Flawed Survey Suggests XP More Secure Than Vista
SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"
What? I know we get a lot of "RTFA" around here, but read the fucking summary! Shall I condense it down for you further, since I see your time is precious?
/. reports on study #2.
Study #1 finds that Microsoft has made no improvements (XP -> Vista).
Study #2 finds Study #1 to be incorrect and badly done.
In essence, the story accepts that XP isn't as secure as it could be, but Vista improves on this significantly. It's one of the most pro-MS stories I've seen on Slashdot for a little while now. Of course, I'd never touch Vista personally, but that doesn't mean it isn't an improvement over XP in security.
Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers' expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.
I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.
What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...
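The header-versus-extension check the comment above asks for, sketched as an added example (not part of the original thread and not any vendor's implementation). The function names, the small table of known types and the sample byte strings are assumptions made for illustration.

```python
import os

# Leading-byte signatures for executable formats (well-known magic numbers).
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
}

def _is_wav(head: bytes) -> bool:
    # RIFF container: "RIFF" + 4-byte size + "WAVE" form type.
    return len(head) >= 12 and head[:4] == b"RIFF" and head[8:12] == b"WAVE"

# Extension -> validator for the header that extension promises.
# Only the types this sketch knows about; extend for real use.
EXPECTED_HEADER = {
    ".wav": _is_wav,
    ".png": lambda h: h.startswith(b"\x89PNG\r\n\x1a\n"),
    ".gif": lambda h: h[:6] in (b"GIF87a", b"GIF89a"),
}

def classify(filename: str, head: bytes) -> str:
    """Return 'ok', 'mismatch', 'executable-disguised' or 'unknown-type'."""
    ext = os.path.splitext(filename)[1].lower()
    check = EXPECTED_HEADER.get(ext)
    if check is None:
        return "unknown-type"          # no policy for this extension
    if check(head):
        return "ok"                    # header matches the claimed type
    for magic in EXECUTABLE_MAGIC:
        if head.startswith(magic):
            return "executable-disguised"  # media extension, program header
    return "mismatch"                  # wrong header, but not a known executable

def classify_path(path: str) -> str:
    # Read only the first bytes; the file is never opened by its handler.
    with open(path, "rb") as f:
        return classify(path, f.read(16))

# Constructed sample headers (not taken from real files).
SAMPLES = {
    "chime.wav": b"RIFF\x24\x08\x00\x00WAVEfmt ",
    "invoice.wav": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "logo.png": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name}: {classify(name, head)}")
```

A mail gateway or download handler could call `classify_path` before handing a file to its associated program and quarantine anything that is not `ok`.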
Of course the great irony is W98 is more secure than either.
No it's not. I remember in Systems Programming for Windows 95, there was a great quote. They talked about protected mode, descriptor tables and so on. At the end of it, the author said something like
"I bet now you're trying to work out if it's possible to subvert this stuff. Well, it's so easy that there's no point. Windows doesn't protect the descriptor tables from Ring 3 [the least privileged] code so it's easy to create a trap gate or call gate for yourself to get into Ring 0 [the most privileged] where you'll probably crash and burn because you can't handle interrupts correctly. It's a "personal computer" - and you're free to do whatever you want to it, just like you're free to run your car without oil until the engine seizes up."
Which sums up Microsoft's attitude to security right up to the security push for XP that resulted in SP2 being deployed and all those patches getting downloaded unless the user stopped them. On the other hand, people used to collect email over a dialup connection then, if they used the internet at all, and so the "personal computer" rule was kind of true. Before people started sending executables by email, probably the only ones people installed were ones that they got from the admin at work, or very occasionally bought in a shop.
So Win 9x and DOS seemed to be more secure because they weren't under constant attack in the way that a machine connected to DSL most of the time and bombarded with malicious software by email and websites is now. Actually another difference is that DOS and Win95 were mostly configured as client OSs - they aren't listening for (overly) complex protocols over a wider range of ports the way an NT machine does.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;