Windows Security wrap-up: praise for Vista and a historic first

Windows Security wrap-up: praise for Vista and a historic first

Summary: At last week's Black Hat conference, a security expert who spent time "beating up Vista" talks about Microsoft's approach to security. Microsoft falls off a top 10 list. And you should visit Windows Update now to get a new Critical update for IE.

SHARE:

It’s not often that you hear the words “Windows Vista” and “world-leading” in the same sentence.

So security expert Chris Paget’s ringing testimonial for Windows at last week’s Black Hat conference is newsworthy. CNET’s Seth Rosenblatt covered the talk.

Paget and her team are among the few outsiders allowed to look at Microsoft’s code. She and her team contracted for Microsoft to review the security of Windows Vista before it shipped—“beating up Vista,” she called it. The work was covered by a five-year non-disclosure agreement that just expired, allowing her to finally break her silence.

“Vista was a giant leap in the right direction,” Paget said. And she lavished praise on Microsoft’s security processes:

"'World-leading' is entirely appropriate" when discussing Microsoft's security procedures, she said at the start of her talk. "Microsoft's security process is spectacular."

That opinion is buttressed by a new list of top vulnerabilities that represents a historic first for Microsoft.

As usual, the latest quarterly report on malware from Kaspersky Lab contains a top 10 list of vulnerabilities. But the new list doesn’t include a single Microsoft product:

For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone.

Kaspersky says the change is directly attributable to improvements in recent versions of Windows, especially Windows 7.

Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.

Paget’s talk supplies one explanation for the improvements in Windows 7: her group was only allowed to look at new code for Vista. “Recursion looked at code kernel and the user space but was told not to look at legacy code. Microsoft didn't add legacy code vetting until Windows 7.”

This week also included the second Tuesday of August. The Patch Tuesday bounty delivered included a Critical update for Internet Explorer that fixes seven vulnerabilities. Microsoft said it “expects to see reliable exploits developed within the next 30 days,” so you probably want to visit Windows Update and make sure this one has been applied.

Topics: Operating Systems, Microsoft, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

89 comments
Log in or register to join the discussion
  • I am sorry Ed. This is bait. And I'm not falling for it.

    Seriously,<br><br>Microsoft has improved their security track record and they are to be commended for it.<br><br>However, Microsoft has to completely rewrite their operating system if they are going to approach the security integrity of Unix and its variants/derivatives.<br><br>You have rewritten your own ticket (The Ed Bott Report), so why not compare and contrast Windows security features vs the competition? Yes? It would be both constructive and instructive.

    Hey wait. I think I just fell for it. Click. :/
    Dietrich T. Schmitz * Your Linux Advocate!
    • I don't care and neither do my readers

      @Dietrich<br><br>I hate to tell you this, but my readers do not use Linux. (And make no mistake, when you say "Unix and its variants/derivatives," you mean Linux. Especially when your signature identifies you as a "Linux Advocate.")<br><br><br>They care about Windows and OS X. But they do not use Linux and they do not even plan to think about considering possibly switching to Linux.<br><br>When I write about Linux, NO ONE CARES. I have Ubuntu Linux installed in a virtual machine here, but I have no desire to use it when I have both a Windows PC and a Mac at hand.<br><br>There are lots of people who write about Linux security for audiences that care about the subject. They are welcome to tackle this topic. I won't do it. It is a waste of my time and my readers' time.<br><br>This post is about Windows. Period. A discussion of Linux is irrelevant. Once again I ask you to stop hijacking threads to talk about things that MY READERS DO NOT CARE ABOUT.<br><br>I do not know how much more direct I can be.<br><br>Thank you.

      Oh, and to everyone: PLEASE DON'T FEED THE TROLLS.
      Ed Bott
      • Please reread what I wrote

        Follow-up:<br><br>I did not say Linux users are unwelcome here. Please feel free to visit and read. What I said is that the overwhelming majority of my readers do not care about Linux. They have no plans to switch operating systems nor are they even interested in trying it. That is a fact.<br><br>More importantly, it is not a topic I am able or willing to write about with authority. It takes a tremendous amount of research to write meaningful material. I will not spend that time on an operating system that does not matter to me or to my readers.<br><br>Done.
        Ed Bott
      • I use Windows, Linux, and Mac OS X.

