Flawed Survey Suggests XP More Secure Than Vista

SkeeLo writes "One of Vista's big selling points is security, but a report from CRN concludes that Vista offers little in the way of security advancements over Windows XP. Ars Technica analyzed the report and found some methodological problems. 'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software — something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.' That's not all: 'It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own "SQL Slammer." Why CRN didn't address this is a mystery, as it is no minor matter.'"

Or ... people are still writing virii for WinXP

[WillAffleckUW]

Since most consumers aren't buying WinVista if they can avoid it.

But, if that were true, chip sales by Intel and AMD would be down ... oh, wait, they are.

Re:Or ... people are still writing virii for WinXP

[Stormx2]

I don't mean to nitpick, but have a glance over the Wikipedia page on plural of virus. A good discussion on the matter.

Re:Or ... people are still writing virii for WinXP

[QuantumG]

The virus scene is dead. No-one is writing viruses.

There are people who write worms and bot-net building trojans, but they have nothing to do with the virus scene.

Re:Or ... people are still writing virii for WinXP

[WillAffleckUW]

Sorry, it doesn't work on my Mac mini ...

Now where did I put that sarcasm key ...

Re:Or ... people are still writing virii for WinXP

[WillAffleckUW]

Well, here in Seattle, they're pushing spam and bulldog puppy adoption rings, actually.

Virii and trojans are so last century.

Re:Or ... people are still writing virii for WinXP

[RobertM1968]

Most consumers dont know the technical merits or technical disadvantages to choose between the two and probably dont care. If you had said "most informed and educated IT Professionals" then maybe your statement would have been correct - I emphasize maybe, because though I think it would be the decision *I* would make, I have yet to see enough (accurate) statistics to confirm or agree with even such a statement as that.

Re:Or ... people are still writing virii for WinXP

[WillAffleckUW]

Except, we're on slashdot, therefore I can presume that we are normally referring to such individuals.

Personally, until I see an actual list of the questions, their sequence, the methodology, and the counts (with regional breakdowns, time of day, self-selection criteria versus random phone calls, how they handled people with unlisted cell numbers), any statistical study is meaningless.

Re:Or ... people are still writing virii for WinXP

[westlake]

Since most consumers aren't buying WinVista if they can avoid it.
But, if that were true, chip sales by Intel and AMD would be down ... oh, wait, they are

Gas prices are up, home sales down, the economic outlook is uncertain. U.S. Economic Growth Weakest in Over 4 Years So all discretionary spending is down.

But the Geek is just whistling in the dark when he claims that those that will be entering the market for a new PC won't be looking at Vista.

What draws these customers isn't the warmed-over XP box.

It's the tech they couldn't afford or which didn't exist the last time went shopping. The affordable big screen-wide screen LCD. HD media play. DX-10 at mid-line prices. The hybrid SATA hard drive. Etc. Etc.

Re:Or ... people are still writing virii for WinXP

[RobertM1968]

Except, we're on slashdot, therefore I can presume that we are normally referring to such individuals.

You can presume that, but that is not what you clearly stated:

Since most consumers aren't buying WinVista if they can avoid it.

"Since most of us aren't..." would have allowed you to claim a presumption about /. users that may have been more accurate (which is still debatable as there are people here who seem to love Vista, and there has never been a poll to determine how many here will wait and how many here will not).

Nonetheless, a contradictory presumption of your own clearly worded statement is ridiculous. Most consumers are not /. readers. All /. readers combined equal a small percentage of "most consumers". Thus /. readers are irrelevant to your statement because of how you worded.

You wrote it, not me.

Regardless, on your last statement:

Personally, until I see an actual list of the questions, their sequence, the methodology, and the counts (with regional breakdowns, time of day, self-selection criteria versus random phone calls, how they handled people with unlisted cell numbers), any statistical study is meaningless.

I agree - but then that begs the question of how you determined "Since most consumers aren't buying WinVista if they can avoid it." regardless of how you try to (re)define "most consumers".

The last paragraph of your last post would seem to indicate that you think there is yet no basis to determine how many consumers (/. or otherwise) arent buying Vista... yet you came to a conclusion about a (apparently ever changing in your mind) group of people related to just the claim you say there is no valid or provable information for. You are thus claiming (no matter how you re-qualify your original post) your own statement is meaningless, since any study related to your claim is meaningless (by your own admission).

I am really losing track of what you are trying to say as you keep swicthing donkeys mid-stride.

• most consumers - no, slashdot users (which we can presume accounts for most consumers "Except, we're on slashdot, therefore I can presume that we are normally referring to such individuals."
• "Since most consumers aren't buying WinVista if they can avoid it." - no, wait "Personally, until I see... blah, blah blah ...any statistical study is meaningless." - oh, wait; "I guess that means my ever changing initial premise is just as meaningless"

It seems you are just attempting to incite a flame war here.

Ah well, it is /. - this seems to be the place for it. ;-)

Re:Or ... people are still writing virii for WinXP

[WillAffleckUW]

or ... you think acting like a lawyer wins you benes when it just gathers mala notes. ;-)

Re:Or ... people are still writing virii for WinXP

[WillAffleckUW]

And the chance to install Ubunto on top of Windows Vista!

Let's see

[anss123]

Study finding Vista more secure then XP = X hits.

Study finding XP more secure than Vista = Y hits.

if (x > y)
  post Vista more secure than XP
else
  post Vista less secure than XP

Re:Let's see

[dgatwood]

XP more secure than Vista, apparently.

Google fight

Re:Let's see

[creativeHavoc]

I corrected the grammar in your first "keyword" jumble and battled it out

Google Battle

Study finding Vista more secure than XP 408,000
Study finding XP more secure than Vista 406,000
Total Pages Searched: 814,000

Re:Let's see

[wile_e_wonka]

Taking cues from the other posters, I tried "battling" the same searches they did but adding quotation marks around the phrases. (I did them all in "googlefight" because it required less typing)

"study finding xp more secure than vista" -- 0 results
"study finding vista more secure than xp" -- 0 results

"vista more secure than xp" -- 1820 results (note I changed "then" to "than." It's amazing what differences correct spelling can make)
"xp more secure than vista" -- 2 results

Then I wondered how these results jived with a real google search:

"study finding xp more secure than vista" -- 0 results
"study finding vista more secure than xp" -- 0 results

"vista more secure than xp" -- 1690 results
"xp more secure than vista" -- 2 results

But here's what I really found interesting (I searched again using "than" and "then":

"vista more secure than xp" -- 1690 results
"vista more secure then xp" -- 3 results

"xp more secure than vista" -- 2 results
"xp more secure then vista" -- 131 results!

Re:Let's see

[Penguin+Programmer]

"xp more secure than vista" -- 2 results
"xp more secure then vista" -- 131 results!

The only reasonable conclusion, then, is that only idiots post that XP is more secure than Vista.

Re:Let's see

[dvice_null]

"linux more secure than windows" 9210 results

I think we have a winner.

Re:Let's see

[bytesex]

Oh no you're wrong.

Re:Let's see

[ronocdh]

If you remove the typo from your query, then the results are perfectly matched: 1,140,000 hits both for "XP less secure than Vista" and "Vista less secure than XP."

Anti-Virus

[biocute]

That's life for being MS.

If MS put in a AV software, other AV companies will file for anti-competition lawsuits; If MS didn't, consumers will moan about it too.

Re:Anti-Virus

[flukus]

Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

Re:Anti-Virus

[rizzo420]

they put in their anti-spyware program. i'm wondering if the anti-spyware companies that charge for their products will bitch and moan, even though the best anti-spyware programs are all free (even if they don't do real-time protection).

i still put most of the blame on the user who clicks every popup even if it says "don't click this, your computer will be immediate infected with viruses". i haven't had a virus or spyware infection when running XP, 2000, 98, and for the past several months since i installed vista. i did get a virus in win95, but that was before anti-virus really picked up speed, and it came from an infected floppy that got infected in a computer lab at my college.

Re:Anti-Virus

[Rodness]

When your product REQUIRES antivirus software, your product is not secure by itself.

Of course, if they had engineered in things like privilege separation and all the other "security" features of Unix (any of 'em, take your pick, Mac, Linux, what have you) then they'd enjoy all the "intrinsic" lack of NEED for antivirus that Unix systems enjoy.

Had they actually spent the last 7 years improving the underlying privilege model instead of just building and dropping vampireware like WinFS that never saw the light of day, then maybe claims of Vista being more secure might have some merit.

But I still have to agree that XP is more secure, if only by virtue of having 7 years of battle testing, as opposed to being a great big 800lb unknown that just walked into the room. Security is a PROCESS, not a PRODUCT.

Re:Anti-Virus

[maxume]

Isn't more accurate to say that it is there, but turned off by default?

Re:Anti-Virus

[Vombatus]

Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

No. No! No!!

It is a Genuine advantage

Re:Anti-Virus

[rtb61]

Have you not read the M$ (P)OS warranty/EULA, they wont gaurantee that the OS is even virus free, so the very first thing an anti-virus embedded version of windows would have to do is un-install itself ;). M$ are also silly enough to have the same clause in their anti-virus offering :/.

Re:Anti-Virus

[Tony+Hoyle]

Nobody's bitching - their anti spyware app sucks, hard. I've had to sort out three trojanned vista boxes now (don't know anyone else running it) - all running 'microsoft anti spyware' which declared there was no spyware on the machine, even as porn popups appeared on the desktop..

Re:Anti-Virus

[baadger]

Windows XP may have had 6 years of testing and pawing over by people with various shades of monochrome hats but there is still an appreciable stream of security related bug fixes coming out of Redmond on the 2nd Tuesday of every month.

You're right that security isn't a product, it's a process, but over the last 6 years we would hope MS would have learnt enough about the issues they faced with XP to incorporate solutions into Vista.. What you have to remember is a product can be the end of a very long process, and thats certainly true of Vista.

So if I had to put my money on something, it'd be on the 800lb gorilla.

Re:Anti-Virus

[drsmithy]

Because it's an unfair advantage to make an insecure OS and then charge "protection" money!

Susceptibility to viruses (or lack thereof) has next to nothing to do with OS security.

Re:Anti-Virus

[drsmithy]

When your product REQUIRES antivirus software, your product is not secure by itself.

Windows doesn't. *USERS* do.

Of course, if they had engineered in things like privilege separation and all the other "security" features of Unix (any of 'em, take your pick, Mac, Linux, what have you) then they'd enjoy all the "intrinsic" lack of NEED for antivirus that Unix systems enjoy.

