Puncturing the myth of the invulnerable OS

Puncturing the myth of the invulnerable OS

Summary: An Australian developer of Windows security software is making headlines with research that claims to Windows Vista's is Windows Vista is "still a long way from immunity to online threats." So, what operating system is invulnerable to malware? When did that become the criterion for success in security? The data is sketchy (to say the least) and the underlying argument is flawed. As long as crooks are trying to scam their way onto your PC, humans will occasionally make bad decisions about which software to install. Do you really want an OS that substitutes its judgment for yours and refuses to install a program you want or need?

SHARE:

I keep trying to come up with explanations for why rational technical publications continue to amplify the nonsensical research coming out of Australian security vendor PC Tools in the past few weeks.

Jedi mind tricks? Post-hypnotic suggestions embedded in web pages served from the Southern Hemisphere? Sunspots? There's certainly no rational explanation for anyone with a lick of security experience to take this stuff seriously.

But here's Information Week, with its scare headline "Windows Vista More Vulnerable To Malware Than Windows 2000." There's a pro forma note in the second graf that PC Tools "has a financial interest in the vulnerability of Microsoft's software," but otherwise it's just a rehash of the press release. InfoWorld picked up the same release and reprinted it practically verbatim. And today my normally super-smart ZDNet colleague Adrian Kingsley-Hughes took the bait on a new PC Tools release, starting his post Does running Vista make you feel safe from malware? with this line:

Another day, another report casts doubt on Vista’s immunity to malware.

That, of course, echoes the title of (and links directly to) the press release from PC Tools. (And with the exception of press releases from companies trying to sell security software, where are those other reports, anyway?) Adrian goes on to catalog the security improvements that distinguish Vista from XP but then says, "despite all this I don’t subscribe to the idea that Vista is somehow invulnerable to malware."

So, what operating system is invulnerable to malware? When did that become the criterion for success in security?

If I send you an e-mail with the file HotBabes.exe attached to it, you have to decide whether to run it or not. If you are deluded enough to double-click that icon, and you are running Windows Vista, several things are going to happen:

  • If you are running under a standard user account set up by your parent or your IT department, you will be unable to install that program until you find adult supervision and convince them to enter the administrator password. Good luck with that.
  • If you are the administrator, you will see a UAC prompt that will provide you with some information placed there by the  creator of the program, which might or might not help you decide whether it's safe to install. If the program is digitally signed, you will be able to get a third-party service to confirm the identity of the person or organization that signed the program.
  • Ultimately, you will decide to click Continue or Cancel. If the file I sent you was a Trojan or virus and you say Continue, you lose.

It's as simple as that. If you're the admin and you tell the OS you want to run an executable program, the OS has to respect your judgment and allow it. It has no way of knowing whether a program is good or evil, well written or buggy, or whether it will cause your system to lock up with a STOP error. As the boss, you get to make the decision.

And that's the way it should be. Do you want an OS that refuses to allow you to install a remote access program so you can do online help or access your home PC from the road? Do you want Microsoft or Apple or your favorite Linux distro to say, "I'm sorry, Dave, I can't allow that," when you install a password cracking tool to recover the information in a lost file? Of course not. But I've seen antivirus programs squawk for years over some of my most useful security tools in these categories, claiming they are threats and offering to neuter them for me. No thanks.

If you want help analyzing the actual contents of a program you're thinking of installing, you need additional software that can crack open the executable and compare its code or behavior to other known species of malware. In other words, you want antivirus software. That's true of every OS platform.

The information that PC Tools provides in its press release is, to put it charitably, sketchy. The release says, for example, that "approximately 121,000 pieces of malware were detected on approximately 58,000 unique Vista machines in the ThreatFire community." (ThreatFire is the name of the anti-malware software PC Tools is pitching.) A footnote points to a Data Summary Sheet, but it, unfortunately, is unlinked and unavailable. (I've asked PC Tools to send me this data sheet.) Without knowing the sample size or how that malware was installed, it's impossible to come to any valid conclusions.

