Video Screencast Help
Security Response

Vista: "Secure" but not "Security"

Created: 12 Feb 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:52:41 GMT
Symantec Security Response's picture
0 0 Votes
Login to vote

As I sit here looking for inspiration for my next blogpontification, I realized that I would be remiss if I didn't touch abit on Vista given Microsoft's latest announcement. If you do a searchon Vista in your browser, you’ll see plenty of material out theretouting how “secure” Vista is. But let’s face it, at the most basiclevel, Vista, in and of itself, is just another operating system. So,let’s not confuse an operating system that’s more secure with somethingthat is an actual security solution that provides real protectionagainst the breadth of computer attacks. Perhaps it's just semantics,but it does cause some confusion as illustrated by severalconversations I've been in where people I’ve talked to have made thismistake. So, let's set the record straight.

For the record, and without getting too much into the nitty-grittydetails, Vista is simply an operating system that contains a variety ofnew features that make it less readily hackable and exploitable. That’sit. Although, my guess is that it’s probably only a matter of timebefore someone figures a way to circumvent some of the measuresMicrosoft put in place or find flaws in Vista (heck – even the ChicagoBears made it to the Super Bowl again…and all it took was 22 years!).Even Jim Allchin, former Co-President of Microsoft’s Platforms &Services Division (Allchin retired on January, 30, 2007), was quoted ina recent CNET interviewpublished on January, 27, 2007, to have said of Vista: “At no time am Isaying that this system is unbreakable…” Smart move, Jim – it’s alwaysgood to include some caveats and leave an out, in case some Vistabacktracking is needed.

And now, for the sake of argument, let’s pretend that Vista as anoperating system is completely solid and impenetrable – would this meanthat security is no longer a concern? But surely, it must be if youroperating system can’t be compromised, right? WRONG. To think otherwisewould be giving into a false sense of security (no pun intended, ofcourse).

Computer attacks today are primarily financially motivated, so it’lltake a lot to deter an attacker from getting to his pot of ill-gottengold; as a result, if the operating system is completely secure anddifficult to exploit, then attacks would likely shift towards the nextpath of least resistance – applications that sit on top of Vista. Webapplications are particularly attractive given the ease of exploit andthe amount of flaws that many carry. Symantec's Internet Security Threat Report(ISTR), Volume X, shows that 69 percent of reported vulnerabilities inthe first half of 2006 were Web application-based with 80 percent ofthese being easily exploitable.

Vulnerabilities aside, let’s not also forget about the various typesof socially engineered attacks like phishing attempts that may resultin Grandma Jones and Uncle Billy unknowingly doling out their bankaccount numbers, PINs, and Social Security numbers. Or nasty littlethings like Trojan.Peacommthat spread through emails, which carry fake current events headlinesin an attempt to convince an unsuspecting victim to open the maliciousattachment. As indicated in ISTR X, Symantec is seeing an average of865 unique phishing messages sent per day, an 81 percent increase overthe previous reporting period. Probability dictates that someonesomewhere out there will likely fall victim to one of these sociallyengineered traps floating around, Vista or not.

At the end of the day, it won’t be the secure operating system thatprotects Grandma Jones and Uncle Billy – it’ll be security vendors withenough robust intelligence to keep ahead of the bad guys like Symantecwho’ll swoop in to save the day with comprehensive security solutionslike Norton Internet Security or Symantec Client Security running on Vista.