Please tell me which "security features" of traditional UNIX will stop a rootkit being installed if a virus runs with root privileges.

Had they actually spent the last 7 years improving the underlying privilege model [...]

The "underlying privilege model" of NT is vastly superior to that of traditional UNIX.

Re:Anti-Virus

[mattpalmer1086]

Only because we have inherited OS security designs that run all processes with the full rights of the logged in user. From simpler, more trusting days.

There are many things OS security could do to massively reduce susceptibility to viruses, if we could start fresh, anyway.

Re:Anti-Virus

[plague3106]

When your product REQUIRES antivirus software, your product is not secure by itself.

Really? So even the user that runs an executable from an untrusted source which is designed to damage that all files, but can't harm the OS itself is not something worth protecting against? What about that users files? I am sure those have importance, at least to the user, but possibly to an entire department if we're talking about a business setting.

Re:Anti-Virus

[plague3106]

Windows doesn't. *USERS* do.

Thanks for that, it sums everything up nicely.

We have a web master here, used to Linux. But because we are a windows shop, we moved to a Windows hosted server. She also has a personal server which another employee needed access, so that she chould copy files to said server.

Frustrated by Windows permissions (she says they are too complex..), she was about to set the entire C: security permissions to give Everyone FULL CONTROL. I've offered to explain to her file security, but she "never has time."

I can only wonder how many windows boxes are exploited when someone like her is working..

Re:Anti-Virus

[Master+of+Transhuman]

Bill has investments in those porn companies, you see...

Remember the Claria thing - where Microsoft was going to buy them - and suddenly their spyware was downgraded from remove to ignore - or whatever it was?

Microsoft swore up and down that it wasn't true - but it was just too freakin' obvious.

AV is not a lock

[normuser]

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

By the time your AV software comes into play your already infected. So AV software is not the lock on your door. Its the rifle in your house.
Still important, But vary different.

Urg

[hyfe]

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.

Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.

Re:Urg

[bigstrat2003]

So we shouldn't have security guards necessary to keep thieves out of buildings?

Re:Urg

[elysiuan]

Keyword in the grandparent post is userland. He's not saying that there should be no security, he's saying that the premise of an application keeping other applications out of the operating system is flawed and should be a feature of the operating system itself.

Re:Urg

[king-manic]

Or rather.. it's a bit like faulting the construction company when the wall in your house fell over because somebody knocked on the door.

Anywho, anti-virus and personal firewalls are ridicilous concepts. You shouldn't have userland applications necessary for keeping other userland applications out of the actual operating system.


Even if Vista was as secure as OS X or a tinfoil hat version of linux you'd still have to contend with insecure applications and stupid users. Apple's install base tends to have more of a clue then Windows users and Linux boys can at the very least ID when their infected or comprimised. Thus there is a natural market for AV on Windows irregardless of how secure it is and there is regulatory concerns about MS inserting an anti-virus program.

Re:Urg

[bigstrat2003]

I'd tend to argue that a security guard (my analogy) is in userland, because they (as a human being) have the same capabilities as any other human being who wishes to break into a building. My point is that people keeping their peers out of places exists, and is accepted, in the real world, so why is it a problem in OS design?

Re:Urg

[QuantumG]

So long as users can create "executables" then viruses will exist. Of course, the problem in Windows is that just about everything is executable. Was a time when if it didn't have .exe on the end then it wasn't an executable.. now you have scripts (which for some inexplicable reason can write to my harddrive) and brain dead things like Microsoft running an exe if you rename it to be a png (did they ever fix that?) and Microsoft hiding the extensions of files so you have no idea whether or not they are executable.

And yes, there are buffer overflows.. which makes just about any "data" possibly "code".

Re:Urg

[Foofoobar]

exactly. These were never necessary before the 'leave everything open' operating system mentallity that microsoft bread. Then taking over all other spaces and having all their applications talk to each other and trust each other without any question was an even bigger mistake. Hence, if it was built by Microsoft and runs on Microsofts and uses Microsoft, then it must be safe... let it through. WRONG!!!

They are JUST NOW realizing that both a) leaving your system wide open is a bad idea and b)having all applications that you build trust each other by default is also a bad idea. A mono-theistic environment is bad from everyone... thats why we need more athiests.

Re:Urg

[MrCrassic]

Apple's install base tends to have more of a clue then Windows users and Linux boys can at the very least ID when their infected or comprimised.

What?

If you are talking about the population that uses Apple Mac products, then I think you are HIGHLY misinformed. The main reason why many of them made the switch is PRECISELY BECAUSE of their inadequate knowledge on how to protect their Windows PC from viruses, spyware, etc. Many experienced power users who run Windows (XP, at least) software have NO protection and can still have great security provided strictly by the OS. Are all of those configured BY DEFAULT? Of course not, which is a major reason for the "need" of AV/spyware products.

And Linux users? Apple users know more than MOST Linux users who are usually MORE proficient in terms of security configurations and the like?

I can almost bet that if a major virus, trojan, or hard-hitting malware were to infect OS X-based operating systems, and if it were as conspicuous as their Windows counterparts, then I assure you that the "base" knowledge (or lack thereof) would manifest itself.

Re:Urg

[Babbster]

Was a time when if it didn't have .exe on the end then it wasn't an executable..

Was that in the long-ago days before the ".com" extension or the ".bat" file...unless you're referring to some halcyon period before MS-DOS?

Re:Urg

[pe1chl]

The problem is easily fixed by:
- having users use a least-privileged account that cannot write into C:\WINDOWS and C:\Program Files
- installing a service like TrustNoExe that disallows running programs that are not stored in those directories

Users can download whatever they want, they just cannot run it, install it, etc. They will have to log in as an Administrator first (or at least provide the password).
In a company environment this works very well. At home it probable does less, because the user and the administrator are the same guy, and so there is less "second evaluation" of the software before installation.

Re:Urg

[jez9999]

Linux boys can at the very least ID when their infected or comprimised.

How, exactly? The key to a well-designed trojan is that the user can't easily tell it's there.

Re:Urg

[Tony+Hoyle]

Following on your analogy, userland firewalls are like posting a separate security guard in each of the rooms of the building, and leaving the main entrance unlocked. The apparent effect in security in the same but walking between separate rooms has just become a major hassle.

Re:Urg

[Tony+Hoyle]

Great - until the apps won't run, which in my experience is most of them. Oh and a least privileged account should *only* be able to write into their own home directory. Listing what they can't do is backwards - assume deny by default and allow a limited set of actions.

MS could have sorted the mess out by locking down vista by default, instead they bottled it and introduced all sorts of shadow directories so the apps still think they have write access to program files and the system registry... and they allowed any app to request administrator rights instead of leaving that to be specifically enabled by the administrator.. so you have all sorts of programs declaring they are 'vista compatible' when all they've done is added a manifest to their old broken code.

Re:Urg

[pe1chl]

Great - until the apps won't run, which in my experience is most of them.

Either you are babbling away or you buy only trash. In my experience, the vast majority of applications today work fine in this environment. Only some crap that was ported over from DOS all the way along Windows 3.11, 95 and then into the NT line, and whose developers never read any guidelines, can be problematic.
You know, the garage-shop software that still stores settings in .ini files, has the "database" in a subdirectory inside C:\Program Files\Appname, etc etc.

When you bought it, let the developer know what you think of them and move your business elsewhere. When that is really not possible you can normally get around it (on Professional, not Home versions) by setting some extra ACLs in the directories. Of course this compromises security.

Oh and a least privileged account should *only* be able to write into their own home directory. Listing what they can't do is backwards

Which is how it works. Apparently you never studied the matter but you still like to comment negatively. Please try it instead of assuming "it is from Microsoft so it has to be bad". You may be surprised about what you can do with ACLs in Windows, it is vastly superior to the file access control in a default Unix/Linux installation.

Re:Urg

[QuantumG]

And when you say "log in as Administrator" you mean switch to another terminal and do it right? You don't mean, "enter the admin password into a box that anyone can fake the style of". Oh, and administrators shouldn't be able to run anything that has been installed right? Cause as soon as you run a program that has been installed as administrator then it's game over. None of this is "easily fixed". That's the problem.

Re:Urg

[Ravnen]

And when you say "log in as Administrator" you mean switch to another terminal and do it right?

I doubt that's what he means, but it isn't entirely different. Windows users don't typically use terminals, and security is managed through 'desktops' and the secure attention sequence (SAS), Ctrl+Alt+Del. There are two ways to use this:

1. Type Ctrl+Alt+Del, which switches to the secure desktop, and then choose 'switch user'. This will switch to the logon desktop, and from there you can log onto a new session as an administrator.

2. Enable the policy requiring the SAS before entering credentials. With this, you can avoid using a different session, but any time the system wants credentials, it will ask you to enter the SAS. This will switch to the secure desktop, where the credentials can be entered. If someone spoofs the UI asking for the SAS, when you actually type it you won't be prompted for credentials, but instead will be presented with the default secure desktop.

Re:Urg

[pe1chl]

My personal experience is only with Windows in a domain. There is no "switch user" in that environment. You need to log off, log on as an administrator, and perform the installs.
The way we have configured things, the workstation administrator has no access to Internet. This increases security because you cannot pickup a trojan because of surfing the Internet in administrator mode.
After installing something you need to logon as a normal user to do any useful work.

Of course you can use "run as..." to install something but this does not always work correctly in 2000/XP (sometimes programs are not installed for all users when it is done this way)

Re:Urg

[Ravnen]

That was true on XP. On Vista, switching sessions is allowed by default on domain machines, which is one of the many reasons I'm glad to have upgraded from XP to Vista. I think there's a policy to turn this off, however, since there are obvious security implications.

is this /.?

[defwu]

Seriously. A pro-MS article? whats next, mr spock with a goatee? Doc

Re:is this /.?

[MrSpock]

Me? Goatee? Highly illogical...

Re:is this /.?

[maxume]

Care. That comment is the kind of thing that can make the universe fold in on itself. The folds are uncomfortable.

Re:is this /.?

[45mm]

I first read that as "goatse".

Pretty crappy door IMO

[Ren.Tamek]

"Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted."

I'm sorry, but if I bought a security door that claimed it would keep out 99% of criminals, I would be a bit pissed off if I got it home and realised that an actual lock for that door was considered an 'optional extra'. The idea of browsing the internet with IE, no anti-virus and the windows firewall for any length of time, even no longer than it takes to download zonealarm and avg, gives me the heebie-jeebies.

