Vista is no panacea for security - Symantec

 

Gallery

By Matt Whipp

Posted on 1 Mar 2007 at 12:24

Symantec has issued a report on the state of security within Microsoft's flagship operating system Vista, claiming that the platform is far from the panacea for all security ills that many had hoped.

The security company said that Vista's new plumage has been mainly plucked from the open-source community, rather than being new security developments in themselves.

'Most are derived from the groundwork originally laid by open source operating systems such as Linux and OpenBSD, the PaX and Stackguard projects, as well as numerous academic publications,' it claims.

And much of the rest was already in place in Windows XP SP2. 'The majority of these technologies first appeared in Windows XP SP2. These technologies, which are now integrated in Windows Vista, include driver signing, SafeSEH, DEP [data execution prevention], pointer obfuscation, PatchGuard (Windows XP x64), UAC [user account control], code signing, Windows Defender, and Windows Update.'

This has meant that some attacks written for Windows XP SP2 will readily operate unchanged on Vista. 'The results showed that 3 per cent of backdoors can successfully execute and survive a system restart on Windows Vista without modification. Other categories include keyloggers, of which 4 per cent can successfully execute and survive a system restart, mass mailers (4 per cent), Trojans (2 per cent), spyware (2 per cent), and adware (2 per cent).'

There are other issues, too. Symantec says that the new features only add to security as they are implemented in third-party applications. But it seems that Microsoft too can fall foul of this, and Symantec's investigation showed that DEP has been deployed in a limited fashion in Vista, restricted to the core operating system.

It also discovered that the randomising of an application's memory footprint was not functioning properly. This randomising should provide a huge amount of protection against attacks, as each instance of a running application differs, making it difficult for generic attacks targeting the same point in memory space to be successful. Symantec says Microsoft will fix the component which is failing to randomise properly in SP1 for Vista.

Symantec also unleashed its security experts on Vista to try and break down the kernel defences driver signing, Code Integrity, and PatchGuard and successfully did so in a one 'man week'. 'A potential victim need make only one mistake to become infected by a threat that does the same. The result: All new security technologies are stripped from Windows Vista in their entirety,' it said.

Symantec also believes the new technologies written into Vista are as yet uncharted waters both for vulnerabilities to emerge and attack vectors.

Microsoft has completely rewritten the network stack - a task requiring a great deal of time and code. Symantec believes that this amount of code and the new protocols it has introduced will need some time to bed in. Microsoft was fixing bugs and issues right up to the launch, it claims, and concludes there are likely more to be found in the future.

Vista's Gadgets feature may also be an avenue for attacks, claims the company. While these mini-apps are subject to the same controls as any other software installed on Vista, their ability to communicate via the Internet could lead to socially-engineered attacks that result in innocuous looking Gadgets harvesting sensitive information from a user's hard drive.

The company recognised Vista as 'a more secure version of Microsoft Windows,' to the point at which attackers are more likely to target third-party applications and web services as the easiest route in. It also sees the user as the weakest link, either through a lack of information leading to wrong decisions or as a victim of socially engineered attacks.