Found this article to be worth a read: http://www.crn.com/software/199701019?pgno=1
-
It doesn't surprise me a bit as Vista in its released form is nothing more than XP with a shiny coat of paint and DX10. The original plans for Longhorn were shelved in order to get this bloatware on the market.
-
As they say, no software is truly secure. And no PCs are truly secure either.
-
Well, I think we can wait for the Vista Service Pack #1 and see how Vista will perform then.
-
-
No, it's not significantly more secure. Unless all users leave UAC on all the time and understand what they're agreeing to install. At least at this point.
And, from the article Jalf posted, it sounds like UAC may not be that effective. But they said they were running the systems with no defense apps turned on, only the default security settings.
I think it shows, more than anything, that computer users need some education on the safety of surfing the net with/without security programs and keeping their systems secure.
-
READ THIS COMMENT IN RESPONSE TO THAT ARTICLE
RogerAGrimes
Sr. Security Consultant
commented on Jun 3, 2007 1:53:07 PM
I would like to respond to this article. First, let me start off by saying that although I'm a full-time Microsoft employee (as of a few months ago), this is not an "official" Microsoft response. I'm responding as a 20-year Windows security veteran, author of 7 books on computer security, and long-time user of several other OSs besides Windows (e.g. OpenBSD, Linux, AS/400, etc.). Overall, the conclusion of the article is not supported by itself or the facts of every other independent review, even by people who dislike Microsoft.
This article stated that Windows Vista is no more secure than Windows XP. Ignoring for the moment that your own tests and printed rating system showed otherwise, there are huge reasons why I know your conclusions and tests are grossly inaccurate-and your readers should know so they can make an informed decision.
First, there is no doubt that you either disabled User Account Control (UAC), ignored its warnings, or refused to report on it. 99% of Windows malware requires elevated permissions in order to infect Windows. Vista, by default, doesn't allow elevated sessions without a secondary "in your face" consent by the logged in user. Windows XP, on the other hand, does not give such a warning.
So in order for most of your malware tests to work, you intentionally ignored one or more (in most cases it would be two or three) warnings to intentionally execute the malware. Windows XP would either give no warnings (because it doesn't have UAC), or just one or two (depending on the default warnings given by Internet Explorer).
How about reporting how often malware silently installed without the user receiving one or more warnings (the most serious security problem)? I know the improved delta between XP to Vista is significant, and was by your own observations. Why not share that with your readers?
I've run similar tests against my personal collection of over 16,000 malware programs, and I know the results. Windows Vista is significantly more resistant to malware than previous Windows versions. But this isn't only my conclusion, it is the statement of every anti-malware vendor, dozens of world-wide hacker experts, and hundreds of other demonstrated, documented tests. Talk to H.D. Moore (of Metasploit fame), talk to Foundstone (my previous employers), talk to Joanna Rutkowska (of Blue Pill fame), or any other Windows security professional who doesn't work for Microsoft. Some may even extremely dislike Microsoft, but to a person they will ALL tell you the same thing. Windows Vista is more secure than XP-in theory and in practice. Have you ever asked yourself why your tests are the only ones to the contrary? I suggest that it was not well conceived or implemented.
Your tests essentially measure, "If I ignore multiple warnings, how well does Windows run a program designed to run for Windows?". Or was it how well Windows does as an anti-malware program, by itself, even though it is not designed to be a stand-alone anti-malware program? Although Windows Vista does come with some anti-malware defenses (e.g. Windows Defender), Microsoft does not recommend running Windows, any version, without additional anti-malware program installed. If Microsoft thought Vista didn't need additional anti-malware software installed, they would say so.
Your article ignores hundreds of other new security features and settings that stop existing malware programs (disabled LM hashes, stronger buffer overflow protection, improved NetBIOS security, session isolation, mandatory integrity controls, Internet Explorer-Protected Mode, BitLocker, 800 new group policy settings, portable media control, stronger default encryption, improved EFS, IPv6, file and registry virtualization, built-in RMS client, and more). And these aren't just some theoretical increase in security. They improve security in practical, easy-to-see ways. But if you ignore multiple warning prompts, malware designed for your system will always be able to exploit regardless of the OS (albeit my hat is off to OpenBSD and VAX for their stellar records).
The real answer is that all of today's operating systems, no matter who the vendors are, are significantly more secure than the ones we used in the past. It's still saddening that we live in such a malicious world, but that is more due to the default anonymity that underpins the Internet than any particular product. Malicious hackers wouldn't hack near as much if we could catch them. And they are no easier to catch using Windows than they are using any other OS. Till we improve the Internet, hackers will continue to take advantage of vulnerabilities.
If you look at the number of found vulnerabilities in Windows XP (28) vs. Vista (11) this year, Vista wins again. If that seems like a lot, don't forget Mac OS X has had 101 in the same time period. Cute commercials, but not necessarily a stellar reason to dog Microsoft about.
In conclusion, I’m not sure why you choose to run a story that paints Windows Vista as no better security-wise than Windows XP?
Sincerely,
Roger A. Grimes, Sr. Security Consultant
Microsoft ACE Team
Author of Windows Vista Security: Securing Vista Against Malicious Attack
Vista hardly more secure than XP?
Discussion in 'Windows OS and Software' started by Jalf, Jun 3, 2007.