Re:Pretty crappy door IMO

[mschuyler]

MS is damned if they do and damned if they don't. If MS put AV in Vista there would be loud cries of "unfair competition, you're taking away our niche!" and we'd be on another round of anti-MS propaganda. If they don't, the cries are "unfair! I wanted to buy a door with a lock and now anyone can get in."

Re:Pretty crappy door IMO

[Ren.Tamek]

Actually, the solution is simple: don't advertise your system as secure out of the box when it isn't. Either make it secure or don't, don't say one thing then do another.

Re:Pretty crappy door IMO

[VertigoAce]

Find me anything from Microsoft that claims Vista (or any other product) is secure. It turns out that making the claim that any piece of software is secure will result in a lawsuit as soon as somebody discovers a single vulnerability. This is why you see phrases like "safer", "more secure", and "helps provide security". These phrases emphasize the degree of security, not some binary concept (if you insist on a binary concept, you may as well assume that no non-trivial software is secure).

Re:Pretty crappy door IMO

[gardyloo]

If MS put AV in Vista there would be loud cries of "unfair competition, you're taking away our niche!" and we'd be on another round of anti-MS propaganda. I've always thought there's a huge disconnect between the way most computer users think, and the way people think who'd bitch about that "unfair competition". The operative word in the quoted statement above is "our". Those people constituting the "our" group are much, much less important than the regular computer users.
      I, being one of those "most computer users", think that however Windows is secured is just fine by me, as long as it doesn't limit _too_ much of the functionality. I don't give a damn if they do it by making a fundamentally more secure OS, or if they include some shizznit AV which puts Panda or (shudder) Norton out of business. I just want my data to be secure and my OS un-bogged-down by nasties.
      I *do* find the concepts of viruses, computer security, and things like heuristic scanning to be tremendously interesting, along with the success of such "free" AV programs as Avast! and AVG, but that interest pales a bit when compared to the interest I'd have in a secure Windows.

        Anyway, *I* won't bash MS for somehow supplying some sort of secure OS, even if lots of people lose AV jobs because of it. As it is, we're paying a sort of tax in the form of AV software to keep these people working anyway.

        Of course, I know it'll be many, many moons (if ever) that MS comes out with a relatively "secure" system, so the point is somewhat moot.

Re:Pretty crappy door IMO

[JoeCommodore]

The problem is Windows still NEEDS to have something that stops viruses. In XP it is a required 3rd party addition; without it the OS is toast in operating as it was intended (to go into a network or on the Internet.)

Microsoft should not have to "include an AV program" or "provide one by default" they should eliminate the need for any such thing entirely.

Of course, I am well aware (as is surely those at MS) that it would break too much compatibility of all those many, many legacy apps that keep the customers dependent on the Windows platform. Break too many and the customer will realize they are starting from scratch anyway and really start some serious comparison shopping.

Re:Pretty crappy door IMO

[nbucking]

First off like an earlier comment said, an AV is not a lock or door, but it is rather like birth control. It is an intrusion detection service (IDS). The proper term is Host based IDS and most anti-virus systems are application based. And, IDS is an optional component for the reason that application based IDS used to be (and still is for the most part) considered a draw on the processor. Now as for microsoft not installing it is because they want to profit from it as they do Microsoft office (not installed automatically). Microsoft expects that their firewall (the actual lock!) should protect you just long enough to give you time to get an IDS of some sort.
Think of it this way, if you buy a house you have a lock right? Yes, but does it have an alarm? NO. In effect, those who make this Application based IDS systems call them Alarms like Zone Alarm for example. As the name applies it is an Alarm. If your IDS is able to delete or quarintine it is like having a bull dog. Some viruses can actually bypass IDS by making themselves look different. Microsoft could use this fact to claim AV is not a viable protection tool. Or they could just say they simply do not have the resources to keep up with current virus definitions. The study probably used a IDS to detect which OS did the best for blocking viruses. IDS is for detection and destruction, not protection. Think of it as birth control. You can use it without a firewall(condom), but one of those little viruses (sperm) may just make it to your directory(egg). =)
Finally,The writer of the article is most likely trying to find an excuse to bash this report for personal(revenge, fanboy,etc.), he works for microsoft, or his company is in bed with microsoft.

Re:Pretty crappy door IMO

[drsmithy]

Of course, I am well aware (as is surely those at MS) that it would break too much compatibility of all those many, many legacy apps that keep the customers dependent on the Windows platform. Break too many and the customer will realize they are starting from scratch anyway and really start some serious comparison shopping.

It's got nothing to do with backwards compatibility and everything to do with the impossibility of what you are proposing (assuming you want to stay within the broad constraint of an unamanged, general-purpose operating system).

Re:Pretty crappy door IMO

[Ravnen]

The problem is Windows still NEEDS to have something that stops viruses.

No it doesn't. I ran XP for years, and never needed AV software. I sometimes ran it, as an added precaution, but it never actually had to do anything.

Microsoft should not have to "include an AV program" or "provide one by default" they should eliminate the need for any such thing entirely.

The major way of infecting PCs is through tricking naive users into running malicious programs. Intercepting this sort of thing, to protect the users from themselves, is what AV software mostly does. In other words, AV software isn't primarily a way of managing flaws in the OS, it's a way of managing mistakes by the user.

Re:Pretty crappy door IMO

[JoeCommodore]

The major way of infecting PCs is through tricking naive users into running malicious programs. Intercepting this sort of thing, to protect the users from themselves, is what AV software mostly does.

All that does is get the user to run a program, in Windows that IS enough to infect the whole computer. In Mac OS or Linux, it is enough only to mess withe the users file space (assuming the mail program is set to readily allow allow user to click and run executable attachments) but not the computer as a whole.

Re:Pretty crappy door IMO

[Ravnen]

Most Windows users run as an administrator, yes, that's bad. Not all of us do, however. I ran as an ordinary user under XP, for example, and continue to do on Vista.

In any case, the issue of running as an administrator is only critical on multi-user machines. Remember, the valuable information is in the user's personal files, not the system files. Since the overwhelming majority of PCs are single-user machines, running as an administrator or not doesn't really matter. On a multi-user machine it does matter, because malware run by an administrator can access the files of the other users too.

If you run a malware application with your user credentials, it has full access to your files. Do you really care whether or not it has access to the OS files too? It doesn't need administrator or superuser privileges to read/modify/delete all your files, to send all of your files to a remote location to be scanned for bank details and such, or to act as a zombie for DDOS and other attacks. In short, anyone who thinks running as an ordinary user protects them from malware is living in blissful ignorance.

The Flaw is the Survey.

[twitter]

Comparing XP to Vista security is kind of like having a SUV milage competition, except SUV's are sometimes useful and that utility is destroyed by poor fuel economy.

Re:AV is not a lock

[DaveWick79]

Right now linux is more like an empty house. No one bothers to break into the house because they know there's not enough in it for them to do so.

Windows is more like the house with a simple lock on the door. Plenty of other ways to get in, but it's up to the homeowner to implement the security.

Isn't greater security a selling point of Vista?

[nucklebone]

I don't understand. What's wrong with the CRN article. So they didn't mention, Vista doesn't come with AV software. Big deal. Wasn't security one of Vistas selling points? Regardless, Vista without AV software and XP without AV software,... I'm failing to see why the CRN article is wrong.

Re:Anything to slam MS

[monopole]

But of course XP is also an MS product.

Missed?

[schlichte]

Maybe I missed it when I RTFA, but it didnt mention which version of XP was used... a look at HPs site shows that the HP Compaq nc6400 did ship with XP Pro (whether that matters much compared to home edition or not)

Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

I do agree with the title, flawed survey indeed.

I dont blame Vista or XP so much as I blame IE version X.XX

Id like to see the exact same suite of tests ran against the latest version of Opera, Netscape and Firefox.

Re:Missed?

[dabraun]

Also... were these systems ran all the way default, as in, boots up as Administrator with no password? (again, not sure how much that matters in a test like this)

By default the Administrator account in Vista is disabled and you can not log in as Administrator. You need to go to mmc to change this, it isn't visible in the normal "users" control panel applet (and you shouldn't change this, if for no other reason than because MS did not spend a significant amount time testing Vista running as Admin and there are discrepancies since Admin is a magic account and the only interactive account with no UAC.)

Re:Missed?

[Tony+Hoyle]

News to me.. I've logged into administrator hundreds of times on vista and never changed anything.

Oh and administrator does have UAC. I only wish it didn't.. it's a royal pain in the ass trying to get anything done until I've created a privileged cmd.exe shortcut (itself a pain in the ass as they've blocked the name cmd.exe from elevating, you have to create a renamed copy).

Re:Missed?

[Zarel]

News to me.. I've logged into administrator hundreds of times on vista and never changed anything. He was talking about the true Administrator account, not any account with administrator privileges. The true Administrator account is hidden quite well on Vista; I believe you have to jump through a ton of hoops (including getting rid of every other Administrator account, IIRC) to access it.

Oh and administrator does have UAC. I only wish it didn't.. it's a royal pain in the ass trying to get anything done until I've created a privileged cmd.exe shortcut (itself a pain in the ass as they've blocked the name cmd.exe from elevating, you have to create a renamed copy). Wouldn't it be a lot easier to just disable UAC?

Security == knowledge and other stuff

[kosmosik]

Of course from practical point of view XP right now is more secure. And I don't mean default install. For example take my company and few facts:
- we managed to make the machines behave as we will
- we have invested money into third party security software
- we have invested time (which equals money) into free (as in speech) third party security software
- we have some knowledge and experience into XP security -- after these - what like 7? - years who doesn't?!

Right now we have quite healthly and working infrastructure based on XP and surrounding (like VPNs, IDSs, AVs, proxies, backup, imagining etc.) services. We know how to do it, we have experience.

Now Vista from my standpoint is just big black hole - another system from MS that does not offer me anything significant but opens a can of unknown worms... I don't see any serious businesses building their security infrastructure around brand new shining Vista systems.

Of course in *theory* Vista can be more secure, but from practical standpoint it is new and untested product that has ben rushed to the market.

It really depends on your security definition. Security is not a product - security is a proces in which you have knowledge about what you are doing. In which you have educated users. In which you have policies and audits and so on. Vista isn't anywhere near to be even a stable product from security standpoint.

