[Infowarrior] - Experts: Don't buy Vista for the security

Tue Jan 30 08:57:32 EST 2007

Experts: Don't buy Vista for the security

By Joris Evers
http://news.com.com/Experts+Dont+buy+Vista+for+the+security/2100-1016_3-6154
448.html

Story last modified Tue Jan 30 04:00:04 PST 2007

Windows Vista is a leap forward in terms of security, but few people who
know the operating system say the advances are enough to justify an upgrade.

Microsoft officially launched Vista for consumers Tuesday. The software
giant promotes the new operating system as the most secure version of
Windows yet. It's a drum Microsoft has been beating for some time.

"Safety and security is the overriding feature that most people will want to
have Windows Vista for," Jim Allchin, Microsoft's outgoing Windows chief,
told CNET News.com a year ago. "Even if they are not into home entertainment
or in any of the specialty areas, they are just going to feel safer and more
secure by using it."

Now that Vista is finally here, pundits praise the security work Microsoft
has done. However, most say that is no reason to dump a functioning PC
running Windows XP with Service Pack 2 and shell out $200 to upgrade to
Vista.

"As long as XP users keep their updates current, there's generally no
compelling reason to buy into the hype and purchase Vista right away," said
David Milman, chief executive of Rescuecom, a computer repair and support
company. "We suggest people wait until buying a new machine to get Vista,
for economic and practical reasons."

As in the past, Microsoft faces itself as its toughest competitor. SP2 for
Windows XP, which was released in August 2004, marked a significant and
much-needed boost in PC security. Since then, Microsoft has released
Internet Explorer 7 and the Windows Defender antispyware tool for XP. As a
result, the older Windows version is simply good enough for many users.

"Upgrading to Vista is pretty expensive, not only the new software but often
new hardware as well," said Gartner Analyst John Pescatore. "If you put IE 7
on a Windows XP SP2 PC, along with the usual third-party firewall, antiviral
and antispyware tools, you can have a perfectly secure PC if you keep up
with the patches."

Vista is the first client version of Windows built with security in mind,
according to Microsoft. That means it should have fewer coding errors that
might be exploited in attacks. Vista also includes several techniques and
features designed to make it harder to attack computers running Vista and to
thwart attacks if they do happen.

"Vista is light-years ahead of XP from a built-in security perspective,"
said Pete Lindstrom, a Burton Group analyst. "But the market will decide
whether it is important. Note that there haven't really been significant
problems with the operating system lately, and our memories are short."

If most consumers think like Brian Lambert, a student at Southern Illinois
University, it doesn't bode well for Microsoft. "The added security alone is
not worth the money when comparing Vista with Windows XP SP2," said Lambert,
a member of CNET News.com's Vista Views panel.

Yet, if you are in the market for a new PC because your old computer is
outdated or otherwise failing on you, Vista is your best bet, experts say.
Even if you're considering buying a Mac, said David Litchfield, a noted
security bug hunter.

"If you're looking to buy a new computer, the security features built into
Vista tip the balance in its favor over other options such as Mac OS X,"
Litchfield said. "We've moved beyond the days of lots of bugs and worms.
Recent history shows that Microsoft can get it right, as they did with XP
SP2. With Vista, they will again demonstrate that."

Hacking Vista
Litchfield and other security researchers are impressed with the work
Microsoft has done on Vista, in particular because the operating system has
gone through the company's Security Development Lifecycle, a process
designed to prevent flaws and vet code before it ships. Also, Microsoft
challenged hackers to break Vista before its release.
Key Vista security features

User Account Control: Runs a Vista PC with fewer user privileges, which
dictate how software can interact with the PC. UAC asks for permission to
lift security barriers whenever software requires it.

Protected Mode for IE 7: Prevents silent installation of malicious software
by Web sites by stopping the Web browser from writing data anywhere except
in a temporary folder without first seeking permission. IE 7 is also
available for Windows XP, but the protected mode is not.

Address Space Layout Randomization: Loads key system files in different
memory locations each time the PC starts, making it harder for malicious
code to run.

Windows Defender: Detects and removes spyware. Also available for Windows
XP.

Windows Firewall: Blocks attacks from the Net and includes limited outbound
protection. Also in XP, but improved in Vista.

BitLocker: Encryption for hard drives. Only in Vista Enterprise and Vista
Ultimate.

"To be clear, XP SP2 was a massive leap for Windows security. But XP SP2 was
not the systemic, top-to-bottom, scrub-everything experience that Vista is,"
said Dan Kaminsky, an independent security researcher. "XP SP2 secured the
surface. Vista security goes much deeper. It's a far bigger leap."

Kaminsky was among about two dozen hackers asked by Microsoft to try to hack
Vista. The exercise took about eight months, and Microsoft paid attention to
the feedback, he said. "They did what we asked," Kaminsky said. "The
security community spent years bashing Microsoft, and (Microsoft) deserved
to get bashed. But they listened."

All the praise aside, Vista isn't flawless. In fact, Microsoft has issued
security patches for the operating system even before its final release.

"To think there won't be vulnerabilities and there won't be exploits is
inappropriate," said Michael Cherry, an analyst with Directions on
Microsoft. "At best, we should see the number of them decline and the time
in between them increase."

No software is without flaws, and Microsoft will be the last to deny that.

"While we greatly improved the security of Windows Vista and we believe it
is the best system available, I have always been clear that the system is
neither fool-proof nor unbreakable; no software I have seen from anyone is,"
Allchin wrote on a Microsoft corporate blog last week.

Robert McLaws, a blogger who writes about Microsoft, is gung ho about Vista.
He recommends that everyone buy a copy as soon as possible. "Security is the
No. 1 feature in Vista, and everyone with a computer in the house should go
out and buy it," he said.

Some critics, however, say Microsoft has reserved too many of the security
features for the high-end editions of Vista. The operating system comes in
five different flavors (with a sixth, "Starter" edition designed for
developing markets), but only Windows Vista Ultimate--the most expensive
one--includes the maximum level of protection.

Even more, Vista comes to market in an era where criminals are taking to the
Net and looking for profits by breaking into the PCs of unsuspecting Web
surfers. Vista is their next target.

"I don't want people to expect that their computer is never going to be
compromised because of Vista; that's simply not the case," McLaws said. "The
nature of maliciousness on the Internet is changing rapidly," he said. "It
used to be that nerdy kids were trying to outdo other nerdy kids. Now it is
criminals."