        @Ed Bott But I don't think that's your point. The trolls can't handle it when their religion, whoops, I mean OS, is not the centre of attention. They should grow up.
        happyharry_z
      • We've been saying that to DTS for a while now.

        @happyharry_z: [i]The trolls can't handle it when their religion, whoops, I mean OS, is not the centre of attention. They should grow up.[/i]

        Yet he continues to troll.
        ye
      • To repeat...

        PLEASE DO NOT FEED THE TROLLS.
        Ed Bott
      • Ed you are correct

        @Ed Bott

        Ed as a dedicated Mac user, you are still right. There are always going to be people that refuse delivery of the truth.
        MichaelWells
      • RE: Windows Security wrap-up: praise for Vista and a historic first

        @Ed Bott
        As usual, you missed the point. You brought up the subject of security. And it was stated that yes, Microsoft did improve their security, but it has a long way to go, and linux/Unix was used as an example of an OS with much better security. So good in fact, that the "Pawn to Own" challenges failed to break into the Linux systems, and they no longer try linux.

        You opened that door and now you want to close it after the fact. Yes, you write about Windows, but when you compare Windows with any other product, or introduce a general subject such as OS security, you better be prepared to support your arguments. Otherwise, you are one who comes off as the troll. Sounds like it is your turn to go on a diet.
        linux for me
      • You blew your own argument out of the water...

        @Ed Bott
        You can't argue that your readers don't care about Unix derivatives in one sentence and then in the very next sentence say they care about OS X. Sorry Ed, but that is borderline stupid, hold the "borderline".
        jasonp@...
      • RE: Windows Security wrap-up: praise for Vista and a historic first

        @Ed Bott I hate to tell you Ed - but we [expletive deleted] do use Linux! You can't really blame him too much when you've changed the name of the blog!

        Now I don't JUST use Linux, sure... I use Mac and Windows too. But I'm a reader too, and you'll notice I don't always argue with you (often we agree - it's kinda like the relationship with Dietrich).

        Getting back to the actual article (rather than focusing on some mythical article you've not written [wink]), I think this is EXACTLY right (and I've said so) it is Vista that deserves the real credit and not Windows 7. Windows Vista was "doing the right thing" when it was hard (making that application that skirted around the official API crash - you know, the one you loved, or that your business depended on). Now the applications have either been rewritten or discarded (Alas poor "Inventory Management App" I knew him, Horatio, a fellow of infinite jest, of most excellent fancy. And directly writing to the port without going making the proper calls).

        So sure, it was a total pain when the thing you needed didn't work, UAC was constantly in your face, and that super-fancy GPU's driver was a big ball of suck - but let's hear it for Vista, for blazing a trail, and making Windows 7 look good (given that by the time it shipped we'd given up with those misbehaving applications, and ATI/Nvidia had actually managed to ship drivers that actually worked).

        However, I too want to call for another article (sorry). Can we take a look at security and Flash? It does seem to be the new "bad boy". Specifically, can we compare running Flash as a browser plugin and Chrome's embedded Flash? I strongly suspect Chrome's implementation will be far safer - but I'd like something to back up that hunch.
        Jeremy-UK
      • The fact is...

        @Ed Bott

        If someone posted a reply referring to Linux with a point that had some direct relevance it would be quite understandable why they brought Linux up, but in fact that hardly ever seems to happen, if ever.

        What usually seems to be the theme in the posts people make about Linux in relation to a Windows based article is to iterate in some form that Windows has some serious problems that can only be cured by way of making Windows into something that would be much like, if not exactly like Linux.

        And thats a problem , yes.

        Its a problem because the posters who say things like that are operating under some kind of a weird misconception of what the vast majority of the worlds experience with Windows has been like.

        For the vast majority of the world, Windows has not been the unending series of BSOD's and viruses and frozen screens that many Linux users claim the Windows experience is like. In fact, in recent years I suspect the very few BSOD's that some Windows users might have experienced in the past are probably long gone for good.