And what does the company define as "malware," anyway? The release says "17% of all threats found on Vista machines involved in the research were Trojans, while worms accounted for 5%, spyware for 3% and viruses for 2%." That pretty much encompasses every category of true malware that I can think of (and it includes all the big threats on this highly regarded list from Kaspersky). So, what makes up the other 73%? Adware? Browser toolbars? Tracking cookies? Without those details, there's no way to know, but how dangerous can a threat be that isn't classed as a virus, worm, Trojan, or spyware program?

Update 20-May, 745PM PDT: A representative of PC Tools replied to my request for additional information with an e-mail message that includes the one-page data sheet and confirms that the remaining 73% of "threats" all fall into the category of adware. Examples include "PuA.Adware.SweetBar, Adware.HotBar, PuA.Adware.StarBar, PuA.Adware.SmartShopper, PuA.Adware.Rotator, and PuA.Adware.ALot."

Meanwhile, I continue to be impressed by the fact that my phone is not ringing with friends, family members, and clients looking to clean up virus or spyware infestations on their Vista-based PCs. I'm not alone, either. My colleague Dwight Silverman (who certainly can't be characterized as a Vista fanatic) wrote in March:

I have yet to see a Windows Vista system infected with spyware or a virus -- nor have I heard from any readers who have experienced this.

That's an echo of what Dwight noted last fall when he and I had a similar conversation:

I get a lot of cries for help from Windows users whose machines have been infected with spyware, but all of them come from XP users. Since Vista's release, I haven't heard from one Vista user with the same problem, and a scan of Jay Lee's HelpLine e-mail (yes, I have access to it) shows a similar pattern.

Is Vista significantly more secure than XP? Unquestionably. Is it invulnerable to malware? Absolutely not. Will Windows or any computer operating system ever be immune to break-ins and scams that involve social engineering? Sadly, as long as dishonest human beings exist, the answer is no.

Topics: Windows, Malware, Microsoft, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

233 comments
Log in or register to join the discussion
  • Well ...

    "Do you want Microsoft or Apple or your favorite Linux distro to say, ?I?m sorry, Dave, I can?t allow that,? ..."

    Vista already does this when the broadcast flag is set, so not allowing any cracking tools shouldn't be too far behind. ;)
    MisterMiester
    • That's not true

      When a broadcast flag was set, Vista said, "I'm sorry, Dave, I can't do that."

      Vista was actually working exactly how it was programmed to work. The broadcast flag was set to "do not record," so Vista listened and didn't record.
      aka_tripleB9
      • And furthermore

        It wasn't Vista doing that, it was the eHomerec service, aka Media Center. And if you want to replace it with a program like Sage TV or Beyond TV or another alternative that doesn't respond to the broadcast flag, you can.
        Ed Bott
        • Short term workaround

          That's only a short term workaround, Ed.

          Your non-broadcast-aware recorder will only work up until
          the time that Microsoft issues a new patch that revokes that
          software's permission to run on Vista.
          grail1
          • Oh, please

            Loosen the tinfoil!
            Ed Bott
    • " Well...

      <<[i]Vista already does this when the broadcast flag is set, so not allowing any cracking tools shouldn't be too far behind.[/i]>>

      You may well be right, but I'm betting that if you are, that feature will forever come with an on/off toggle, with default set to "off" and
      a case-by-case admin override built into the "on" switch. People simply are not going to accept an OS that replaces their best judgment with its own.
      vizenos
  • Invulnerable homo sapiens = user error

    User curiosity, user impetuousness, user impatience, user greed = [b]user error [/b]

    User error = 90% of all computer errors, foibles, glitches and regrets

    Some things never change, and it's been like this from day one. ;)
    klumper
    • OK, that is most of it.

      I agree that the vast majority of security break-downs are caused by the user. But still, even at the code level, if one person can write it, some other can crack it (eventually)
      Sagax-
  • UAC Security Hole

    UAC Security Hole
    One of the best blogs I have read on this subject can also be found on Zdnet and is here:

    http://blogs.zdnet.com/security/?p=29&tag=nl.e589

    The gist of it is that Vista's approach to UAC is an all or nothing proposition. Either you give an application full access to everything or you block it completely. For UAC to work properly, it should not elevate all setup/install programs to admin status; but instead it should act more like linux; which allows you to install programs as a user without affecting system wide parameters.

