy, News Writer