Re:Security == knowledge and other stuff

[ekhben]

(like VPNs, IDSs, AVs, proxies, backup, imagining etc.)

I like to imagine that my XP install isn't riddled with viruses, too.

Re:Security == knowledge and other stuff

[kosmosik]

Imagining like distributing configured system images to workstations.

No funny points for you. :P

Re:Security == knowledge and other stuff

[ekhben]

I think the word you seek is "imaging."

Re:Security == knowledge and other stuff

[kosmosik]

Sorry I am not a native English speaker. :)

Re:Security == knowledge and other stuff

[ekhben]

No problem, as long as I can have my funny points back! :)

Re:Security == knowledge and other stuff

[trifish]

another system from MS that does not offer me anything significant

You should find some time to read about the rather significant changes to the kernel and user land in Vista. Things like code layout randomization in Vista completely and inherently prevent exploits that are a breeze on XP. Seriously, read something about the changes in Vista vs XP (let alone Win 2000, which is obsolete and insecure crap by now).

Re:AV is not a lock

[Short+Circuit]

Right now linux is more like an empty house. No one bothers to break into the house because they know there's not enough in it for them to do so. Corporate, government and financial databases aren't enough of an incentive? There's millions of dollars worth of information tied up there for anyone who figures out how to get at it.

What about home routers? If you can hack into few million broadband routers, you've got yourself a major botnet with little to no antivirus. Not to mention you're past the primary protection of the average home network. From there, you could spam networked printers with ad printouts and read the contents of any netork shares. Not to mention sniffing and redirecting network traffic...

flaw-reporting report flawed?

[Tom]

Don't look that flawed to me.

XP: No AV included
Vista: No AV included

Report says: "Vista no improvement over XP"

Report is pretty much correct.

Re:AV is not a lock

[Compholio]

Corporate, government and financial databases aren't enough of an incentive? There's millions of dollars worth of information tied up there for anyone who figures out how to get at it.

You forgot all of Google and most of the major domain registrars. Think of Google's entire world-wide cluster as a botnet - now that IS scary.

Re:AV is not a lock

[amitabh_bachhan]

that was not the point. Corporate, government and financial databases are probably going to be better secured than the multitude of everyday users' computers that have XP/Vista on them.

XP vs. Vista is so ... (yawn) ... zzzzz zz z zz

[icepick72]

I'm getting tired of the XP vs. Vista vs. XP vs. Vista vs. ... articles posted here all the time. Microsoft will eventually drop support for XP and will continue to support Vista. Microsoft will continue to focus on Vista. If Vista is now less secure than XP Microsoft will eventually it stronger ... that is until the next Windows OS is released. Dammit we had to listen to XP versus everything-else-before-it. Tiresome, damn tiresome. No worthwhile discussion came from it last decade but you never know ....

Re:XP vs. Vista is so ... (yawn) ... zzzzz zz z zz

[totally_mad]

It is a moot point to say that "Microsoft will eventually drop support for XP". The reality is that we are transitioning between two operating systems presently and so there is a need to make a choice between XP and Vista. So, the question remains, for a "typical" user (whoever that may be), is it safer and better to stick to XP for now, or should they already move on to Vista? Given that Microsoft *will* release a new OS in the future, this debate will be repeated with Vista vs. . Boring or not, it is a useful debate for lot of people.

Re:XP vs. Vista is so ... (yawn) ... zzzzz zz z zz

[texaport]

All you have to know about the difference between XP and Vista is that the business model for the latter will include a subscription-based version eventually. Microsoft has executives and marketing people who go to meetings where over-and-over again they ask, "How else can we provide less product for more money?"

It's not like they are wholesalers who buy 100 units of something for fifty bucks and then turn around and sell 100 units of something for eighty dollars at retail. Perhaps they will someday begin asking, "How can we provide more product for less money" and it will actually be to the benefit of both customers and shareholders (ie., those dozen people who own more than half the stock)

Re:XP vs. Vista is so ... (yawn) ... zzzzz zz z zz

[Superpants]

I'm getting tired of comments of people getting tired of articles. But anyway, there was no XP last decade and any arguments pertaining to different versions of microsoft operating systems do have value, perhaps not to you, but others I'm sure. A layman or an undecided consumer can usually be swayed by such articles and that is the reason why it usually gets posted here, because not everyone here knows everything about all that is pertinent to operating a computer.

Re:XP vs. Vista is so ... (yawn) ... zzzzz zz z zz

[Ravnen]

The reason for moving to a subscription model for Windows wouldn't be to 'provide more product for less money', it would be to allow product pricing and distribution to more closely follow costs and development.

From a technological perspective, Microsoft could easily have offered incremental updates to XP over the years, leading eventually to what Vista is now. Individual features could have been developed and released as completed, rather than grouped together into one massive release.

From a marketing perspective, it might make more sense to stick with the 'big release' model, but from a technological perspective it would make much more sense to move to an incremental model. This naturally implies a change in the pricing structure, from a periodic fee for each major upgrade to an ongoing subscription fee. I'd much prefer the latter model myself.

Re:Anything to slam MS

[Stormx2]

What? I know we get a lot of "RTFA" around here, but read the fucking summary! Shall I condense it down for you further, since I see your time is precious?

Study #1 finds that Microsoft has made no improvements (XP -> Vista)
Study #2 finds Study #1 to be incorrect and badly done. /. reports on study #2.

In essence, the story accepts that XP isn't as secure as it could be, but Vista improves on this significantly. Its one of the most pro-MS stories I've seen on slashdot for a little while now. Of course, I'd never touch Vista personally, but that doesn't mean it isn't an improvement over XP in security.

So how do you do that?

[Sycraft-fu]

How does an OS know what apps are good and what apps are bad? That's what a virus scanner is: It's a list of known bad apps. If one wanted a real world analogy it wouldn't be like a locked door or anything, but rather a bouncer with a list of people who need to stay out.

Vista already has privilege escalation if that's what everyone is bitching about. So evil apps that want system access will have to ask for it, just like everything else. However if the user says "Sure, you can have that," what can the OS do about it? Apps don't have an "evil bit" they are just code to be executed.

Same deal with the real world. If you choose to unlock your door and let someone in, it's not the fault of the people who made the lock or the door that you did.

I think the grandparent is just another of many Windows haters that seems to think there's some magic that could be done to keep viruses out that MS just won't do. Well, actually there IS such a technology and that would be the scary version of trusted computing. If hardware enforced protections past what the OS could override, and checked signatures on apps, then only valid, signed apps could run. Provided the signing authority did their job, there'd be no viruses. Of course that would mean giving total control of your computer to a third party, something I think none of us want.

What it comes down to is there is no way for an OS to both give someone control of their system and protect them from themselves. The ability to grant the authority to run code at a privileged level implies the ability to do it for both good and bad code. Thus the necessity of virus scanners. They maintain a known list of bad code, and can warn you if you try to run that. I suppose you could build it in to the OS, but it changes nothing, it is just a virus scanner that's part of the OS now. There's no magic juju, other than taking away the user's administrative rights, that will work.

Just to be clear: By taking away administrative rights I don't mean running as a deprivileged user, Vista does that, I mean NO admin access AT ALL. No escalation, period. That'll do it. Indeed we do that at work as much as we can and on those computers, we have no problems as users simply can't install software. However to do it at home, well you can see how that'd be a problem.

Re:So how do you do that?

[rtb61]

Think of it as a vault with in the house. There is no reason that any user installed application should ever run in the operating system vault. Sure the user might lose their user application and data area but the system will still and and at the very least provide an opportunity for the user to recover their user area.

If M$ had not been so monopolistic and tied everything together to give their applications an OS advantage and to keep competitors from equal install capability or equal access to protocols, or scattered program installs all over the file structure rather than at a single point (can't have users drag and drop a file to copy the program), they would not have created such an enormous problem in the first place.

So can software be installed at a single point and leave the OS and network coms alone, of course it can. Creating a single registry was also mind bogglingly stupid. Many bad decisions along the way have made windows a dead end.

Re:So how do you do that?

[daskinil]

It's become apparent to me that you are a mac user, and in addition have no concept of how your operating system actually installs those programs you click and drag. I would suggest looking into how your OS works a little more. In addition throwing files are over the filesystem, thats hardly the problem as Linux AND mac does that as well. that's why there are all those directories in your root directory.

Re:So how do you do that?

[rtb61]

There are many programs under Linux that you can install in the user own home directory with out ever getting root access. My preference is for all user level programs to function that way, it really simplifies everything, although the program installs themselves are much larger and with multiple users a lot more disk space is used.

With Linux it certainly is possible, with M$ it is impossible. With 'Apple' I would not have a clue, never having owned anything 'Apple' (not even a vinyl disc ;) ), but all my computers are dual boot, even the old one for playing win98 and dos games, Linux of course being the main OS.

Re:So how do you do that?

[daskinil]

I don't see how you believe it is impossible to create an application in a single directory on M*dollar sign?*. Keep all shared libraries in user directory instead of putting them in the proper folder, don't create shortcuts in the start menu section. I keep all your configuration information locally instead of the registry. There's no good reason to do this. As it helps nothing. The point I was trying to make, is all OS's have applications that do this- and they should, different abstractions of a program (shared libraries, user binaries, configurations) can be better organized leveraging a common structure as presented by the OS. Where certain files are on the computer real don't affect flaws in the OS, as someone was saying. Wether these directories need to be user level or admin is another question. Personally I don't mind elevating privileges to install applications in either linux or windows- as its necessary in both.

What? My linux box is 100% secure.

[raehl]

And since it's not plugged into an electrical outlet, it doesn't draw any power either!

NO AV != No protection against viruses

[A+beautiful+mind]

Let's face it. Anti Virus software is the day after pill. I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken. So no, not including an anti virus software doesn't mean an operating system shouldn't employ design and tactics against viruses. Ars Technica is simply wrong.

