Flawed Survey Suggests XP More Secure Than Vista
SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"
What? I know we get a lot of "RTFA" around here, but read the fucking summary! Shall I condense it down for you further, since I see your time is precious?
/. reports on study #2.
Study #1 finds that Microsoft has made no improvements (XP -> Vista)
Study #2 finds Study #1 to be incorrect and badly done.
In essence, the story accepts that XP isn't as secure as it could be, but Vista improves on this significantly. It's one of the most pro-MS stories I've seen on slashdot for a little while now. Of course, I'd never touch Vista personally, but that doesn't mean it isn't an improvement over XP in security.
A lot of work was done to support running as normal user. This does not get much attention, but it means that I can (and I do) run as a normal user without administrative credentials (it is much harder to do this in XP). If I have to manage the system, I have to use full administrative credentials (read, su root). It also means that malware that might hit me does not have the permissions needed to modify the system. This is even stronger than the UAC protections on administrative users. My wife and kids run as normal users and do not have administrative access.
A lot of internal work was done to reduce service permissions and internally harden the OS, including the introduction of the integrity level mechanism that is used to support protected mode IE. These changes reduce the scope and impact of local compromises.
Enormous amounts of fuzzing of accessible interfaces and parsers was conducted and many issues were found and fixed.
The security bulletin data since Vista has shipped suggests that there is a reduction on the order of 2X or greater in bulletin class vulnerabilities. Indeed, the numbers suggest that Vista is running fewer issues than either OSX or the major Linux distributions.
The user has a great deal of control about their vulnerabilities based upon how they configure and use their system. Microsoft exposes a very rich and neat set of functionality in Vista. If you are trying to reduce your security vulnerabilities, there are a number of things that you can do (at the expense of neatness and functionality):
Run as a normal user, not admin (which is standard UNIX practice)
Turn off sidebar (less stuff running means less stuff to compromise)
Turn off scripting, ActiveX, multimedia, etc, in your IE Internet zone
Add sites to your trusted zone (where scripting is allowed) only if you trust the site with your credit card info
If you run a desktop suite, run Office 2007 rather than Office 2003. Note that Office 2007 almost certainly has fewer security vulnerabilities than Open Office.
Be very cautious about what software you install.
Taking cues from the other posters, I tried "battling" the same searches they did but adding quotation marks around the phrases. (I did them all in "googlefight" because it required less typing)
"study finding xp more secure than vista" -- 0 results
"study finding vista more secure than xp" -- 0 results
"vista more secure than xp" -- 1820 results (note I changed "then" to "than." It's amazing what differences correct spelling can make)
"xp more secure than vista" -- 2 results
Then I wondered how these results jived with a real google search:
"study finding xp more secure than vista" -- 0 results
"study finding vista more secure than xp" -- 0 results
"vista more secure than xp" -- 1690 results
"xp more secure than vista" -- 2 results
But here's what I really found interesting (I searched again using "than" and "then"):
"vista more secure than xp" -- 1690 results
"vista more secure then xp" -- 3 results
"xp more secure than vista" -- 2 results
"xp more secure then vista" -- 131 results!
NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one.
Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers' expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.
I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.
What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...
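The header-versus-extension check the comment above asks for, sketched as an added example that is not part of the original thread or any Microsoft code: a mail gateway or download filter could compare what a file name claims with what the leading bytes say. The format table, function names and sample byte strings are constructed for illustration.

```python
import os

# What each extension claims the content is (small constructed table).
EXTENSION_CLAIMS = {".exe": "pe", ".dll": "pe", ".wav": "wav",
                    ".png": "png", ".pdf": "pdf"}

def sniff(header: bytes) -> str:
    """Classify content from its first bytes, ignoring the file name."""
    if header[:2] == b"MZ":                       # DOS/Windows executable
        return "pe"
    if header[:4] == b"RIFF" and header[8:12] == b"WAVE":
        return "wav"
    if header[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if header[:5] == b"%PDF-":
        return "pdf"
    return "unknown"

def check(filename: str, header: bytes) -> str:
    """Return 'block', 'mismatch' or 'ok' for a name/content pair."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_CLAIMS.get(ext)
    actual = sniff(header)
    if actual == "pe" and claimed != "pe":
        return "block"      # executable content behind a non-executable name
    if claimed is not None and actual != claimed:
        return "mismatch"   # name and content disagree; quarantine for review
    return "ok"

def audit(samples):
    """Map each (filename, header) sample to its verdict."""
    return {name: check(name, header) for name, header in samples}

# Constructed sample inputs: only the leading bytes of each file.
SAMPLES = [
    ("song.wav",   b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"),
    ("chime.wav",  b"RIFF\x24\x00\x00\x00WAVEfmt "),
    ("setup.exe",  b"MZ\x90\x00\x03\x00\x00\x00"),
    ("report.pdf", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("notes.txt",  b"plain text, no known magic"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{verdict:8} {name}")
```

A real filter would read the header from the file or attachment stream and cover far more formats; the decision logic stays the same.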
Of course the great irony is W98 is more secure than either.
No it's not. I remember in Systems Programming for Windows 95, there was a great quote. They talked about protected mode, descriptor tables and so on. At the end of it, the author said something like
"I bet now you're trying to work out if it's possible to subvert this stuff. Well, it's so easy that there's no point. Windows doesn't protect the descriptor tables from Ring 3 [the least privileged] code so it's easy to create a trap gate or call gate for yourself to get into Ring 0 [the most privileged] where you'll probably crash and burn because you can't handle interrupts correctly. It's a "personal computer" - and you're free to do whatever you want to it, just like you're free to run your car without oil until the engine seizes up"
Which sums up Microsoft's attitude to security right up to the security push for XP that resulted in SP2 being deployed and all those patches getting downloaded unless the user stopped them. On the other hand people used to collect email over a dialup connection then if they used the internet at all and so the "personal computer" rule was kind of true. Before people started sending executables by email, probably the only ones people installed were ones that they got from the admin at work, or very occasionally bought in a shop.
So Win 9x and Dos seemed to be more secure because they weren't under constant attack in the way that a machine connected to DSL most of the time and bombarded with malicious software by email and websites is now. Actually another difference is that Dos and Win95 were mostly configured as client OSs - they aren't listening for (overly) complex protocols over a wider range of ports the way an NT machine does.