Puncturing the myth of the invulnerable OS
Summary: An Australian developer of Windows security software is making headlines with research that claims to Windows Vista's is Windows Vista is "still a long way from immunity to online threats." So, what operating system is invulnerable to malware? When did that become the criterion for success in security? The data is sketchy (to say the least) and the underlying argument is flawed. As long as crooks are trying to scam their way onto your PC, humans will occasionally make bad decisions about which software to install. Do you really want an OS that substitutes its judgment for yours and refuses to install a program you want or need?
I keep trying to come up with explanations for why rational technical publications continue to amplify the nonsensical research coming out of Australian security vendor PC Tools in the past few weeks.
Jedi mind tricks? Post-hypnotic suggestions embedded in web pages served from the Southern Hemisphere? Sunspots? There's certainly no rational explanation for anyone with a lick of security experience to take this stuff seriously.
But here's Information Week, with its scare headline "Windows Vista More Vulnerable To Malware Than Windows 2000." There's a pro forma note in the second graf that PC Tools "has a financial interest in the vulnerability of Microsoft's software," but otherwise it's just a rehash of the press release. InfoWorld picked up the same release and reprinted it practically verbatim. And today my normally super-smart ZDNet colleague Adrian Kingsley-Hughes took the bait on a new PC Tools release, starting his post Does running Vista make you feel safe from malware? with this line:
Another day, another report casts doubt on Vista’s immunity to malware.
That, of course, echoes the title of (and links directly to) the press release from PC Tools. (And with the exception of press releases from companies trying to sell security software, where are those other reports, anyway?) Adrian goes on to catalog the security improvements that distinguish Vista from XP but then says, "despite all this I don’t subscribe to the idea that Vista is somehow invulnerable to malware."
So, what operating system is invulnerable to malware? When did that become the criterion for success in security?
If I send you an e-mail with the file HotBabes.exe attached to it, you have to decide whether to run it or not. If you are deluded enough to double-click that icon, and you are running Windows Vista, several things are going to happen:
- If you are running under a standard user account set up by your parent or your IT department, you will be unable to install that program until you find adult supervision and convince them to enter the administrator password. Good luck with that.
- If you are the administrator, you will see a UAC prompt that will provide you with some information placed there by the creator of the program, which might or might not help you decide whether it's safe to install. If the program is digitally signed, you will be able to get a third-party service to confirm the identity of the person or organization that signed the program.
- Ultimately, you will decide to click Continue or Cancel. If the file I sent you was a Trojan or virus and you say Continue, you lose.
It's as simple as that. If you're the admin and you tell the OS you want to run an executable program, the OS has to respect your judgment and allow it. It has no way of knowing whether a program is good or evil, well written or buggy, or whether it will cause your system to lock up with a STOP error. As the boss, you get to make the decision.
And that's the way it should be. Do you want an OS that refuses to allow you to install a remote access program so you can do online help or access your home PC from the road? Do you want Microsoft or Apple or your favorite Linux distro to say, "I'm sorry, Dave, I can't allow that," when you install a password cracking tool to recover the information in a lost file? Of course not. But I've seen antivirus programs squawk for years over some of my most useful security tools in these categories, claiming they are threats and offering to neuter them for me. No thanks.
If you want help analyzing the actual contents of a program you're thinking of installing, you need additional software that can crack open the executable and compare its code or behavior to other known species of malware. In other words, you want antivirus software. That's true of every OS platform.
The information that PC Tools provides in its press release is, to put it charitably, sketchy. The release says, for example, that "approximately 121,000 pieces of malware were detected on approximately 58,000 unique Vista machines in the ThreatFire community." (ThreatFire is the name of the anti-malware software PC Tools is pitching.) A footnote points to a Data Summary Sheet, but it, unfortunately, is unlinked and unavailable. (I've asked PC Tools to send me this data sheet.) Without knowing the sample size or how that malware was installed, it's impossible to come to any valid conclusions.
And what does the company define as "malware," anyway? The release says "17% of all threats found on Vista machines involved in the research were Trojans, while worms accounted for 5%, spyware for 3% and viruses for 2%." That pretty much encompasses every category of true malware that I can think of (and it includes all the big threats on this highly regarded list from Kaspersky). So, what makes up the other 73%? Adware? Browser toolbars? Tracking cookies? Without those details, there's no way to know, but how dangerous can a threat be that isn't classed as a virus, worm, Trojan, or spyware program?
