
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Analysis

Security

Posted on 13 Nov 2007 at 11:21

With more than nine out of every ten PCs worldwide running Windows, XP and Vista aren't just targets for malware - they're pretty much the only targets. Vista was famously written with security in mind but, ten months on from its launch, has it really stood up to Microsoft's claims?

Windows XP has been plagued by security issues, and continues to be so. Even in its infancy, Vista has also suffered from security flaws: regardless of how effective Microsoft's security measures are, any Windows OS is going to be the subject of sustained attack due to its popularity.

Bug fixing

Given Microsoft's strenuous efforts to address security, it's perhaps surprising to discover that Vista suffered more known security issues in its first five months than XP did, according to Microsoft's own figures. It's even more shocking to discover that fewer fixes have been issued for Vista.

While this sounds bad, Vista's had fewer fixes because the early security issues were relatively trivial compared to the early XP ones. However, after six months, Vista still contained one known and unfixed security vulnerability that was categorised as High severity. Unknown exploits are also freely traded online.

Firewalls

Both XP and Vista include a firewall. XP's original offering was disabled by default, but with SP2 Microsoft introduced the Windows Firewall, and enabled it automatically. Vista's firewall is also enabled by default. However, both firewalls are limited. XP's firewall blocks only incoming connections and doesn't monitor the outgoing network traffic, which means that any malware running on the system is able to connect to the internet undetected.

Vista's firewall does have the capability to block outgoing connections, but the default setting allows all outgoing traffic, so it's no more secure than XP out of the box. There's a tool to configure the firewall to block certain outgoing traffic, but this facility involves blocking specific ports rather than allowing or denying certain applications.
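The allow-all outbound default described above can be checked from the text that `netsh advfirewall show allprofiles` prints on Vista. The Python sketch below is an added example, not part of the original article: it parses that output and flags any profile where the firewall is off or outbound traffic is allowed by default. The sample output is constructed and abridged, the function names are hypothetical, and it assumes the English-language labels.

```python
import re

# Constructed, abridged sample in the layout of `netsh advfirewall show allprofiles`
# (assumption: English-language Windows; localized builds print other labels).
SAMPLE_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,BlockOutbound
Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

PROFILE_RE = re.compile(r"^(\w+) Profile Settings:\s*$")
SETTING_RE = re.compile(r"^(State|Firewall Policy)\s{2,}(\S+)\s*$")

def parse_profiles(text):
    """Return {profile: {"state": ..., "inbound": ..., "outbound": ...}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            if m.group(1) == "State":
                current["state"] = m.group(2).upper()
            else:
                inbound, _, outbound = m.group(2).partition(",")
                current["inbound"], current["outbound"] = inbound, outbound
    return profiles

def audit(text):
    """List (profile, finding) pairs for profiles with weak defaults."""
    findings = []
    for name, cfg in parse_profiles(text).items():
        if cfg.get("state") != "ON":
            findings.append((name, "firewall is off"))
        # AllowOutbound is the out-of-the-box setting the article describes.
        elif cfg.get("outbound", "").lower() != "blockoutbound":
            findings.append((name, "outbound traffic allowed by default"))
    return findings
```

Calling `audit(SAMPLE_OUTPUT)` reports the Private and Public profiles; on a real machine, pass it the captured text of the netsh command instead.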

User Access Control

XP's poorly implemented account controls mean most people are permanently logged in as administrators, allowing all kinds of malware to wreak havoc with your PC. Vista does exercise some control over apps, however. The User Access Control (UAC) system forces users to confirm they want to run certain programs, install software or make other important changes to Windows. This means that, if malware attempts to execute on your PC in the background, you should see a box asking you to confirm or block the file. XP lacks this feature, which is why it's advisable to run a personal firewall with the capability to block applications.

However, UAC is no panacea: we threw 126 executable items of malware at a naked Vista machine and, of the 42% that ran on the system, fewer than half caused Vista to present a UAC prompt or firewall alert.

XP's default security lacks sophistication.

UAC also relies on users having some idea about what's normal and abnormal system behaviour. Market research from Symantec has discovered that inexperienced users normally click OK, regardless of the context. So, while UAC may add security from a technical standpoint, users may accidentally subvert it. There's also a possibility that people who find themselves clicking OK constantly will deliberately sabotage the security: UAC is easily disabled, and even experienced users can be tempted to switch it off without realising that doing so also disables Internet Explorer's protected mode, parental controls and file/Registry virtualisation.
