Vista "no security cure-all" - Symantec

A new report from anti-virus company Symantec has challenged the notion that Microsoft's new Vista operating system will banish security problems that plagued its predecessors.

The security company said that Vista's new plumage has been mainly plucked from the open-source community, rather than being new security developments in themselves.

"Most are derived from the groundwork originally laid by open source operating systems such as Linux and OpenBSD, the PaX and Stackguard projects, as well as numerous academic publications," it claims.

And much of the rest was already in place in Windows XP SP2. "The majority of these technologies first appeared in Windows XP SP2. These technologies, which are now integrated in Windows Vista, include driver signing, SafeSEH, DEP [data execution prevention], pointer obfuscation, PatchGuard (Windows XP x64), UAC [user account control], code signing, Windows Defender, and Windows Update."

This has meant that some attacks written for Windows XP SP2 will readily operate unchanged on Vista. "The results showed that 3 per cent of backdoors can successfully execute and survive a system restart on Windows Vista without modification. Other categories include keyloggers, of which 4 per cent can successfully execute and survive a system restart, mass mailers (4 per cent), Trojans (2 per cent), spyware (2 per cent), and adware (2 per cent)."

There are other issues, too. Symantec says that the new features only add to security as they are implemented in third-party applications. But it seems that Microsoft too can fall foul of this, and Symantec's investigation showed that DEP has been deployed in a limited fashion in Vista, restricted to the core operating system.

It also discovered that the randomising of an application's memory footprint was not functioning properly. This randomising should provide a huge amount of protection against attacks, as each instance of a running application differs, making it difficult for generic attacks targeting the same point in memory space to be successful. Symantec says Microsoft will fix the component which is failing to randomise properly in SP1 for Vista.

Symantec also unleashed its security experts on Vista to try and break down the kernel defences driver signing, Code Integrity, and PatchGuard and successfully did so in a one "man week". "A potential victim need make only one mistake to become infected by a threat that does the same. The result: All new security technologies are stripped from Windows Vista in their entirety," it said.

Symantec also believes the new technologies written into Vista are as yet uncharted waters both for vulnerabilities to emerge and attack vectors.

Microsoft has completely rewritten the network stack - a task requiring a great deal of time and code. Symantec believes that this amount of code and the new protocols it has introduced will need some time to bed in. Microsoft was fixing bugs and issues right up to the launch, it claims, and concludes there are likely more to be found in the future.

Vista's Gadgets feature may also be an avenue for attacks, claims the company. While these mini-apps are subject to the same controls as any other software installed on Vista, their ability to communicate via the internet could lead to socially-engineered attacks that result in innocuous looking Gadgets harvesting sensitive information from a user's hard drive.

The company recognised Vista as "a more secure version of Microsoft Windows," to the point at which attackers are more likely to target third-party applications and web services as the easiest route in. It also sees the user as the weakest link, either through a lack of information leading to wrong decisions or as a victim of socially engineered attacks.

Microsoft agreed with much of Symantec's general view, conceding that Vista was never extolled as the Silver Bullet to security problems but insisting Vista remains "the most secure version of Windows to date". It claims Vista's strength is its "defence in depth approach".

"Security is about making choices," said a Microsoft spokesperson. "Make it too restrictive and users will have to interact with the software more to do what they want. Conversely, focus on ease of use by making the default settings less stringent and increase the chance that a system can be attacked. We believe Microsoft has developed the right balance and made the right decisions when evaluating the trade-offs between usability and security. This report does not properly address the fact that many of the Window Vista security technologies have numerous options that allow for a user to make their own judgments as to their need for security balanced against usability," responded Microsoft.

"That said, we are evaluating the information provided by Symantec in these reports that details methods an attacker could potentially use to circumvent security features in Windows Vista, specifically about the "GS Flag" and Address Space Layout Randomization, and will take any action, if needed, to help make these features stronger or more resilient."