It goes without saying that attackers follow security vulnerabilities, as these are a requirement for their success. Over the past several years, these vulnerabilities have increasingly moved up the application stack and away from the core operating system. Threats have moved (and will continue to move) into other areas, such as the Web application layer, where the majority of all new security vulnerabilities reside today. These threats target more available technologies, including email, IM, and the Web, leveraging social engineering and other convincing trickery in order to infect their victims.
That said, the release of an operating system that is expected to be widely adopted—such as Microsoft’s Windows Vista—is bound to have a significant effect on the security landscape.
Last year, the Symantec Internet Security Threat Report Vol. X discussed some of the general security concerns that may be associated with Windows Vista. Over the past six months, Symantec has continued to research potential security issues associated with the new Microsoft operating system. This article will discuss the findings of that research and describe why the implementation of a multi-layered security strategy on top of Windows Vista is critical.
The security issues pertaining to Windows Vista fall into three categories: vulnerabilities, malicious code, and attacks against a specific protocol.
In December 2006, Symantec reported a vulnerability in previous versions of Windows that also affects the version of Windows Vista that was released to consumers in January. No matter how mature development processes such as Microsoft’s Security Development Lifecycle (SDL) are, Vista is a complex system and, as already shown, not immune to flaws and human mistakes.
As the latest edition of the Threat Report observes:
“It appears that Microsoft’s implementation of mitigating technologies such as address space layout randomization (ASLR), GS (a compiler technology), and data execution prevention (DEP) could reduce the successful exploitation of any vulnerabilities that are discovered. Nevertheless, Symantec expects that new threats for Windows Vista will utilize older exploitation techniques that have been previously successful—such as those developed to successfully exploit Windows XP SP2—in order to bypass improvements in Windows Vista. For example, attackers may revert to attacks that utilize email, P2P, and other social engineering techniques.”
In April, Microsoft patched the already exploited Windows animated cursor vulnerability with an out-of-cycle security update. The security bulletin rated the bug as critical—Microsoft's highest threat level in its four-step system—across all supported editions of Windows: 2000, XP SP2, Windows Server 2003, and Vista. The vulnerability marked the first critical Vista bug disclosed and patched since the operating system’s release, and the first flaw in Vista’s own code.
As for existing malicious code, it too may pose a problem for Windows Vista. According to research conducted by Symantec, some malicious code that did not originally target Windows Vista may affect the new operating system after all. This could be problematic because some enterprises may act on the belief that their installations of Windows Vista are immune from older malicious code samples. As a result, they may not deploy appropriate security solutions on new Windows Vista systems, thus leaving them vulnerable to infection by older malicious code samples.
For example, late last year, Symantec Advanced Threat Research conducted an analysis of Windows Vista’s security enhancements provided by the user account control (UAC) and resulting new security barriers. Approximately 2,000 unique instances of malicious code were executed during the life of this project.
On average, about 70% of the malicious code executed under Windows Vista loaded successfully and executed without a crash or runtime error. Out of the 70% that were able to execute, only about 6% of the samples were able to accomplish a full compromise and an even smaller number (4%) were able to survive a reboot. The rest did not execute properly due to incompatibility, unhandled exceptions, or security restrictions.
Orlando Padilla, of Symantec Security Response, drew these conclusions:
“The implementation of malicious code on Windows Vista will change. Malicious code authors will no longer target the system as a whole, but will be forced to target the user environment to accomplish what they want. Needless to say, the possibilities for infection are still endless. We have seen that malicious code can continue to survive on Windows Vista with relatively minor changes. A large portion of our sample set failed, simply because of unhandled conditions with no alternative code paths and an inability to correctly execute within the confines of Windows Vista’s new security environment. With relatively minor changes (which we did not undertake ourselves), these shortcomings can be resolved and a much larger percentage of malicious code will survive on Windows Vista. The possibility of an existing threat successfully executing, infecting, and surviving on Vista is still a concern.”
The third potential Windows Vista security issue identified by Symantec is the Teredo protocol. Teredo was developed by Microsoft to enable the transition between versions of Internet protocol (IP), one of the protocols underlying all Internet-based communications. Teredo is enabled by default in Windows Vista, and computers using Windows Vista can easily be identified through Teredo. Attacks sent over Teredo will often bypass organizations’ network security controls. Many security products don’t support Teredo and thus would not inspect it. This could make Windows Vista susceptible to attacks
As every IT professional knows, attackers follow security vulnerabilities, as these are a requirement for their success. Over the past several years, these vulnerabilities have increasingly moved away from the core operating system. Threats have moved—and will continue to move—into other areas, such as the Web application layer, where 66% of all new security vulnerabilities reside today, according to Symantec’s latest Threat Report. Windows Vista provides no enhanced security in this space, as the majority of vulnerabilities today are seen within PHP, Python, Perl, ASP, and other languages. In addition, new Web 2.0 technologies such as AJAX provide an entirely new layer on which tomorrow’s threats will propagate.
For organizations that are pondering a Vista migration, integration is a critical aspect of any client security solution. Antivirus and antispyware protection, vulnerability-based protection, file-based intrusion prevention, and firewall traffic control components of a security solution all need to be able to communicate with each other and work together to protect the client system. Lack of integration between solutions often requires manual intervention, weakening the ability to adequately combat threats. Only through a coordinated, multi-layered defense can an organization effectively protect itself against the rising barrage of crimeware and threats to Windows Vista.
In addition to providing a coordinated defense, an integrated client security solution can be more easily managed than individual point products. Integration allows for centralized management from a single console rather than multiple consoles. IT administrators only have to learn and use one console instead of four. Additionally, instead of having piecemeal reports that leave gaps in the client security picture, they can run a single report to get either a comprehensive or snapshot view of the entire state of their client security, letting them easily see their weaknesses and strengths. This overall ease of management that an integrated client security solution provides greatly simplifies administration efforts and frees up IT personnel to pursue activities that drive business success and improve the organization’s bottom line.
As with any new operating system, Windows Vista’s release will bring with it previously unforeseen security issues that IT managers will need to grapple with. As the latest Internet Security Threat Report observes, Vista’s “new features and changes to Windows Vista’s code base, in conjunction with increased scrutiny from security researchers and malicious code authors, will result in previously unseen attacks.”
Vista undoubtedly will be a boon for businesses and users alike, but its arrival also means that there will be yet one more operating system that IT managers will need to manage and secure. The new security features included in Vista are a step forward in helping businesses defend against attacks, but they cannot be considered a complete, multi-layered defense.
The advanced state of malware development will continue to require dedicated countermeasures, and organizations will need ways to manage and secure multiple platforms. In short, Vista is an important step forward, but the new operating system is only the first step in ensuring the security of an organization's computing resources.