News

How Much Will Windows Security Matter?

As Windows Vista becomes more secure against known threats, it's what hackers and cybercriminals devise in the next generation of attacks that keeps Microsoft on its toes.

(New York) Microsoft Corp. took great pains to improve security in its newly released computer operating system, Windows Vista, redesigning it to reduce users' exposure to destructive programs from the Internet. Outside researchers commend the retooled approach -- yet they also say the changes won't make online life much safer than it is now.

Why not? Partly because of security progress that Microsoft already had made in its last operating system, Windows XP. Also because a complex product like Vista is bound to have holes yet to be discovered. And mainly because of the rapidly changing nature of online threats.

Sure, Microsoft appears to have fixed the glitches that used to make it easy for viruses, worms and other problems to wreck PCs. But other avenues for attack are always evolving.

"Microsoft has made the core of the operating system more secure, but they've really solved, by and large, yesterday's problems," said Oliver Friedrichs, director of emerging technologies at antivirus vendor Symantec Corp.

That claim would not please Microsoft, which touts Vista's improved security as a big reason why companies and consumers will want to upgrade to the new operating system.

In fact, Microsoft's effort to tighten security in Vista was one reason the software was delayed past the crucial holiday shopping season. It's now available for businesses and will be available to consumers Jan. 30.

"It is an incremental improvement -- it is a reasonably large increment," said Jon Callas, chief technology officer at PGP Corp., a maker of encryption software. "I don't think it's a game-changer."

Some of Vista's security enhancements require computers with the latest microprocessors -- which are known as 64-bit chips, in reference to how much data they process at once. That won't improve things on today's standard 32-bit computers, which will stick around for a long time.

However, most of the improvements are available in all editions of Vista, including a stronger firewall and a built-in program known as Defender that alerts users if Vista believes spyware is being installed.

"Windows is going to talk to you a lot more and make sure you're a lot more aware of what you're doing," said Adrien Robinson, a director in Windows' security technology unit. "It's going to help consumers be more savvy."

One of Vista's biggest changes is more control over computer management. With previous versions of Windows, users were given by default great control over the computer's settings -- a situation that opened the door to nefarious manipulation by outsiders. In Vista, users are prompted to supply a password when they make significant changes -- a security feature long available on Apple Computer Inc.'s Macintosh and computers running the Linux operating system.

At the same time, the software gives corporate PC administrators new security powers, such as the ability to turn off the USB ports that employees might use to remove data or bring in troublesome programs on flash drives. (Some network administrators had told Microsoft they were so desperate to stop that practice that they were filling the PC ports with glue.)

Even with all the changes, Vista does not promise a total cure for security headaches. Microsoft, after all, is also selling security add-ons, competing more directly with antivirus companies than in the past.

"Rather than having all the doors unlocked, you now have locks on the doors. It doesn't mean it's a silver bullet," Robinson said. "If they really wanted to get in, they could get through. They could throw a rock through the window. But it's harder. Our goal is to make it harder, to raise the bar."

Still, when Vista for businesses was launched in New York on Nov. 30, Microsoft CEO Steve Ballmer promised a "dramatic" drop in "the number of vulnerabilities that ever present themselves."

If so, that would spare Microsoft from a repeat of the embarrassing series of "critical" security patches it had to release for the previous operating system.

But it might not mean much against many threats Web surfers face today.

For one thing, the kinds of large-scale, automated worms that Vista purportedly will hinder have been waning anyway, according to security analysts. Symantec's Friedrichs said 2006 hasn't seen any worms as prevalent as the kinds that caused widely publicized PC outages several years ago, with names like Slammer and Blaster.

That's partly because of enhancements Microsoft already made in Service Pack 2, a huge set of patches for Windows XP that were released in 2004.

"If you're looking at two versions, XP Service Pack 2 versus Vista, I'm going to say to the average user they're both going to offer them good security," said Michael Cherry, an analyst at Directions on Microsoft. "Is Vista better? I don't know if it's that substantially better."

Security experts say malicious hackers have largely moved away from outage-causing attacks, motivated by publicity or pride, in favor of more targeted and lucrative thefts of users' data. Those attacks tend to exploit flaws in Web applications or employ "social engineering" -- such as tricking people with phony e-mails into giving up passwords.

"From that perspective, Vista is a non-event," said John McCormack, a senior vice president at security vendor Websense Inc.

To its credit, Microsoft is fighting such "phishing" attacks by configuring its new Internet Explorer 7 Web browser to alert users if they're visiting a dicey-seeming Web site. Internet Explorer 7 is already available for free download.

But IE7's phish-catching method alone is limited: It is based on a "black list" of sites known to be up to no good. Outside security experts say that will not stop the increasingly savvy attackers who constantly morph their tactics, sometimes every few hours.

For example, Websense recently tracked a phishing attack that mimicked a customer service message from Amazon.com. It passed through most spam filters, and the phony Web site to which it directed victims changed throughout the day. For at least the first few days, IE7 hadn't caught up to block it, McCormack said.

Perhaps one indication that security in the Vista era will be better but far from perfect came in recent research by Sophos PLC.

The security software company determined that three of the 10 most prevalent malicious worms circulating on the Internet in November were able to run on Vista.

Impressively, the e-mail program that comes with Vista -- Windows Mail, formerly called Outlook Express -- successfully found and blocked the malware. But Web-based e-mail services let it through, said Sophos security analyst Ron O'Brien.

For O'Brien, that finding showed that while Microsoft's efforts to upgrade computer security are praiseworthy, there's only so much the company can do. Not only are Microsoft's hands tied when it comes to the security of third-party applications, but the company also is limited in what it can do with its own software.

For example, McCormack said Microsoft might have done more to prevent criminals from surreptitiously placing keystroke-monitoring programs on computers to steal data. But the fix likely would have shut out legitimate programs as well, such as those that let people operate their PCs remotely.

"You have to find this happy medium between usability and security," McCormack said.

Of course, with Vista on a tiny fraction of desktops today, it's way too early to assess how much hackers can mess with it.

"I don't know how long Microsoft is going to be able to claim the streets are safe before a criminal decides to challenge that opinion," O'Brien said. "That's going to just be a matter of time."

Featured