Update 20-May, 745PM PDT: A representative of PC Tools replied to my request for additional information with an e-mail message that includes the one-page data sheet and confirms that the remaining 73% of "threats" all fall into the category of adware. Examples include "PuA.Adware.SweetBar, Adware.HotBar, PuA.Adware.StarBar, PuA.Adware.SmartShopper, PuA.Adware.Rotator, and PuA.Adware.ALot."
Meanwhile, I continue to be impressed by the fact that my phone is not ringing with friends, family members, and clients looking to clean up virus or spyware infestations on their Vista-based PCs. I'm not alone, either. My colleague Dwight Silverman (who certainly can't be characterized as a Vista fanatic) wrote in March:
I have yet to see a Windows Vista system infected with spyware or a virus -- nor have I heard from any readers who have experienced this.
That's an echo of what Dwight noted last fall when he and I had a similar conversation:
I get a lot of cries for help from Windows users whose machines have been infected with spyware, but all of them come from XP users. Since Vista's release, I haven't heard from one Vista user with the same problem, and a scan of Jay Lee's HelpLine e-mail (yes, I have access to it) shows a similar pattern.
Is Vista significantly more secure than XP? Unquestionably. Is it invulnerable to malware? Absolutely not. Will Windows or any computer operating system ever be immune to break-ins and scams that involve social engineering? Sadly, as long as dishonest human beings exist, the answer is no.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
Well ...
Vista already does this when the broadcast flag is set, so not allowing any cracking tools shouldn't be too far behind. ;)
That's not true
Vista was actually working exactly how it was programmed to work. The broadcast flag was set to "do not record," so Vista listened and didn't record.
And furthermore
Short term workaround
Your non-broadcast-aware recorder will only work up until
the time that Microsoft issues a new patch that revokes that
software's permission to run on Vista.
Oh, please
" Well...
You may well be right, but I'm betting that if you are, that feature will forever come with an on/off toggle, with default set to "off" and
a case-by-case admin override built into the "on" switch. People simply are not going to accept an OS that replaces their best judgment with its own.
Invulnerable homo sapiens = user error
User error = 90% of all computer errors, foibles, glitches and regrets
Some things never change, and it's been like this from day one. ;)
OK, that is most of it.
UAC Security Hole
One of the best blogs I have read on this subject can also be found on Zdnet and is here:
http://blogs.zdnet.com/security/?p=29&tag=nl.e589
The gist of it is that Vista's approach to UAC is an all or nothing proposition. Either you give an application full access to everything or you block it completely. For UAC to work properly, it should not elevate all setup/install programs to admin status; but instead it should act more like linux; which allows you to install programs as a user without affecting system wide parameters.
I think the above blog (see my link) is touching on a true weakness of Vista in general and UAC in particular. Microsoft attempt to copy the linux model of security is flawed and incomplete. I do not begrudge Microsoft's attempt to copy a superior security model, but they should have done a better job.
Give them some credit
I have to give Microsoft some credit, though. As I said in another post on this thread, I get called to clean malware from our 2K and XP machines on a regular basis, but have yet to find anything on our Vista machines. Vista is not perfect, but as a support professional I do see considerable improvement. It is easy for us to sit back and say "Why wasn't this perfect when it was released?", yet we know that is never the case. Software evolves over time, with occasional leaps and jumps. Vista has taken a very big step, and now we will watch it evolve into a more refined product with each service pack, just as XP did. In a couple of years Win7 will hit, and, benefiting from Vista's trailblazing, will probably be a more mature product. Everything we do with computers is a work in progress.
Hope Springs Eternal
Did I say that?
I, too, am looking forward to Win7 (Vista SP2), as I feel that Vista has laid a decent foundation and with SP2 or Second Edition or whatever they will call it, it will mature into a very nice OS. I also believe that those of us who have already made the transition to Vista will have a much easier time with Win7 when it arrives. For us, Win7 will be a small step. For you, going from XP to Win7 will be a huge step.
How do you know all this?
How do you know all this? How do you know it's not going to be a more radical step? M$ has been pretty mum as far as details about Windows 7 are concerned.