        Its clear by the kinds of posts we see from the Linux users perspective that they get no particular enjoyment out of using Windows while again the vast majority of Windows users are typically quite happy With the way Windows looks and performs. Making critical comments of Windows that flies right in the face of what the typical user experience is truthfully like, is a pointless waste of time.

        And finally, the major thing that so many Linux "advocates" cannot seem to get out of their mind is that there is zero reason to consider switching operating systems if you have had a good experience with Windows and you like the way it works and you do not experience all these negative things that some people love to 'claim' happen all the time. No interest in switching. None.

        So indeed if a Linux user has a good relevant point to make that is right on topic and isn't involving nothing more then their strictly personal views on how bad Windows is and why it has got to be more like Linux, then sure, but it doesn't seem too likely.

        I for one have tried Linux a few years ago and thought it was a pretty decent OS, just not for me in the long run. I certainly concede that if Linux works for you, then you should certainly use it, its free and it works fine if its meeting your needs. Its just too bad we can never seem to get one of the Linux users to ever concede that there is nothing wrong with Windows and that if its meeting our needs there is likewise no reason not to use it. That would be truly refreshing because that would be the truth.
        Cayble
  • Very glad

    Now they just need to get Adobe on board and maybe the internets would be safer. Oh, and Java. But good luck with either of those. I'm just glad XP and earlier is slowly fading away, Windows 7/OS X are far better at this point.
    LiquidLearner
  • RE: Windows Security wrap-up: praise for Vista and a historic first

    I go as far as to say that Vista out of the box is more secure then Windows 7, mainly to the fact that Microsoft gave in to complaints and made Uac kess strict. The first thing I do on a Win7 box is jank the slider to max on uac.
    sjaak327
    • RE: Windows Security wrap-up: praise for Vista and a historic first

      @sjaak327

      Same.
      The one and only, Cylon Centurion
    • Not any difference if you use best practise

      @sjaak327

      Best practise is to use limited user accounts for normal use, although that sometimes doesn't work for some LOB apps. UAC is not a security feature - it's an ease-of-use feature. Users want to have full control over their PC, but much to their detriment, they often click on things they shouldn't. UAC was brought in to confirm to admins that they are doing something they want to. It's the users that don't have a clue and mindlessly click on things that are dangerous with admin rights, but that's how most home users want to run, and so UAC was brought in. Microsoft has to rely on users reading what's on the screen to confirm that what they are doing is important. IMO, they need to word it more clearly, as in "The current process has been temporarily halted because it requires changes that can damage your computer", or words to that effect. Alas, some users still just click through it. It not only prompts, but also remember that admins don't actually get full admin access all of the time - it would be dangerous to run with full admin rights during an entire session. When something requires admin access, UAC prompts to raise the privilege level ONLY ON THAT EVENT. Another thing it does is it allows a limited user to initiate an admin privilege escalation, but an admin has to authenticate their credentials for it to proceed. In XP, you have to sign a limited user out and sign in as an admin for the same effect.

      UAC just makes these processes easier.

      There are actually far more important security features in Windows than UAC, but UAC is the most apparent change because of the UI elements.

      I do agree with "zipping up" the UAC slider though. If you agree, make a shirt and wear it proudly: http://msmvps.com/blogs/bradley/archive/2009/05/29/get-your-uac-defense-in-depth-slider-shirts-here.aspx
      Joe_Raby
      • RE: Windows Security wrap-up: praise for Vista and a historic first

        @Joe_Raby

        I agree with most of what you wrote, however I do believe it could be called a security feature, as it strips the admin token (being a member of the administrator group) from the user, which means that without elevation, the administrator runs with mere user rights.

        Also uac handles the ie sandbox, and provides file and registry virtualisation, which first and foremost is a compatiblity feature, but it prevents badly coded apps from accessing ceetain parts of the file system and HKLM, such an event would then of course raise a consent prompt.
        sjaak327
      • You didn't read what I wrote

        @honeymonster

        You clearly didn't read through what I wrote.

