Microsoft has hyped Vista as its most secure operating system ever. Does this stack up?
Microsoft claims that Vista is the most secure OS (operating system) the company has ever produced. Five years in the making, Vista promised to lock down the desktop. Microsoft said the OS would usher in the era of 'trustworthy computing' – a new age in which Windows PCs are more reliable, user experience is improved and the threat of malware becomes a thing of the past.
Only three months into the consumer release, however, questions are being asked. Antimalware vendors, security experts and even hackers have raised doubts as to the effectiveness of Vista's security measures. One commentator, blogger Joanna Rutkowska, went so far as to suggest that the new security model might be "a big joke".
Microsoft is an easy target, especially when it makes extravagant claims. The truth is that early testing suggests Vista is significantly more secure than previous versions.
But this doesn't necessarily signal an end to Microsoft's security headaches. Some of the pain for IT administrators and home users will subside, but weak spots and their workarounds should be on everyone's mind – as usual.
Administrator no more
One of Windows Vista's most lauded security enhancements is also one of the most criticised. UAC (User Account Control) aims to address a long-standing flaw in the way Windows handles user permissions, but its detractors say it doesn't offer enough protection and that inadequate design undermines its effectiveness.
At issue is the role of the Administrator account. Best practices dictate that a user should be assigned Administrator privileges only when performing tasks that require it, such as installing device drivers or changing the Registry. But part of the legacy of DOS is that older versions of Windows were, in essence, single-user systems. Even on Windows XP, which was Microsoft's first multiuser client OS, users would routinely log in as the Administrator by default – even for mundane tasks.
This practice made PCs easy to manage, but was a security disaster. When a user is logged in as the Administrator, worms and Trojan horses have free rein to run amok. Worse, Microsoft's inattention to user permissions encouraged software vendors to use sloppy, insecure programming practices that compounded the problem. Many Windows applications simply wouldn't work unless they were allowed to run with full Administrator privilege – that is, to run in the least secure way possible.
UAC attempts to correct these bad habits. Under UAC, most applications run at reduced privilege by default. When an application attempts to do something that requires Administrator privilege, UAC prompts the user with a dialog box asking for permission to elevate the application to the increased privilege level.
But UAC is not perfect. On her blog, Rutkowska details several flaws in Vista's UAC implementation that are potentially exploitable. For example, software installers are always allowed to run with full Administrative rights – just as they were in the older Windows operating systems.
And Symantec analyst Ollie Whitehouse says Vista ships with executables that can be used to compromise UAC.
"I still think that Microsoft did a good job with Vista," Rutkowska wrote, yet the significance of these discoveries is clear: don't expect UAC to eliminate overnight the problems associated with the Administrator account.
Programmatic exploits aren't the only way around UAC's protections, either. Confirmation dialogs can be intrusive and somewhat cryptic – users might be tempted to simply disable UAC out of frustration or become so numb to the warning messages that they click ok without thinking. What's more, they can easily be tricked into doing the wrong thing by social engineering or deception.
"Windows Vista provides many features to protect your system, but they require proper use," reads Microsoft's Windows Vista Security Best Practice Guidance for Consumers on the subject of UAC.
"Your system security is only as strong as your actions, so think before you click." UAC puts the responsibility for security in the hands of the individual user – hardly ideal.
Microsoft discourages users from thinking of UAC as an explicit security boundary and it doesn't consider flaws in the UAC implementation to be security flaws.
This story appears in the June 07 issue of PC Advisor, onsale now in all good newsagents