By Matt Hines
January 16, 2007
News Analysis: Microsoft maintains that by addressing the social aspect
of IT attacks, the portion that can dupe even the smartest users into
launching malware-laden attachments or clicking unknown URLs, Vista will
improve PC security significantly.
Microsoft says the Windows operating system software is not the weakest
link in desktop security, and contends that Windows Vista will help
limit the greatest vulnerability of all: users' bad decision-making.
While previous iterations of Microsoft's dominant operating system hit
the market with an abundance of security loopholes that left users open
to many different forms of attack, Microsoft officials said new features
offered in Vista will not only make it harder for malware writers to attack
the OS, but will also make it more difficult for users to hang
themselves out to dry.
Executives pointed to Microsoft's SDL (Security Development Lifecycle)
program as an attempt to root out many of the coding flaws that have
left gaping security holes in previous versions of Windows during
development, and said the primary thrust of the security tools added in
Vista has been to help customers help themselves.
From its UAC (User Account Control) feature, which is meant to limit the
ability of viruses to gain access to administrator status on desktops,
to the anti-phishing filters built into the newly released Internet
Explorer 7 browser, Microsoft has attempted to give users the mechanisms
they need to do a better job of watching their own backs, said Ben
Fathi, the Redmond, Wash., company's vice president for the Windows core
Microsoft doesn't expect that Vista will be tight enough to evade all
forms of malware, despite all the work done to shut holes via the SDL
program, Fathi said, but it does believe it has given users the right
set of warnings and tools to help better police their own habits.
"The weakest link in the security of any system is the end user. It
seems like we're putting them down, but, realistically, there's a lot we
can do in technology to secure our products, but as long as a user can be
tricked into clicking a link or going to an unknown Web site, we're at
risk," Fathi said. "We think that by helping users protect themselves
better, we can make a big dent in the current methods of attacks being
used by hackers."
Zero-day exploits and self-cloaking rootkits may be all the rage at the
most complex end of the malware spectrum, but most users encounter PC
security issues because they fall for social engineering tactics and
make mistakes such as opening malware e-mails sent from spoofed domains
of familiar sources and following links to Web pages that offer viruses
and other attacks along with their advertised content, Fathi said.
UAC promises to help users prevent viruses from spreading within a
machine by prompting the user to approve nearly every change to the
system such a program might try to make. Whereas programs that tap into
a machine's administrative controls to advance their reach largely
operated in secret before Vista, users will now have the ability to shut
the attacks down as they try to proliferate, Microsoft claims.
The anti-phishing technologies in IE 7 utilize onboard heuristics, as
well as site-blocking capabilities based on traditional black- and
whitelists, to give users an idea of the security status of every site
they attempt to access. Known malware and phishing sites are
automatically blocked, whereas every other site gets a red, yellow or
green rating, based on the characteristics it exhibits to the browser.
Other security features integrated into Vista include Microsoft's
Windows Defender spyware scanning and removal tool, and its BitDefender
drive encryption system, which aims to help protect data in the case of
In the past, even users with great technical expertise or aggressive IT
administrators looking out for them still often ended up falling for the
most convincing forms of online fraud, but the additional layer of
protection will stop most criminal efforts before malware can land on
the desktop, according to Microsoft.
If users allow themselves to be drawn into a phishing site that has the
browser flashing red around the edges, they should place much of the
blame on themselves, not the operating system, Fathi said.
Some security vendors are already criticizing Vista's onboard security
components, with anti-virus market leader Symantec calling UAC too
chatty to have a significant impact on safety, predicting that users
will come to ignore the many warnings the system produces. Since the
volume and complexity of the UAC security warnings will overwhelm most
users, and potentially leave enterprise IT administrators drowning in a
sea of related help tickets, many users will simply opt to run with the
system off, Symantec officials said.
In order to maximize the usefulness of UAC, Symantec said it is
currently developing products that will manage UAC and the other Vista
security tools to make them less obtrusive.
However, some experts say they believe the attempt to limit the social
aspect of IT threats will strike many people as positive, useful and
adequate. Lee Nicholls, global solutions director for consultant firm
Getronics, said he believes that all but the most demanding customers
will be encouraged by the work that Microsoft has done.
Part of Nicholls' job is helping to select the products that Getronics
recommends to its customers, and he said the firm will encourage
businesses to utilize Vista's onboard protections. Nicholls works at
Microsoft's Redmond, Wash., campus, where he studies all of the software
maker's latest technologies.
"We've seen all this technology provided for Windows before by
third-party vendors, but customers were forced to figure out numerous
processes for troubleshooting between applications, which created some
additional security issues," Nicholls said. "Now all the management is
there in the product, which makes it easier for end users, and for us,
to try to solve problems as they arise."
While Getronics will continue to work with aftermarket security vendors
and consider products such as Symantec's that promise to improve Vista's
protections, he said that most users will be satisfied with the onboard
tools, and that this may shift buying patterns when companies formulate
their future IT security budgets.
"At the client security level, I honestly believe that Vista will
probably provide enough protection for most companies to feel
sufficiently safe, and move away from traditional third-party tools,"
Nicholls said. "This will encourage companies to spend more money on
their perimeter solutions as client security becomes less of an issue;
whereas before companies spent a lot of time and money integrating
anti-virus, with Vista they can shift their focus to adding security
services at the edge of their operations."
Even analysts who have been critical of Vista's security features during
their development said the IT market landscape will change as a result
of all the work Microsoft has done.
Andrew Jaquith, an analyst for Yankee Group Research, said UAC and other
features may be seen as an obstruction by some users, but he believes
that anti-virus software makers and other vendors will need to rethink
their own product strategies as a result of Vista.
"Obviously there will still be a lot of opportunities for third-party
companies to make improvements to the security capabilities in Vista,
and to lend additional tools that Microsoft hasn't yet included in the
OS," he said. "But I think these third parties should focus on building
those products that help, instead of nitpicking what Microsoft has
already done; the Vista world will be very different for Windows users
and for the security industry, it's new footing for everyone."