        Go ahead and re-read it. I clearly stated that UAC isn't just a prompt as it is a nice UI to facilitate privilege escalation.

        However, what you state as far as files being "blocked": that was introduced in Windows XP SP2, and ACL has been around for years.

        UAC is NOT a sandbox.

        If you run Windows Vista/7 as you were meant to run: with limited user account access for normal usage, and admin for admin-only usage, the difference to XP is that limited users are prompted for privilege escalation in Vista (with admin credentials), whereas they can't raise it in XP. For admin logins, user credentials are at low by default, UNLESS a process requires privilege escalation - to which it prompts to raise it. XP runs processes under an admin login with higher credentials than Vista normally would, but the difference is in the prompt. FYI: there are still user-level processes in Windows XP, and they can't communicate with system-level processes either.

        UAC doesn't explicitly block anything that a conventional user can't (and most often, doesn't) bypass, therefore I stand by my comment that it isn't a security feature.
        Joe_Raby
      • RE: Windows Security wrap-up: praise for Vista and a historic first

        @Joe_Raby My understanding is that UAC was targeted at 3rd party developers, mostly, to get them to stop writing user space apps that require Administrator privileges and, therefore, allow users to live comfortably in standard user accounts (poorly programmed 3rd party apps are why many Windows XP users run as Admin, aside from being the default account).<br><br>In and of itself, UAC is not a security boundary (see Mark Russinovich's writings on this). However, when UAC is enabled, Internet Explorer protected mode is enabled. Conversely, when UAC is disabled, IE protected mode is disabled. And IE protected mode provides Windows sandboxing via integrity levels, especially low integrity levels. There are two brokers, IEUser.exe (for writing files outside of low integrity level folders) and IEInstal.exe (which enables ActiveX controls to be installed), used to elevate privileges in IE described here:<br><br><a href="http://msdn.microsoft.com/en-us/library/bb250462%28v=vs.85%29.aspx" target="_blank" rel="nofollow"><a href="http://msdn.microsoft.com/en-us/library/bb250462%28v=vs.85%29.aspx" target="_blank" rel="nofollow"><a href="http://msdn.microsoft.com/en-us/library/bb250462%28v=vs.85%29.aspx" target="_blank" rel="nofollow">http://msdn.microsoft.com/en-us/library/bb250462%28v=vs.85%29.aspx</a></a></a><br><br>I have looked for and have been unable to find a way to disable these two IE brokers other than denying their execution with a program like Faronics Anti-Executable. Just to further lock down Windows.<br><br>Compared to *Nix, though, UAC is crude, it's all or nothing. One either has Administrator privileges or one does not. In *Nix, sudo has much finer granularity in that a user can be granted to run a specific executable as the root user, with or without authenticating using their non-root password. To get this level of granularity in Windows (e.g., for those still poorly programmed 3rd party applications requiring Admin privileges) one needs to go to a 3rd party vendor such as BeyondTrust. They offer a group policy object that provides Windows with the granularity of *Nix sudo.
        Rabid Howler Monkey
      • You don't know what UAC is

        @honeymonster

        UAC? You mean that annoying prompt that pops up all the time asking if you really want to do this? ever heard of the boy who cried wolf? well how is a normal user supposed to know what is malware and what isn't when that annoying prompt pops up all the time?
        guzz46
      • sudo is a kludge

        @Rabid Howler Monkey: [i]In *Nix, sudo has much finer granularity in that a user can be granted to run a specific executable as the root user, with or without authenticating using their non-root password.[/i]

        sudo is not the operating system either. It is a set UID program with root as the owner. When run sudo runs with root privileges. If there's a bug in sudo then you've got root privileges. If you run a program, such as vi, which has a shell escape feature (":!bash" for example) you've got a root shell.

        sudo's granularity is a function of sudo and not UNIX. If sudo is broken then you've got a security problem.

        sudo is one of those programs people who do UNIX security have always been told to avoid: set UID. Especially as root.

        RBAC, built in to Solaris, is a much better implementation than sudo.
        ye