[i]I also believe that those of us who have already made the transition to Vista will have a much easier time with Win7 when it arrives. For us, Win7 will be a small step. For you, going from XP to Win7 will be a huge step.[/i]
You don't know that. None of this has happened yet.
And another thing, I find using the password in Linux to be be far less obtrusive than my exposure to UAC. I don't get nanny pop screens asking me do I really want to click on this, or do I really want to go to this particular website.
The only times I'm asked for a password in Linux is when I first log in for a user session or when I download something from the Synaptic package manager, which doesn't happen too often.
And occasionally I've had to log into the terminal using :~$ su without having to log off and use my root password, but that been rare. I've yet to use sudo to do anything.
Thank God, there's no need for Ed Bott tweaking UAC manuals for Linux.
Think of it as evolution in action....
So do I; though if linux continues to improve at its current rate, many of us may not be using Windows when Windows 7 ships.
I'll be one of those who do, though--on my multi-boot system with Kubuntu as default--because the fact is that Windows keeps on getting better and better.
I skipped over Win 95 completely, but ever since Win 98, Windows has steadily gotten better, bloated code and all. Win 2k was better than Win 98; Win XP was better than Win 2k, Vista is better than Win XP, and Win 7 will be better than Vista. I'll always have at least the latest incarnation of Windows somewhere on my system, because I'll always need to know Windows in order to provide tech support for it; but also because Windows really does keep getting better.
what I hear from you is far more typical
That's not what he's suggesting
Ultimately, what is burdening Microsoft is an OS design that didn't take any of this in to account way back in the early stages. Windows was designed for desktop computers that were 1/100th as powerful as today's machines. This was a time when software writers simply didn't have the hardware tools to write software that isolates processes in memory or manages multiple user contexts. They were fortunate to run 256 color graphics! One of Microsoft's biggest strengths is also their greatest weakness: backward compatibility. The same age-old mechanisms that let them run old software stand in the way of efficient multi-tier user access.
Unix, on the other hand, was written for large, multi-user platforms where the protection of the system from the user was built in from day one. Large "mini-computer" installations cost hundreds of thousands of dollars back in their day. Operators needed software that would allow multiple people to use the system, without allowing a program that a single user runs to take down the whole system. Today, we have the benefit of desktop systems that can handle these more complex operating systems. It's just that some software implemented these concepts from day one, while others are struggling to graft them on to old paradigms.
Backward compatibility
The problem is as I see it, we have huge attempts to drag the walrus around and make everything backward compatible, and MS gets lambasted for the Security not being perfect.
However if we made the security perfect, then MS would be getting lambasted for the lack of backward compatibility.
If you don't believe me, look at users complaining when MS finally dropped 8 Bit support, and then 16. Face it, if you're using a brand new OS and still using the 20 year old app, you:
1. Either need a new application.
2. do not need a modern OS.
But lets pick what we want Compatibility, or Security once picked we do not want to hear you whine about the other one.
Couldn't agree more
Windows (I believe) has become the most
complicated OS, because of backward compatibility issues.
I think that MS does the best thing:
Maintains backward compatibility at
some extent, and evolves Windows (including
it's security) at the same time.
I also find stupid the way other OS understand
security. I heard once a guy saying that an
other OS is more secure than Windows because,
in order to run an unknown app, you had to pass
through a bloody long process.
Well, my opinion is that a user will run the
app, if he wants to, whether it is through a
simple double click or a long process full of suffering... The only difference is how
comfortable or annoyed the user will feel.
As for all the complains about Vista being
not as good as XP, I am pretty sure you that the only thing users didn't like was the essence
of security (confirmation dialogs that pop up
and make you angry) and the their "not-so-good" performance.
If you use a tweaker all of these can
be "cured" !
Why not?
What you want and what you'll get will probably never be identical. :)
Most of my clients are just like me: we want it all, and we want it NOW! We want a completely stable OS that runs all the new apps and continues to run our old favorites too, with complete security that still lets us make every stupid decision we want to make and cleans up all the resulting messes without bothering us with the details.
IMO, we'll never have that, so we'll keep on whingeing and creebing about how disappointed we are that neither Microsoft nor our favorite linux distros give us everything that we want.
What your saying about Windows