    I think the above blog (see my link) is touching on a true weakness of Vista in general and UAC in particular. Microsoft attempt to copy the linux model of security is flawed and incomplete. I do not begrudge Microsoft's attempt to copy a superior security model, but they should have done a better job.
    chessmen
    • Give them some credit

      Vista's security has improved over XP, but as you say is not yet perfect. I, too, find UAC to be somewhat annoying, but I also find Ubuntu's prompting for the admin password equally annoying. I also recognize the necessity of both, and would never dream of shutting them off like some suggest, or running in full administrator mode all of the time.

      I have to give Microsoft some credit, though. As I said in another post on this thread, I get called to clean malware from our 2K and XP machines on a regular basis, but have yet to find anything on our Vista machines. Vista is not perfect, but as a support professional I do see considerable improvement. It is easy for us to sit back and say "Why wasn't this perfect when it was released?", yet we know that is never the case. Software evolves over time, with occasional leaps and jumps. Vista has taken a very big step, and now we will watch it evolve into a more refined product with each service pack, just as XP did. In a couple of years Win7 will hit, and, benefiting from Vista's trailblazing, will probably be a more mature product. Everything we do with computers is a work in progress.
      itpro_z
      • Hope Springs Eternal

        I agree that Vista is a disappointment. I am not averse to using Microsoft products (I am typing this on an XP machine right now), but I also hope for better in Windows 7.
        chessmen
        • Did I say that?

          Don't put your words in my mouth. I said that Vista is a considerable improvement over XP. I support both (I, too, am typing this on my XP work system) and Vista so far has required less support than XP. I get calls frequently to clean XP machines that have picked up some sort of malware, but have yet to see one of our Vista machines infected. XP also slows down over time, and requires periodic attention to keep it running well. Once again, I have not found that to be true with Vista. Other than a few users with apps that refuse to upgrade, Vista Business is our standard OS for new installs.

          I, too, am looking forward to Win7 (Vista SP2), as I feel that Vista has laid a decent foundation and with SP2 or Second Edition or whatever they will call it, it will mature into a very nice OS. I also believe that those of us who have already made the transition to Vista will have a much easier time with Win7 when it arrives. For us, Win7 will be a small step. For you, going from XP to Win7 will be a huge step.
          itpro_z
          • How do you know all this?

            [i]I, too, am looking forward to Win7 (Vista SP2), as I feel that Vista has laid a decent foundation and with SP2 or Second Edition or whatever they will call it, it will mature into a very nice OS.[/i]

            How do you know all this? How do you know it's not going to be a more radical step? M$ has been pretty mum as far as details about Windows 7 are concerned.

            [i]I also believe that those of us who have already made the transition to Vista will have a much easier time with Win7 when it arrives. For us, Win7 will be a small step. For you, going from XP to Win7 will be a huge step.[/i]

            You don't know that. None of this has happened yet.

            And another thing, I find using the password in Linux to be be far less obtrusive than my exposure to UAC. I don't get nanny pop screens asking me do I really want to click on this, or do I really want to go to this particular website.

            The only times I'm asked for a password in Linux is when I first log in for a user session or when I download something from the Synaptic package manager, which doesn't happen too often.

            And occasionally I've had to log into the terminal using :~$ su without having to log off and use my root password, but that been rare. I've yet to use sudo to do anything.

            Thank God, there's no need for Ed Bott tweaking UAC manuals for Linux.
            hasta la Vista, bah-bie
        • Think of it as evolution in action....

          <<[i]I agree that Vista is a disappointment. I am not averse to using Microsoft products (I am typing this on an XP machine right now), but I also hope for better in Windows 7.[/i]>>

          So do I; though if linux continues to improve at its current rate, many of us may not be using Windows when Windows 7 ships.

          I'll be one of those who do, though--on my multi-boot system with Kubuntu as default--because the fact is that Windows keeps on getting better and better.