Re:NO AV != No protection against viruses

[Nebu]

I daresay if someone relies on defending against viruses by antivirus software, the security model is already utterly, completely broken

So how do you defend yourself against viruses? The only ways I can think of off the top of my head are:

• Don't download any software, ever. In fact, don't even connect to the internet at all. Assuming the OS itself didn't come with a virus, this is the only 100% foolproof way to avoid getting a virus.
• Don't download any software, ever. But allow yourself to be connect to the internet. There's a slight chance of getting a virus anyway, if someone guesses your password or otherwises hacks into your system.
• Only run open source software, read all the source code, and compile it yourself (but at some point, you'd need to download a binary, to bootstrap the process, so even this is not 100% foolproof).
• Only run open source software, don't read the source code yourself, but rather trust the "many eyes" that they're doing a good job of reading the code for you, and compile it yourself (same problems as above, with the additional problem of needing extra trust from those "many eyes").
• Only run open source software, and don't compile yourself. Trust that the binaries that you download from sourceforge.net, for example, are virus free.
• Practice skeptical computing, download various software, some of which are open source, some of which are closed source, and run an antivirus scanner.
• (etc... there are more, but again, none of them will 100% guarantee freedom from virus except the first).

Only the first tactic guarantees you a virus-free experience. With everything else, there's a slight chance of getting viruses, which increases as you go down the list. For many people, the minute increase in chance of catching a virus is worth it for the added experienced gained from using a computer. It's similar to how many people eat food which is "bad for them", but tastes good. The alternative, to stick to only "known good" food, is simply too painful for most people.

Re:NO AV != No protection against viruses

[A+beautiful+mind]

I defend against viruses by either downloading software from a gpg signed trusted debian repository, or compiling software from sourcecode.

Thing is, there is no 100% percent way, as you say. Noone wants "100% security" either, because it's impossible to have. But there are good methods to have a reasonable percentage of security and there are methods that don't guarantee a thing and only bring a marginal increase in security against unwanted code. Antivirus software is the latter. There is a huge fucking gap of security and usability between the "sound security practices" and "using a virus scanner" (The third option from the back and the second from the back on your list).

Re:NO AV != No protection against viruses

[Nebu]

There is a huge fucking gap of security and usability between the "sound security practices" and "using a virus scanner" (The third option from the back and the second from the back on your list).

Right. But the list recommends that you do both. And so do I.

Re:NO AV != No protection against viruses

[drsmithy]

So no, not including an anti virus software doesn't mean an operating system shouldn't employ design and tactics against viruses.

What "tactics" would you be thinking of ?

No Locks on the door?

[smartin]

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

I think the point is that M$ should have learned their lesson last time, and the time before that, and made vista such that having anti-virus software would be unnecessary. Or in the terms of the analogy, Having forgotten to put a lock on the door of their previous house and repeatedly come home to find their underwear scattered all over the yard, you would have thought they would have made a secure door this time.

Re:No Locks on the door?

[Sinbios]

You make "making AV software unnecessary" sound so easy. If I could make something that will make AV software unnecessary without impacting the user's computing lifestyle (disconnecting from the Internet? Yeah, that'd make AV software pretty much unnecessary), I'd have all of the AV companies' customers and be a multi-billionaire within the year.

You're implying that the OS should be able to somehow "know" whether a piece of software is a virus or not. Fact is, to the OS, viruses look the exact same as a legit piece of software; the only way it could know that it's "bad" software is either a) trust your judgment (hence, UAC and admin privileges, etc.) or b) maintain a list of "bad" software, which is what AV software does. Now, Vista can't do b) cuz then the antitrust lawsuits would be coming down the shitpipe, and it's already doing a), but you can't expect all users to be able to judge if a piece of software is "bad" (sorry, my mom is just not up to the task).

So "making AV software unnecessary" really isn't the piece of cake you make it sound like.

Flawed comment: of flaw-reporting report flawed?

[Smight]

You must have missed the fact that even though niether system had AV on it, niether did Vista. And it's not fair that you should expect a new system to be more secure just because they say they are.

  Obviously, if you want a non-biased test the Vista computer should be in a secured bunker with no internet access within 50 miles and the XP computer should be an unpatched beta version set to search for "WAREZ PLEEZ".

Re:Isn't greater security a selling point of Vista

[yakumo.unr]

Just wondering, how many linux distro's come with A/V? is it standard now?

And how fast would MS find themselves in court again for monopolising everything if they HAD included A/V.

Re:Isn't greater security a selling point of Vista

[secPM_MS]

Security is a selling point for Vista. For me, it is the most compelling selling point, although I do like search a lot as a feature. Now for my perspective on why Vista is more secure than XP:

A lot of work was done to support running as normal user. This does not get much attention, but it means that I can (and I do) run as a normal user without administrative credentials (it is much harder to do this in XP). If I have to manage the system, I have to use full administrative credentials (read, su root). It also means that malware that might hit me does not have the permissions needed to modify the system. This is even stronger than the UAC protections on administrative users. My wife and kids run as normal users and do not have administrative acess.

A lot of internal work was done to reduce service permissions and internally harden the OS, including the introduction of the integrity level mechanism that is used to support protected mode IE. These changes reduce the scope and impact of local compromises.

Enormous amounts of fuzzing of acessible interfaces and parsers was conducted and many issues were found and fixed.

The security bulletin data since Vista has shipped suggests that there is reduction on the order of 2X or greater in bulletin class vulnerabilities. Indeed, the numbers suggest that Vista is running fewer issues than either OSX or the major Linux distributions.

The user has a great deal of control about their vulnerabilities based upon how they configure and use their system. Microsoft exposes a very rich and neat set of functionality in Vista. If you are trying to reduce your security vulnerabilities, there are a number of things that you can do (at the expense of neatness and functionality):

Run as a normal user, not admin (which is standard UNIX practice)

turn off sidebar (less stuff running means less stuff to compromise)

turn off scripting, activeX, multimedia, etc, in your IE Internet zone

Add sites to your trusted zone (where scripting is allowed) only if you trust the site with your credit card info

If you run a desktop suite, run Office 2007 rather then Office 2003. Note that Office 2007 almost certainly has fewer security vulnerabilities than Open Office.

Be very cautious about what software you install.

Re:AV is not a lock

[yakumo.unr]

That's not strictly true any more tbh, with net traffic monitoring systems like imon in nod32. the code, or at least part of it (I'd expect a lot of threats would be detected before the code was completely downloaded) , may have been downloaded but couldn't have been activated at all.

Shrug, I disagree

[trawg]

the report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software I thought the big issue everyone had with Windows products were that they needed AV products in the first place because they were fundamentally insecure?

Shipping Vista with an AV package would have practically been admitting that they can't make secure products and the only thing left to do is have a separate layer in the OS to try to intercept stuff before it caused problems (or clean up after it), rather than blocking the holes in the first place - which is, I believe, part of the point of Vista's entire security model (DON'T RUN THINGS AS ADMINISTRATOR, JERKS).

Re:AV is not a lock

[misleb]

I wouldn't call having a file on your desktop (from email, for example) that could potentially infect your system and infection in and of itself. A good AV package will detect and clean the virus BEFORE it infects your system. That is, before you open/exec the file. Though there are other viruses that infect through the network without any user action required. So in that case your are correct.

I'd say AV software is more like having a bouncer at the door... preferably with a rifle. :-)

-matthew

Re:Anything to slam MS

[Miseph]

I wouldn't even call it pro-MS, I'd call it anti-anti-MS and pro-"not being a douche bag and making incredibly controversial claims based on obviously and likely intentionally flawed studies".

I'm all about bashing MS, but using spurious logic to do so is just detrimental to the entire anti-MS movement.

Vista is a faulty OS?

[feranick]

"Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted." This simply means that Vista is a basically a faulting program!!! Any Linux distro or OSX do not ship with antivirus either. That doesn't make them faulty or unsafe to use it. Vista should be safer "regardless" of the presence of the antivirus, otherwise it simply faulty by design.

Re:Vista is a faulty OS?

[SCPRedMage]

The problem with locks is that no matter how good they are, they can be picked, one way or another. If the bad guys can make a set of lockpicks that work on an almost everyone, there's no point in making tools to break the few locks that their existing tools won't.

Point is, Linux and OS X don't ship with AV software because they simply aren't big enough targets for people to actually care about.

Re:Vista is a faulty OS?

[maxume]

Only in the shadow of a Windows that provides countless (relatively) easy targets. If Windows wasn't quite so easy for people who aren't paying attention to break, exploits would be more evenly distributed.

Re:Vista is a faulty OS?

[decuser]

Moronic... It never ceases to amaze me how gullible M$ users are. Reminds me of the AOL versus broadband fud, "Sure AOL's not quite as fast, but..." How can it be the User's fault if the OS allows programs to run in privileged modes without asking the user?

Sheesh - get a real OS and quit whining.

Re:Vista is a faulty OS?

[SCPRedMage]

Psst... buddy... got a little tip here for you...

VISTA ASKS USERS IF THEY WANT TO ALLOW PROGRAMS TO RUN IN PRIVLEDGED MODE.

And since we're talking about Vista here, no, you don't get to point out the behavior of older versions.

Sheesh - get a grasp on what you're insulting and quit whining.

Re:Vista is a faulty OS?

[SCPRedMage]

If you don't think that the untold numbers of naughty people out there could break Linux were it to actually present a worthwhile target, then you're deluding yourself. Just like AACS was broken, so too can any OS fall to enough INTEREST in breaking it.

As far as EVENLY distributed, depends on how you do your math. If you see three major OSes (Windows, Linux, OS X) and expect each of them to get a third of the attacks, I'm sorry, but that's not human nature. The OS with 95% of the market will be targeted by the majority of exploits, simply because that's were the biggest pay off is going to be.

Re:Vista is a faulty OS?

[maxume]

Actually, what I meant was that Windows has its biggest market share advantage among people who barely know how to use a computer(except maybe over OSX, but given gaming...), so there are many more people sitting in front of Windows computers that will click on anything that happens to pop up, without considering what it will do or maybe even reading it.

Re:Vista is a faulty OS?

[SCPRedMage]

Point taken. Personally, I think MS should have required that the user re-enter their password by default, rather than the hidden option that it is. If you make it a bit harder than just clicking "Allow", then more of the less tech-savvy people will start to pay attention. But then, if they did, they'd have the people who actually USE Windows complaining about the thing being user-unfriendly.

Of course, you can only protect the user from themselves so much. Past that point, there's nothing ANYONE can do to help them. Which is my whole point; how can you blame Microsoft for the users exposing themselves? I mean, there's a trade-off between being secure and being user-friendly. Microsoft has been trying for YEARS to make computers easy to use by an average person. Tell me, is that wrong? Should computers be strictly for the enthusiast willing to get over a steep learning curve, or should they be more accessible?

Flawed counter argument

[Weaselmancer]

'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'

Vista is supposed to have these features built-in, as well as a host of other improvements. Such as service hardening, anti-malware (which does claim to kill viruses), network access and more.

