[Infowarrior] - How much will Windows security matter?

[Richard Forno]

 How much will Windows security matter?

By BRIAN BERGSTEIN, AP Technology WriterSun Dec 10, 2:33 PM ET

http://news.yahoo.com/s/ap/20061210/ap_on_hi_te/microsoft_security_1&printer
=1

Microsoft Corp. took great pains to improve security in its newly released
computer operating system, Windows Vista, redesigning it to reduce users'
exposure to destructive programs from the Internet. Outside researchers
commend the retooled approach ‹ yet they also say the changes won't make
online life much safer than it is now.

Why not? Partly because of security progress that Microsoft already had made
in its last operating system, Windows XP. Also because a complex product
like Vista is bound to have holes yet to be discovered. And mainly because
of the rapidly changing nature of online threats.

Sure, Microsoft appears to have fixed the glitches that used to make it easy
for viruses, worms and other problems to wreck PCs. But other avenues for
attack are always evolving.

"Microsoft has made the core of the operating system more secure, but
they've really solved, by and large, yesterday's problems," said Oliver
Friedrichs, director of emerging technologies at antivirus vendor Symantec
Corp.

That claim would not please Microsoft, which touts Vista's improved security
as a big reason why companies and consumers will want to upgrade to the new
operating system.

In fact, Microsoft's effort to tighten security in Vista was one reason the
software was delayed past the crucial holiday shopping season. It's now
available for businesses and will be available to consumers Jan. 30.

"It is an incremental improvement ‹ it is a reasonably large increment,"
said Jon Callas, chief technology officer at PGP Corp., a maker of
encryption software. "I don't think it's a game-changer."

Some of Vista's security enhancements require computers with the latest
microprocessors ‹ which are known as 64-bit chips, in reference to how much
data they process at once. That won't improve things on today's standard
32-bit computers, which will stick around for a long time.

However, most of the improvements are available in all editions of Vista,
including a stronger firewall and a built-in program known as Defender that
alerts users if Vista believes spyware is being installed.

"Windows is going to talk to you a lot more and make sure you're a lot more
aware of what you're doing," said Adrien Robinson, a director in Windows'
security technology unit. "It's going to help consumers be more savvy."

One of Vista's biggest changes is more control over computer management.
With previous versions of Windows, users were given by default great control
over the computer's settings ‹ a situation that opened the door to nefarious
manipulation by outsiders. In Vista, users are prompted to supply a password
when they make significant changes ‹ a security feature long available on
Apple Computer Inc.'s Macintosh and computers running the Linux operating
system.

At the same time, the software gives corporate PC administrators new
security powers, such as the ability to turn off the USB ports that
employees might use to remove data or bring in troublesome programs on flash
drives. (Some network administrators had told Microsoft they were so
desperate to stop that practice that they were filling the PC ports with
glue.)

Even with all the changes, Vista does not promise a total cure for security
headaches. Microsoft, after all, is also selling security add-ons, competing
more directly with antivirus companies than in the past.

"Rather than having all the doors unlocked, you now have locks on the doors.
It doesn't mean it's a silver bullet," Robinson said. "If they really wanted
to get in, they could get through. They could throw a rock through the
window. But it's harder. Our goal is to make it harder, to raise the bar."

Still, when Vista for businesses was launched in New York on Nov. 30,
Microsoft CEO Steve Ballmer promised a "dramatic" drop in "the number of
vulnerabilities that ever present themselves."

If so, that would spare Microsoft from a repeat of the embarrassing series
of "critical" security patches it had to release for the previous operating
system.

But it might not mean much against many threats Web surfers face today.

For one thing, the kinds of large-scale, automated worms that Vista
purportedly will hinder have been waning anyway, according to security
analysts. Symantec's Friedrichs said 2006 hasn't seen any worms as prevalent
as the kinds that caused widely publicized PC outages several years ago,
with names like Slammer and Blaster.

That's partly because of enhancements Microsoft already made in Service Pack
2, a huge set of patches for Windows XP that were released in 2004.

"If you're looking at two versions, XP Service Pack 2 versus Vista, I'm
going to say to the average user they're both going to offer them good
security," said Michael Cherry, an analyst at Directions on Microsoft. "Is
Vista better? I don't know if it's that substantially better."

Security experts say malicious hackers have largely moved away from
outage-causing attacks, motivated by publicity or pride, in favor of more
targeted and lucrative thefts of users' data. Those attacks tend to exploit
flaws in Web applications or employ "social engineering" ‹ such as tricking
people with phony e-mails into giving up passwords.

"From that perspective, Vista is a non-event," said John McCormack, a senior
vice president at security vendor Websense Inc.

To its credit, Microsoft is fighting such "phishing" attacks by configuring
its new Internet Explorer 7 Web browser to alert users if they're visiting a
dicey-seeming Web site. Internet Explorer 7 is already available for free
download.

But IE7's phish-catching method alone is limited: It is based on a "black
list" of sites known to be up to no good. Outside security experts say that
will not stop the increasingly savvy attackers who constantly morph their
tactics, sometimes every few hours.

For example, Websense recently tracked a phishing attack that mimicked a
customer service message from Amazon.com. It passed through most spam
filters, and the phony Web site to which it directed victims changed
throughout the day. For at least the first few days, IE7 hadn't caught up to
block it, McCormack said.

Perhaps one indication that security in the Vista era will be better but far
from perfect came in recent research by Sophos PLC.

The security software company determined that three of the 10 most prevalent
malicious worms circulating on the Internet in November were able to run on
Vista.

Impressively, the e-mail program that comes with Vista ‹ Windows Mail,
formerly called Outlook Express ‹ successfully found and blocked the
malware. But Web-based e-mail services let it through, said Sophos security
analyst Ron O'Brien.

For O'Brien, that finding showed that while Microsoft's efforts to upgrade
computer security are praiseworthy, there's only so much the company can do.
Not only are Microsoft's hands tied when it comes to the security of
third-party applications, but the company also is limited in what it can do
with its own software.

For example, McCormack said Microsoft might have done more to prevent
criminals from surreptitiously placing keystroke-monitoring programs on
computers to steal data. But the fix likely would have shut out legitimate
programs as well, such as those that let people operate their PCs remotely.

"You have to find this happy medium between usability and security,"
McCormack said.

Of course, with Vista on a tiny fraction of desktops today, it's way too
early to assess how much hackers can mess with it.

"I don't know how long Microsoft is going to be able to claim the streets
are safe before a criminal decides to challenge that opinion," O'Brien said.
"That's going to just be a matter of time."

___

On the Net:

Microsoft's page on Vista security:

http://www.microsoft.com/security/windowsvista/default.mspx