          I skipped over Win 95 completely, but ever since Win 98, Windows has steadily gotten better, bloated code and all. Win 2k was better than Win 98; Win XP was better than Win 2k, Vista is better than Win XP, and Win 7 will be better than Vista. I'll always have at least the latest incarnation of Windows somewhere on my system, because I'll always need to know Windows in order to provide tech support for it; but also because Windows really does keep getting better.
          vizenos
      • what I hear from you is far more typical

        than what the PC Tools study has to offer. Their study, can be picked apart on so many levels, it has about as much credence as an internet poll.
        marks055
      • That's not what he's suggesting

        The OP wasn't expressing annoyance with the UAC prompt, he was pointing out that under operating systems like Linux and OS X, you have the option to run an application within your user-space, rather than system-wide. On Linux you have ~/bin, and on OS X you have ~/Applications. Some applications still _require_ system access to run, but a far greater number can be run from a sandbox.

        Ultimately, what is burdening Microsoft is an OS design that didn't take any of this in to account way back in the early stages. Windows was designed for desktop computers that were 1/100th as powerful as today's machines. This was a time when software writers simply didn't have the hardware tools to write software that isolates processes in memory or manages multiple user contexts. They were fortunate to run 256 color graphics! One of Microsoft's biggest strengths is also their greatest weakness: backward compatibility. The same age-old mechanisms that let them run old software stand in the way of efficient multi-tier user access.

        Unix, on the other hand, was written for large, multi-user platforms where the protection of the system from the user was built in from day one. Large "mini-computer" installations cost hundreds of thousands of dollars back in their day. Operators needed software that would allow multiple people to use the system, without allowing a program that a single user runs to take down the whole system. Today, we have the benefit of desktop systems that can handle these more complex operating systems. It's just that some software implemented these concepts from day one, while others are struggling to graft them on to old paradigms.
        bradaaa3
        • Backward compatibility

          >One of Microsoft's biggest strengths is also their >greatest weakness: backward compatibility. The same >age-old mechanisms that let them run old software >stand in the way of efficient multi-tier user access.

          The problem is as I see it, we have huge attempts to drag the walrus around and make everything backward compatible, and MS gets lambasted for the Security not being perfect.

          However if we made the security perfect, then MS would be getting lambasted for the lack of backward compatibility.

          If you don't believe me, look at users complaining when MS finally dropped 8 Bit support, and then 16. Face it, if you're using a brand new OS and still using the 20 year old app, you:

          1. Either need a new application.
          2. do not need a modern OS.

          But lets pick what we want Compatibility, or Security once picked we do not want to hear you whine about the other one.
          craig.soderland
          • Couldn't agree more

            I couldn't agree more !

            Windows (I believe) has become the most
            complicated OS, because of backward compatibility issues.
            I think that MS does the best thing:
            Maintains backward compatibility at
            some extent, and evolves Windows (including
            it's security) at the same time.

            I also find stupid the way other OS understand
            security. I heard once a guy saying that an
            other OS is more secure than Windows because,
            in order to run an unknown app, you had to pass
            through a bloody long process.
            Well, my opinion is that a user will run the
            app, if he wants to, whether it is through a
            simple double click or a long process full of suffering... The only difference is how
            comfortable or annoyed the user will feel.

            As for all the complains about Vista being
            not as good as XP, I am pretty sure you that the only thing users didn't like was the essence
            of security (confirmation dialogs that pop up
            and make you angry) and the their "not-so-good" performance.
            If you use a tweaker all of these can
            be "cured" !
            ghost_ghost
          • Why not?

            <<[i]But lets pick what we want Compatibility, or Security once picked we do not want to hear you whine about the other one.[/i]>>

            What you want and what you'll get will probably never be identical. :)

            Most of my clients are just like me: we want it all, and we want it NOW! We want a completely stable OS that runs all the new apps and continues to run our old favorites too, with complete security that still lets us make every stupid decision we want to make and cleans up all the resulting messes without bothering us with the details.

            IMO, we'll never have that, so we'll keep on whingeing and creebing about how disappointed we are that neither Microsoft nor our favorite linux distros give us everything that we want.
            vizenos
        • What your saying about Windows

          was correct for Win 9x since it came from Win 3.1 on top of DOS. However, Vista/XP are iterations of Win NT kernel which was designed from the beginning to be a multi-user system. Win NT 3.1 (If I remember correctly) was released in two versions: workstation and advanced server version. Most businesses used the Win 9x line instead of the NT versions, but that doesn't mean that XP descended from the 9x line.
          alaniane