Why, you can read the whole list right here.

So I wouldn't say it's like a door without a lock on it. If Vista is flawed, it would be like saying it's a door with a crappy lock on it. Big difference.

AV software is the day after pill

[cdn-programmer]

Noooo.

Since few people update their AV software each day they use their computer and indeed since the best that AV software can do is reactive in nature... AV software is more like the month after pill or even the 9 months after pill.

At best AV software is doomed to failure. This incident illustrates how serious the lack of security in common practice is. Clearly the perpetrators were a novices. Perhaps they were just a couple script kiddies playing around wondering if the lack of security was real.

If an amateur can do this, then consider that organized crime must know tonnes of passwords. A lot of people do online banking and online stock trading. The exposure our financial systems are exposed to is incredible.

Re:I knwow I'm an AC and all...

[grcumb]

The first is well known, Windows is hundreds of times more popular....

You mis-spelled predictable. The issue isn't that more people use Windows; the issue is that the same exploit reliably works on vast numbers of Windows machines. It's not the popularity, it's the monoculture, combined with a broken design that is trivially easy to exploit. Another example of monoculture and utter lack of security combining to create havoc is the Morris Worm of 1988. Happily, *nix systems have moved on since then.

Secondly is a much smarter reason. Who uses these operating systems. Average windows user, knows nothing about PCs, more than willing to go to dodgy websites, doesn't notice when things are strange, hell most of them don't even update windows with the security patches and as a result they are a really nice target. Now linux users, they know what they're doing, they're either programmers/hackers etc. or they are using for very specific tasks- these people know what's going on, update their system and sweep for bugs and notice things.

Sorry to rain on your parade, but that's utter bollocks. I have empirical proof of this, from having installed and run numerous Linux-only computer resource centres for first-time computer users. The users are mostly under- or uneducated youth from a developing country, who love nothing more than to click anything that flashes or shines. The number of people who have used these centres is in the thousands, so it's statistically significant. We've just opened another centre that uses only Mac Minis.

So why, pray tell, is the total number of malware-infected machines a big fat zero? It's not the administration. The staff are taken from among the youth themselves. In most cases, they have no prior experience with IT. They're simply more interested in it. It's not user habits; the youth do wander regularly onto malware-infested sites.

The bottom line is that Windows gets regularly and predictably infested with malware because it's so easy to do, and the 'rewards' are so great.

Inflamatory titles, this applied to corps ONLY!

[MikShapi]

More fanboys.

For whoever doesn't see this screaming at him, here's a breakdown:
In home-user-land, credendials were an option nobody used until Vista. NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one. Vista and XP for the home user are incomparable and are in totally different leagues, vista winning by very, very, very long shot.

In corp-land, everybody (who gives a damn about his security) has been using non-administrator-accounts on his workstations (at varying and ever-improving degrees of annoyance) since NT4. For all intents and purposes, XP with domain policies had all the functional benefits of UAC, as did 2000 and NT4. So the battle over which is more secure needs to be resolved on much finer points, such as susceptibility to buffer overflows, code maturity etc. This is what the report in TFA addressed and they may be quite correct on this.

Pushing titles saying "XP less secure than Vista!" without VERY THOROUGHLY POINTING OUT WHEN AND WHERE THIS APPLIES (*WHERE THERE BE NT DOMAINS AND RESTRICTED USER POLICIES*) is a cheap, inflammatory and sensationalist way of getting attention. Most people who have no clue reading this headline will get the VERY WRONG message, become misinformed, spread on more hyperbole about Vista "being less secure than XP" to people who know even less, and the overall effect will be doing WAY more bad than good in the name of either stupidity or anti-MS fanboyism.

Re:Inflamatory titles, this applied to corps ONLY!

[bluefoxlucid]

NO amount of buffer-overflow susceptibility can EVEN COME CLOSE to outweighing the security implications of having UAC - a restricted-user+sudo working model rather than XP's work-as-root one.

... *sets IP datagram length to 1400* ... *sets TCP datagram length to 63* ... *lets kernel copy remainder of IP packet to 63 byte buffer* ... *obtains kernel level access without even connecting to an open port, before the packet even reaches the installed zonealarm/mcafee/norton firewall or built-in Windows firewall*...

Re:Inflamatory titles, this applied to corps ONLY!

[MikShapi]

/Specific/ overflow bugs are a VERY POOR basis for an OS choice decision that will accompany you for the next so-and-so years. Why? because they will be fixed next week.

I'm not saying vista in unexploitable, or that particular exploits do not at all contribute to an OS's security rating. I'm saying a car with a seatbelt is better than a car without a seatbelt, regardless of which has what easily-pathchable (hence, minor) flaws.

I don't think there is *ANY* debate as to whether /WITH/ user-level security model (vista) is better than /WITHOUT(aka work-as-root)/ model (xp).

Do a few expected exploits (yes, expected, every commercial OS with a marketing clock ticking that ever came out had a whole bunch of them, including most if not all commercial variants of UNIX I ever heard of) and some bugs in the system warrant sticking with a vastly inferior security model? Is an imperfect seatbelt worse than no seatbelt at all? IMHO *no*. MS will fix their shit (as has happened before), exploitability will stabilize in an asymptotic to zero manner (as has happened before), and it will end up a hell more secure than XP due to a better model (again, for home/nondomain use).

Also keep in mind UAC is not a silver bullet, much like the fact that having user accounts on my linux boxes does not make them uncompromisable.

By proving you can root one of my boxes you will NOT have proved that user-accounts (rather than giving everyone root) is useless. The user-based security model is a PROVEN AND VERY EFFECTIVE means to statistically REDUCE the chances of sustaining damage from a random threat, not a magic silver bullet some fanboy idiots try to make of it to discredit it.

By the same coin, by infecting a Vista box with /A/ virus, you will not have proved that it is "just as susceptible to viruses as XP". All you will have proved is that it is just as susceptible to A SPECIFIC virus, an that on a particular patch level (next week's patch level will likely obsolete this virus).

Throw the most frequent 5000 in-the-wild viruses at two boxes running vista and XP, it's quite obvious /STATISTICALLY FEWER/ will have affected Vista.
Move 4 years into the future, where new malware will have evolved, and even if we assume that the number of malware threats in a UAC world matches what it was during everyone-is-root era (which I highly doubt), the vast majority will have the LIMITED capability of only being able to infect your userspace, not the entire OS.

Less and less-potent malware, while not being a silver bullet (of which there aren't any anywhere outside people's imagination), is definitely a very big move in a very right direction, and for non-domain use I find it totally as obvious to choose between them as it is between telnet and ssh, regardless of which has one exploit more than the other (assuming of course neither of them has zero exploits, just to make the analogy stick)

Re:Inflamatory titles, this applied to corps ONLY!

[bluefoxlucid]

He made a blanket statement. I blew cold air under it. Yes I know the hypothetical overflow doesn't exist; point is though, UAC or sudo or whatever doesn't magic-bullet your security because, yes, OS services run with high privileges. On Windows crap like IIS has uberuser access (not administrator superuser, but System access!); on Apache, not just things like Web servers and DNS, but also directory servers and core system processes like printing run with restricted privileges. If Windows took a least-privilege approach like everyone else, we could handwave away a large amount of possible hackery on cruddy programs (yes the network stack lies in the kernel and my example falls here) because it would get you local user access just like trojaning the machine.

Re:Inflamatory titles, this applied to corps ONLY!

[drsmithy]

Sorry. Your packet crashed and burned at the perimeter firewall.

Re:Inflamatory titles, this applied to corps ONLY!

[MikShapi]

We're almost in agreement then.

The "least permissions" approach has lots of merit when you're talking about a single-application server (say, apache, bind, what have you), but the sweet spot for a homeuser-targeted box (also, where the vast majority of your users are not techs, Windows is not exactly gentoo), the sweet spot of just how restricted or not restricted you want the defaults to be may lie elsewhere than for your apache servers.

Back to the point at hand, nobody (in this thread at least) has any illusions about UAC making a machine utterly bulletproof, and whoever believes that is an idiot. The fact that I give my users non-root accounts on my unix servers doesn't make the unix servers bulletproof. users can still exploit software if I don't keep it up to date. That's just as right for Debian as it is for Vista, MacOS and even, woe and behold, OpenBSD. A person who does not understand that is more fanboy than professional. Nevertheless, if I were to give all my users root accounts instead, I think there isn't a single UNIX admin out there that wouldn't agree with me that this would have been a quick shortcut to royally fucking up my network. Same for Vista. UAC is a CRITICAL improvement for any box that doesn't have security policies otherwise applied to it (domain creds etc).
It's not a silver bullet or any such rubbish. But it greatly raises the amount of effort one must put into getting into your system, and it greatly reduces the amount of damage done once most malware starts targeting your userspace rather than c:\windows.

In short - UberSuperKillerSecuritySilverbullet2000 - NO. Great improvement over anything in the everyone-is-root ballpark - absolutely.

Re:Inflamatory titles, this applied to corps ONLY!

[bluefoxlucid]

Didn't know microsoft was so dumb that they not only ran their services overpowered; but had them designed to work in limited accounts. There should be a hardening tool that adjusts these.

My horse has escaped - Again!

[DeeVeeAnt]

"a bit like faulting a door without a lock for opening when the handle is twisted". They are asking, nay forcing me to buy yet another new stable which has the same open door. I would be wrong to fault them for this?

Re:Anything to slam MS

[papason]

Go ahead and post your facts supporting MS then.

Re:Anything to slam MS

[smallfries]

The bit of the XP vs Vista comparison that I liked the most (in the summary of course, no I haven't RTFA) :

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.

To be fair, with windows you don't have to twist the lock... a strong fart on the way past would do it.

Re:CRN Report Is Fair

[Nebu]

But common folks, after five(5) years and millions and millions of bucks they sure could have done better than this-- really. Its not Microsoft bashing--- its true and its fair.

How could Microsoft have done better? If Microsoft had bundled antivirus software with the OS, the other antivirus software companies (McAfee, Norton, etc.) would sue Microsoft for anti-competitive practices. If Microsoft doesn't bundle antivirus software with the OS, CRN write a review saying Vista without antivirus software is no better at defending against virus attacks than XP without antivirus. That's about as dumb as saying Vista without a printer is no better at printing out documents than XP without a printer. I mean, come on, Microsoft! You had 5 years, and millions and millions of bucks. Couldn't you figure out a way to print out documents without using a printer?

