Puncturing the myth of the invulnerable OS

An Australian developer of Windows security software is making headlines with research that claims Windows Vista is "still a long way from immunity to online threats." So, what operating system is invulnerable to malware? When did that become the criterion for success in security? The data is sketchy (to say the least) and the underlying argument is flawed. As long as crooks are trying to scam their way onto your PC, humans will occasionally make bad decisions about which software to install. Do you really want an OS that substitutes its judgment for yours and refuses to install a program you want or need?

I keep trying to come up with explanations for why rational technical publications continue to amplify the nonsensical research coming out of Australian security vendor PC Tools in the past few weeks.

Jedi mind tricks? Post-hypnotic suggestions embedded in web pages served from the Southern Hemisphere? Sunspots? There's certainly no rational explanation for anyone with a lick of security experience to take this stuff seriously.

But here's Information Week, with its scare headline "Windows Vista More Vulnerable To Malware Than Windows 2000." There's a pro forma note in the second graf that PC Tools "has a financial interest in the vulnerability of Microsoft's software," but otherwise it's just a rehash of the press release. InfoWorld picked up the same release and reprinted it practically verbatim. And today my normally super-smart ZDNet colleague Adrian Kingsley-Hughes took the bait on a new PC Tools release, starting his post Does running Vista make you feel safe from malware? with this line:

Another day, another report casts doubt on Vista’s immunity to malware.

That, of course, echoes the title of (and links directly to) the press release from PC Tools. (And with the exception of press releases from companies trying to sell security software, where are those other reports, anyway?) Adrian goes on to catalog the security improvements that distinguish Vista from XP but then says, "despite all this I don’t subscribe to the idea that Vista is somehow invulnerable to malware."

So, what operating system is invulnerable to malware? When did that become the criterion for success in security?

If I send you an e-mail with the file HotBabes.exe attached to it, you have to decide whether to run it or not. If you are deluded enough to double-click that icon, and you are running Windows Vista, several things are going to happen:

  • If you are running under a standard user account set up by your parent or your IT department, you will be unable to install that program until you find adult supervision and convince them to enter the administrator password. Good luck with that.
  • If you are the administrator, you will see a UAC prompt that will provide you with some information placed there by the creator of the program, which might or might not help you decide whether it's safe to install. If the program is digitally signed, you will be able to get a third-party service to confirm the identity of the person or organization that signed the program.
  • Ultimately, you will decide to click Continue or Cancel. If the file I sent you was a Trojan or virus and you say Continue, you lose.

It's as simple as that. If you're the admin and you tell the OS you want to run an executable program, the OS has to respect your judgment and allow it. It has no way of knowing whether a program is good or evil, well written or buggy, or whether it will cause your system to lock up with a STOP error. As the boss, you get to make the decision.
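The UAC prompt described above is built on two things the OS can actually check before it hands the decision back to you: whether your session is running with administrator rights, and whether the executable carries a valid Authenticode signature that chains to a trusted root. The following PowerShell script is an added example, not code from the original post or from PC Tools, that pulls exactly that information out for a file you have been sent; the path is a constructed placeholder, and the verdict text is my own framing of what each signature status means.

```powershell
# Added example (not from the original post): inspect what UAC would tell you
# about an executable, namely the Authenticode signature, the signer's
# identity, and whether you are even running as an administrator.
param(
    # Constructed placeholder path; point this at the file you are evaluating.
    [string]$Path = "$env:USERPROFILE\Downloads\HotBabes.exe"
)

function Test-IsAdministrator {
    # True when the current token is a member of the local Administrators
    # group; under a standard user account this returns False and an install
    # will require someone else's credentials at the UAC prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExecutableTrustReport {
    param([string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # Get-AuthenticodeSignature verifies the embedded signature against the
    # file's current contents and walks the certificate chain to a trusted
    # root. Status is Valid, NotSigned, HashMismatch, NotTrusted, etc.
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File           = $FilePath
        Status         = $sig.Status
        Signer         = if ($cert) { $cert.Subject }    else { '(unsigned)' }
        Thumbprint     = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter       = if ($cert) { $cert.NotAfter }   else { $null }
        RunningAsAdmin = Test-IsAdministrator
    }
}

$report = Get-ExecutableTrustReport -FilePath $Path
$report | Format-List

# A signature identifies the publisher; it never vouches for the program's
# intent, which is the judgment call the OS leaves to you.
switch ([string]$report.Status) {
    'Valid'        { "Signed by $($report.Signer). Publisher identity is confirmed; whether the program is safe is still your call." }
    'NotSigned'    { "Unsigned: UAC will show an 'Unknown publisher' prompt and you have only the sender's word." }
    'HashMismatch' { "Signature does not match the file contents: the file was altered after signing. Do not run it." }
    default        { "Signature present but not trusted ($($report.Status)): treat the publisher as unverified." }
}
```

Run it as `.\Check-Executable.ps1 -Path C:\path\to\file.exe` (any script name will do). The script only reads the file and never launches it, so it is safe to run against something you do not yet trust; note that `RunningAsAdmin` reflects the PowerShell session you launched, which is the same token UAC will evaluate when you double-click the attachment.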

And that's the way it should be. Do you want an OS that refuses to allow you to install a remote access program so you can do online help or access your home PC from the road? Do you want Microsoft or Apple or your favorite Linux distro to say, "I'm sorry, Dave, I can't allow that," when you install a password cracking tool to recover the information in a lost file? Of course not. But I've seen antivirus programs squawk for years over some of my most useful security tools in these categories, claiming they are threats and offering to neuter them for me. No thanks.

If you want help analyzing the actual contents of a program you're thinking of installing, you need additional software that can crack open the executable and compare its code or behavior to other known species of malware. In other words, you want antivirus software. That's true of every OS platform.

The information that PC Tools provides in its press release is, to put it charitably, sketchy. The release says, for example, that "approximately 121,000 pieces of malware were detected on approximately 58,000 unique Vista machines in the ThreatFire community." (ThreatFire is the name of the anti-malware software PC Tools is pitching.) A footnote points to a Data Summary Sheet, but it, unfortunately, is unlinked and unavailable. (I've asked PC Tools to send me this data sheet.) Without knowing the sample size or how that malware was installed, it's impossible to come to any valid conclusions.

And what does the company define as "malware," anyway? The release says "17% of all threats found on Vista machines involved in the research were Trojans, while worms accounted for 5%, spyware for 3% and viruses for 2%." That pretty much encompasses every category of true malware that I can think of (and it includes all the big threats on this highly regarded list from Kaspersky). So, what makes up the other 73%? Adware? Browser toolbars? Tracking cookies? Without those details, there's no way to know, but how dangerous can a threat be that isn't classed as a virus, worm, Trojan, or spyware program?

Update 20-May, 7:45PM PDT: A representative of PC Tools replied to my request for additional information with an e-mail message that includes the one-page data sheet and confirms that the remaining 73% of "threats" all fall into the category of adware. Examples include "PuA.Adware.SweetBar, Adware.HotBar, PuA.Adware.StarBar, PuA.Adware.SmartShopper, PuA.Adware.Rotator, and PuA.Adware.ALot."

Meanwhile, I continue to be impressed by the fact that my phone is not ringing with friends, family members, and clients looking to clean up virus or spyware infestations on their Vista-based PCs. I'm not alone, either. My colleague Dwight Silverman (who certainly can't be characterized as a Vista fanatic) wrote in March:

I have yet to see a Windows Vista system infected with spyware or a virus -- nor have I heard from any readers who have experienced this.

That's an echo of what Dwight noted last fall when he and I had a similar conversation:

I get a lot of cries for help from Windows users whose machines have been infected with spyware, but all of them come from XP users. Since Vista's release, I haven't heard from one Vista user with the same problem, and a scan of Jay Lee's HelpLine e-mail (yes, I have access to it) shows a similar pattern.

Is Vista significantly more secure than XP? Unquestionably. Is it invulnerable to malware? Absolutely not. Will Windows or any computer operating system ever be immune to break-ins and scams that involve social engineering? Sadly, as long as dishonest human beings exist, the answer is no.