How Much Will Windows Security Matter?
As Windows Vista becomes more secure against known threats, it's what hackers and cybercriminals devise in the next generation of attacks that keeps Microsoft on its toes.
- By The Associated Press
- December 10, 2006
(New York) Microsoft Corp. took great pains to improve security
in its newly released computer operating system, Windows Vista, redesigning
it to reduce users' exposure to destructive programs from the Internet.
Outside researchers commend the retooled approach -- yet they also say
the changes won't make online life much safer than it is now.
Why not? Partly because of security progress that Microsoft already had
made in its last operating system, Windows XP. Also because a complex
product like Vista is bound to have holes yet to be discovered. And mainly
because of the rapidly changing nature of online threats.
Sure, Microsoft appears to have fixed the glitches that used to make
it easy for viruses, worms and other problems to wreck PCs. But other
avenues for attack are always evolving.
"Microsoft has made the core of the operating system more secure,
but they've really solved, by and large, yesterday's problems," said
Oliver Friedrichs, director of emerging technologies at antivirus vendor
Symantec Corp.
That claim would not please Microsoft, which touts Vista's improved security
as a big reason why companies and consumers will want to upgrade to the
new operating system.
In fact, Microsoft's effort to tighten security in Vista was one reason
the software was delayed past the crucial holiday shopping season. It's
now available for businesses and will be available to consumers Jan. 30.
"It is an incremental improvement -- it is a reasonably large increment,"
said Jon Callas, chief technology officer at PGP Corp., a maker of encryption
software. "I don't think it's a game-changer."
Some of Vista's security enhancements require computers with the latest
microprocessors -- which are known as 64-bit chips, in reference to how
much data they process at once. That won't improve things on today's standard
32-bit computers, which will stick around for a long time.
However, most of the improvements are available in all editions of Vista,
including a stronger firewall and a built-in program known as Defender
that alerts users if Vista believes spyware is being installed.
"Windows is going to talk to you a lot more and make sure you're
a lot more aware of what you're doing," said Adrien Robinson, a director
in Windows' security technology unit. "It's going to help consumers
be more savvy."
One of Vista's biggest changes is more control over computer management.
With previous versions of Windows, users were given by default great control
over the computer's settings -- a situation that opened the door to nefarious
manipulation by outsiders. In Vista, users are prompted to supply a password
when they make significant changes -- a security feature long available
on Apple Computer Inc.'s Macintosh and computers running the Linux operating
system.
At the same time, the software gives corporate PC administrators new
security powers, such as the ability to turn off the USB ports that employees
might use to remove data or bring in troublesome programs on flash drives.
(Some network administrators had told Microsoft they were so desperate
to stop that practice that they were filling the PC ports with glue.)
Even with all the changes, Vista does not promise a total cure for security
headaches. Microsoft, after all, is also selling security add-ons, competing
more directly with antivirus companies than in the past.
"Rather than having all the doors unlocked, you now have locks on
the doors. It doesn't mean it's a silver bullet," Robinson said.
"If they really wanted to get in, they could get through. They could
throw a rock through the window. But it's harder. Our goal is to make
it harder, to raise the bar."
Still, when Vista for businesses was launched in New York on Nov. 30,
Microsoft CEO Steve Ballmer promised a "dramatic" drop in "the
number of vulnerabilities that ever present themselves."
If so, that would spare Microsoft from a repeat of the embarrassing series
of "critical" security patches it had to release for the previous
operating system.
But it might not mean much against many threats Web surfers face today.
For one thing, the kinds of large-scale, automated worms that Vista purportedly
will hinder have been waning anyway, according to security analysts. Symantec's
Friedrichs said 2006 hasn't seen any worms as prevalent as the kinds that
caused widely publicized PC outages several years ago, with names like
Slammer and Blaster.
That's partly because of enhancements Microsoft already made in Service
Pack 2, a huge set of patches for Windows XP that were released in 2004.
"If you're looking at two versions, XP Service Pack 2 versus Vista,
I'm going to say to the average user they're both going to offer them
good security," said Michael Cherry, an analyst at Directions on
Microsoft. "Is Vista better? I don't know if it's that substantially
better."
Security experts say malicious hackers have largely moved away from outage-causing
attacks, motivated by publicity or pride, in favor of more targeted and
lucrative thefts of users' data. Those attacks tend to exploit flaws in
Web applications or employ "social engineering" -- such as tricking
people with phony e-mails into giving up passwords.
"From that perspective, Vista is a non-event," said John McCormack,
a senior vice president at security vendor Websense Inc.
To its credit, Microsoft is fighting such "phishing" attacks
by configuring its new Internet Explorer 7 Web browser to alert users
if they're visiting a dicey-seeming Web site. Internet Explorer 7 is already
available for free download.
But IE7's phish-catching method alone is limited: It is based on a "black
list" of sites known to be up to no good. Outside security experts
say that will not stop the increasingly savvy attackers who constantly
morph their tactics, sometimes every few hours.
For example, Websense recently tracked a phishing attack that mimicked
a customer service message from Amazon.com. It passed through most spam
filters, and the phony Web site to which it directed victims changed throughout
the day. For at least the first few days, IE7 hadn't caught up to block
it, McCormack said.
Perhaps one indication that security in the Vista era will be better
but far from perfect came in recent research by Sophos PLC.
The security software company determined that three of the 10 most prevalent
malicious worms circulating on the Internet in November were able to run
on Vista.
Impressively, the e-mail program that comes with Vista -- Windows Mail,
formerly called Outlook Express -- successfully found and blocked the
malware. But Web-based e-mail services let it through, said Sophos security
analyst Ron O'Brien.
For O'Brien, that finding showed that while Microsoft's efforts to upgrade
computer security are praiseworthy, there's only so much the company can
do. Not only are Microsoft's hands tied when it comes to the security
of third-party applications, but the company also is limited in what it
can do with its own software.
For example, McCormack said Microsoft might have done more to prevent
criminals from surreptitiously placing keystroke-monitoring programs on
computers to steal data. But the fix likely would have shut out legitimate
programs as well, such as those that let people operate their PCs remotely.
"You have to find this happy medium between usability and security,"
McCormack said.
Of course, with Vista on a tiny fraction of desktops today, it's way
too early to assess how much hackers can mess with it.
"I don't know how long Microsoft is going to be able to claim the
streets are safe before a criminal decides to challenge that opinion,"
O'Brien said. "That's going to just be a matter of time."