Okay, here's the deal on CRN.

[Chas]

My company gets delivered (hey, it's free, so they don't argue). As such, I've run across their "reviews" before this. And I believe I can summarize.

They look at things from a distinctly user-centric POV. They're focused on what the apps/solutions/OS they review do for the end user.

As such, they're not a "technical review" in any real way, shape, or form.

The term "fluff piece" comes to mind.

They add just enough to give the business users who read CRN a bare taste of what they're talking about. Any more, and the reader would go glassy-eyed.

So, lots of hype, lots of buzz, a couple explanations of things the user MAY encounter directly in a business environment, and that's about it for CRN.

For you techies out there, think about the general technical "IQ" of the sales guys in your organization (if they have one at all). THIS is who CRN is writing for.

As such, it's easy to see how the non-techie reviewers at CRN could look at a naked Vista install.

Understanding NOTHING of the security process, comparing it to the loaded out XP install on the locked-down machine his IT department provided him would be easy.

Because he hasn't seen the process, going on behind the scenes, that are necessary to secure an XP machine.

Re:AV is not a lock

[Cairnarvon]

Any AV worth its bits will scan downloaded files before they're opened, and any executables before they're run. It's both the lock and the rifle, and the stain remover that gets the blood out of your carpet, though sometimes you'll have to buy a new carpet.
Stretchy analogy is streeeetchy.

Re:CRN Report Is Fair

[Smight]

So you're saying Linux and Mac OSs are doing the impossible?

Someone call the tabloids and we'll be rich!

In other news, it has been discovered...

[SadGeekHermit]

...That submarines with screen windows offer slightly better floatation than submarines with screen doors.

MacroSubs has affirmed that this is incorrect, however, and stated today that the question will be settled once and for all when their new submarine, entirely made out of screening material, captures the imagination of the nation with its launch in 2009.

So-called "alternative" submarine manufacturers continue to insist on using steel for their doors and heavy lexan for their windows. They claim this quaint, antiquated approach lets them offer better floatation, efficiency at depth, and crew survivability, but independent studies have shown that their apparent "floatation edge" is due to the fact that far fewer of these submarines are produced, not any superiority in design. A. Noying, of an independent think-tank funded in part by contributions from MacroSubs, had this to say:

"Look, we all know that as more of these all-steel and plastic subs get produced, you'll start seeing network effects and their buoyancy will be reduced down to normal levels. Currently, with only a few percent of the market, the oceans aren't interested in them as a point of ingress. This will change soon and you'll see some interesting numbers from my lab to back this up."

When asked about the widespread buoyancy failures of MacroSub submarines around the world, Mr. Noying said only "it's hardly MacroSub's fault if submarine captains tend to drive their submarines into reefs and long-forgotten sea monsters. Their duty is only to make subs buoyant, not idiotproof. However, they are working on an interesting feature called USC, or User Submergence Controls, which should make things a little easier. The submarine will basically ask the captain if he's really, really sure he wants to increase depth, once per fathom. If the captain insists on running into that reef after all the help he's been given, perhaps he shouldn't be driving a sub anyway..."

Re:Anything to slam MS

[dotgain]

I've been using it for a few months.

It's almost done logging me in, in fact.

Moot point

[dj245]

The point that Microsoft will drop support is moot. There are a lot of companies that still run NT servers and workstations. I worked for one last summer that used embedded NT workstations as a frontend to access the GE LM6000 turbine PLCs. They also had NT servers and NT desktops for SCADA. My current desktop at a different company is windows 2000. Companies will balance cost, security, and familiarity. Microsofts support cycles often have nothing to do with that.

Re:CRN Report Is Fair

[Nebu]

No, I made no mention of Linux or MacOSX. But if you're curious, I am of the belief that neither Linux nor MacOSX without virus protection are immune to virus. The fact that there exists viruses for Linux and MacOSX seem to support my belief.

Re:AV is not a lock

[Herby+Sagues]

And they DO get hacked. According to most popular defacement sites, most sites hacked are running Linux, not Windows. And the difference is usually bigger than the ratio of installed bases. But as personal machines, they are a vast minority and not worth investing in hacking, XP being a much better target. I think that's what the comment referred to.

Re:CRN Report Is Fair

[Smight]

No operating system is 100 % safe even with anti-virus. My point was that your analogy is saying that even the thought that you could be remotely secure without anti-virus is like trying to print without a printer.

Bad analogies waste time and resources, just like the cold war. The creator of that analogy must be as bad as Stalin.

"Vista remains riddled with holes"

[bl8n8r]

People. Get off the denial job already. Vista is not magically going to become the upgrade you were hoping for; No matter how many studies, weblogs, reviews, taste tests, or procto exams happen, Vista sucks, end of story. Microsoft will come out with service packs this fall, there will be all sorts of heavy breathing once again, but it's going to be the same historical disappointment. Microsoft needs to get their shit together and stop robbing people.

Re:CRN Report Is Fair

[Nebu]

My point was that your analogy is saying that even the thought that you could be remotely secure without anti-virus is like trying to print without a printer.

No, all I said is that complaining that Vista-without-antivirus is no better at defending against virus attacks than XP-without-antivirus is about as dumb as complaining that Vista-without-printer is no better at printing out documents than XP-without-printer.

Note that I specifically chose the wording "defend against virus attacks" as opposed to "remotely secure".

Re:Anything to slam MS

[rs79]

Of course the great irony is W98 is more secure than either.

Whose security?

[Livius]

The "security enhancements" in Vista were to protect Microsoft from piracy, not to protect Vista users. Microsoft still doesn't care about them.

Re:Anything to slam MS

[dwarfsoft]

You must be still clicking endless Cancel or Allows...

Personally, I am waiting until at LEAST SP1 is released before I install it.

Flawed Survey Shows Penguins Eat Own Babies

[ryanisflyboy]

Those dirty little penguins! Who knew?

Other flawed surveys show:
- Bush Is Actually Orangutan In Suit
- RIAA Hates DRM Music, Gives Thousands To College Kids
- Emacs Is Better Than Vim
- IE Is Most Secure Browser Of All Time
- Volcano Likely To Erupt In Redmond

You know what they say: "News for nerds. Stuff that matters."

Dumb statements r us...

[pookemon]

"'The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software -- something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted.'"

No, it's like comparing an old door without a lock to a new door without a lock and saying that the new door is no more secure than the old door. (Which sounds reasonable to me)

Re:Anything to slam MS

[dotgain]

You're absolutely right, but now it's time for me to be truthful.
My comment was based on my experience earlier this week on Monday, only the second time I've been close enough to be able to identify a Vista install, and the very first time I'd used it. It had just been installed (as well as Office 2007) by one of my colleagues on a brand new HP laptop. No, didn't get asked to Allow or Cancel anything, but what I did experience didn't surprise me in the least.

From the instant I hit Ctrl-Alt-Delete (and this is after waiting for the machine to finish choking itself) it was the same familiar Windows experience - watching the HDD LED as if it's going to give some sort of indication as to when it might be safe to go on to the next step as the machine crawls through the login procedure - totally unresponsive for the majority of the time.

People bag Windows about insecurity, DRM and UAC all the time - they're not the things I have problems with. I play the game, keep machines patched, AV installed if the shareholders demand it, and so on. My only real gripe with Windows it simply that I habitually find small sub-tasks to do like clip my fingernails or organise desk-drawers while waiting for countless delays my Windows box gives me. Screwed if I'm going to spend a month of my life waiting for start menus to render.

Where with a different OS, I'd start the kettle boiling and check my email while that's going on, in Windows I launch outlook and then go and see to the kettle, because I know which will make me wait longer.

Re:AV is not a lock

[Hucko]

really? and the 'popular defacement sites' are :.......? I'd like to see the stats on that please. I still can't find where you may have read that info to come to those conclusions.

I guess nobody noticed

[Whuffo]

The summary says that Vista has "taken care" of buffer overflow problems. I'd like to submit that one of the key features of XP SP2 was that they'd gone over the code completely and eliminated all unchecked buffers - which (according to MS) eliminated buffer overflow problems.

Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it. This bit of design stupidity has been the cause of millions of systems being exploited. Just a simple check to see if the file header matches the selected file type would go a long way - but no, this is too difficult. Here, have a UAC nuisance instead...

Re:I guess nobody noticed

[sid0]

I don't get you. I just renamed an exe file to wav, and double clicked it, and VLC opened, but didn't play it. What?

Re:I guess nobody noticed

[drsmithy]

Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

Who ever said Vista had been rewritten ?

Not to mention, even if it had, you'd still be wrong. There are examples of independently developed codebases having the same exploit because the developers for both made the same bad assumptions.

I mean, how can a company whose email clients automatically launch attachments say that they take security seriously?

No Microsoft email client has ever done this by design.

Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista.

You mean the one so braindead that everything else from GNOME to OS X works in essentially the same way ?

Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs.

No, it doesn't. The shell hands it off to whatever program is registered to handle .wav files, which subsequently tries to open it.

Re:I guess nobody noticed

[Ravnen]

The summary says that Vista has "taken care" of buffer overflow problems.

Presumably they're referring to address-space-layout randomisation. In Vista, the layout of the address space is randomised, at boot time I think, so that even if malware manages to exploit a buffer overflow, it won't know the virtual addresses of any library functions, so can't actually do anything.

I mean, how can a company whose email clients automatically launch attachments say that they take security seriously?

Which client is that? I use Outlook, and it doesn't automatically launch attachments.

Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs.

I just tried that, and no, it doesn't run. Windows starts the application associated with .wav files and tries to play it. Naturally it fails to play, since it's not actually a .wav file.

Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

However, when you consider that both of your assumptions are actually wrong, maybe you don't have such an exploitable platform after all.

What continues to amaze me is that the file type security is applied based on the file extension - but when you execute a file, the system looks at the file header to determine how to open / execute it.

'File type security'? What is that? The extension is just used to tell the shell which application to launch to handle the file. It's not a security mechanism. You may be thinking of the way CMD, the Windows command line shell, works. It has some very strange logic, but at the same time is only used by advanced users, who ought to understand its quirks.

Now if your complaint was that Windows should not include execute permission by default when a new file is created, I'd agree with that. I don't know why the default when granting read access is to grant both read and execute access. It makes no sense to do this, since read and execute are not the same.

In any case, it's actually very easy to fix this 'default to allow execute' problem, by adding a permissions entry to a user's home directory that denies execute privileges to everyone, and applies only to files. Any file created in that directory, or any subdirectories, will then not be executable, unless the user specifically changes the permissions on that file, or the directory containing it. I suppose Micrsoft haven't done this by default because most users wouldn't understand how to add execute privileges to a file, so would complain.

Re:I guess nobody noticed

[A_Non_Moose]

Microsoft is their own worst enemy; they make wild claims about the functionality of their latest version but that functionality never meets their or their customers expectations. Then some exploit points out that they were being economical with the truth. Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

Exactly. It's rather insulting that some of these bugs get *re-introduced* with patches and updates.
There was one remote execution/root exploit that got re-into'd 3 times with updates/patches, and a few more
times with newer WMP versions (circa 2000/xp).

Not only are are mistakes being corrected, but repeated again and again. Aren't we learning anything from "our"
own history? (our, as in Microsoft's. Like "the royal 'we'"...meaning you, not me).

I mean, how can a company whose email clients automatically launch attachments say that they take security seriously? Let's not get started on the brain-dead file association open / execution misfeatures in every version up to and including Vista. Here's an interesting exercise to see how bad things can get: rename a safe executable to a filename with a WAV extension. Now double-click it; the executable runs. Combine that with browsers and email clients that automatically play WAV files and you've got a very exploitable platform.

Dangerous and frustrating, like OS9 and early OSX where say and mp3 with extensions would launch Quicktime, but
without, the metadata would launch photoshop/illustrator/program that did not know WTF to do with an MP3.

I can't say for sure with Vista, but if it were true I might actually/eventually get a copy in the future (plus
1 or 2 service packs later, of course):
Launch a program and minimise it. Launch Explorer and drag a file that program understands onto the button
in the start bar and release. Does it open the file, or does it throw up a bitch message?

I'd love to know, because I've done it with various linux WM's, OSX and all take it in stride, but since win95
to XP, it has never worked. Ever. You'd think if there were an error message, eventually someone would fix
it because in 12'ish years, someone would TRY and succeed, not Try and fail because the OS gets in the way.

Interface Design, like security, is a process of learning and adapting.

It has been 12 years and it's time to ask (with no apologies to GWB) "Is our OS makers learning?".

(some are, sorta. the death of brushed metal took too long for my tastes.)

Re:Anything to slam MS

[Hal_Porter]

Of course the great irony is W98 is more secure than either.

No it's not. I remember in Systems Programming for Windows 95, there was a great quote. They talked about protected mode, descriptor tables and so on. At the end of it, the author said something like

"I bet now you're trying to work out if it's possible to subvert this stuff. Well, it's so easy that there's no point. Windows doesn't protect the descriptor tables from Ring 3 [the least privileged] code so it's easy to create a trap gate or call gate for yourself to get into Ring 0 [the most privileged] where you'll probably crash and burn because you can't handle interrupts correctly. It's a "personal computer" - and you're free to do whatever you want to it, just like you're free to run your car without oil until the engine seizes up"

Which sums up Microsoft's attitude to security right up to the security push for XP that resulted in SP2 being deployed and all those patches getting downloaded unless the user stopped them. On the other hand people used to collect email over a dialup connection then if they used the internet at all and so the "personal computer" rule was kind of true. Before people started sending executables by email, probably the only ones people installed were ones that they got from the admin at work, or very occasionally bought in a shop.

So Win 9x and Dos seemed to be more secure because they weren't under constant attack in the way that a machine connected to DSL most of the time and bombarded with malicious software by email and websites is now. Actually another difference is that Dos and Win95 were mostly configured as client OSs - they aren't listening for (overly) complex protocols over a wider range of ports the way an NT machine does.

Also...stop the FUD

[sid0]

Much like a recently patched (again) exploit that affected 98, NT, 2000, XP and Vista. Seems somewhat odd that an operating system that has been completely rewritten at great expense and effort should be affected by the SAME bug that has been in their products for years.

1. The OS was NEVER completely rewritten. Stop spreading FUD. A complete rewrite would mean zero or monimal backwards compatibility -- see OS 9 vs OS X.
2. The exploit was far less severe in Vista with IE protected mode than in Vista with Firefox OR XP and below with both IE and Firefox. Says something, doesn't it?

Re:AV is not a lock

[SanityInAnarchy]

Only problem: AV is based on the assumption that we know what a virus looks like. There are enough false positives that the heuristics can't be working well, and the very existence of a signature means someone must've been infected already.

AV is a bit like the rifle, because it's the last line of defense, and a pretty damned weak one. I'd say anytime your AV hits, if you didn't see it coming with that particular file, you're doing something wrong.

You don't have to have some AV Software on the sys

[th173]

Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted. That is not right. If I build a house with a front door and a reasonable good lock, there iss e difference to a house in the woods with no lock at all. Software architecture can sure make a difference if it is easy for malware to take unwanted advantage. You don't have to have some AV Software on the system installed, if the OS would only allow signed code from trusted sources to execute.

But then again you have other problems. ;)

My 2cents: M$ could have made Vista more secure out-of-the-box without AV-Software.

Ok, major problems with that

[Sycraft-fu]

The first would be how do you design this system that is supposedly so secure that nothing ever needs to run in kernel mode, and yet runs with reasonable performance. Can you show me ANY system like that? At a bare minimum, you have hardware drivers that get installed and there's generally plenty more. Also, even if you lcok down the kernel mode there's still the user mode to think about. There are plenty of cases where you want to put something on the system that everyone can have access to. When we install apps on the Solaris computers at work, they usually need root to do it.

The second is what the hell is with this idea of the user's data being less valuable than the system? Maybe that's true on a multi-user system, but not on a desktop. When someone brings us a crashed laptop, what do you imagine they want recovered? Do you think it is the OS? Hell no, it is the extremely important data (that for some reason they neglected to back up). They can get a system with the software reinstalled, they can't get the data again.

So sorry, you fail to convince. Show me the OS out there that does what you claim, and I'll have a look. However right now I can tell you it isn't Linux, it isn't OS-X, it isn't Solaris, it isn't VMS, it isn't BeOS, it isn't any OS I've ever encountered. Show me the OS that can protect itself against a user with administrative privileges installing bad software. Unless you can do that, it really is disingenuous to demand that Windows should be able to do it.

It isn't that hard to design an OS that keeps unprivileged users form screwing up anything but themselves, but I've never seen or heard of the OS that can keep the administrator/root/the system user/whatever you want to call it from screwing the whole system. The power to access that level is the power to fuck it up. On a Linux distro if you have the power to recompile your kernel, that means you have the power to recompile the kernel from a bad source that builds in a back door. On an OS-X system if you have the power to escalate to run a program that does system maintenance you have the power to escalate to run a program that wipes the whole drive. You cannot have one without the other, at least with current OSes. Code is code to them and when the admin says "run this" they don't have a choice.

Re:Ok, major problems with that

[Tony+Hoyle]

Show me the OS that can protect itself against a user with administrative privileges installing bad software. Unless you can do that, it really is disingenuous to demand that Windows should be able to do it.

Linux (with selinux enabled) can be configured to do that.

You miss the point though. A *user* with administrative privilege. That's the problem with Windows. The only person with admin rights should be the admin. Hopefully someone with enough clue to know what they're installing.

Oh and you need to fire your solaris admin. You don't *need* root to install any app in Unix. You can choose to install systemwide that often needs it (unless you've setup a nonprivileged account for the task).. but how many apps truly need that?

Re:Ok, major problems with that

[drsmithy]

You miss the point though. A *user* with administrative privilege. That's the problem with Windows. The only person with admin rights should be the admin. Hopefully someone with enough clue to know what they're installing.

In most environments, the "user" and the "admin" are the same person.

This is not in any way a "problem" that Windows has any influence over.

Re:Ok, major problems with that

[Sycraft-fu]

Ahh yes, Internet knowitall syndrome. Well if you really think you know more than our Solaris admin, feel free to apply for the job, I'll send you contact info privately. Don't be surprised when you are asked some questions to which you have -NO- idea what the answer is though. Good luck on the no-root thing as well. Hard to install an app for all users (which is what we are doing) without being root. Harder still when you need to modify system services to do so (for the authentication server).

Also no, SELinux doesn't do what you think it does. You can still run evil code as root on a system with SELinux enabled. It's another layer of security yes, but just like running a virus scanner or firewall or hardware overflow protection. It can help, but it isn't a magic bullet. Also, due to its complexity, it is rather a bitch to setup in a truly most-secure mode and the distros that have it on by default like RHEL are pretty permissive. Even if you lock it down, the admin still has the ability to screw up the system.

You also miss the point with regard to Windows. If there is only one use of the system, as there is on home systems, the user MUST be the administrator. Period, end of argument. You can't say they shouldn't have admin, because if they shouldn't who should? Funny enough, in an enterprise you can run Windows with users with no privilege and we do just that at work on all the systems we are allowed to. They don't have virus or spyware problems. Users just can't put software on the system so it is a moot issue. However you can't do that at home. The user will be the administrator, that's just how it is. Same deal as a Linux install. The guy who installs it has root. You can't change that. They are the administrator, that's just how it goes.

You seem to have a flawed understanding of how privileged works in an OS. You can set it up however you like. You can make it real granular like VMS or more simple god/everyone else like UNIX. You could even set up a system where no one account has permission to do everything. You can add all sorts of tricks and traps and checks if you like. However you cannot escape form the fact that if a user has the privilege to do something, they have the privilege to fuck that thing up. Now in the context of a home system, where there's one user and that user owns the computer hardware and software, that user will, by necessity, have privilege to do any and everything. Thus they can fuck up any and everything. There is no defense against this, other than to take away their privilege which for systems like that requires a scary TCPA kind of implementation.

Re:Ok, major problems with that

[dpilot]

SELinux introduces the "role". Sure in most environments you're both "user" and "admin". But when you're acting like a "user" you're generally not doing "admin" things, and vice-versa. In fact, keeping the 2 types of actions well separated is probably a good idea, no matter what the platform. I hear about some dialog that Vista annoys people with, and that's probably not the right model to be using, because of the "auto-OK" effect. The "switch-to-admin role" mechanism IS the responsiblity of Vista. (or Linux, for that matter.)

Re:Ok, major problems with that

[drsmithy]

I hear about some dialog that Vista annoys people with, and that's probably not the right model to be using, because of the "auto-OK" effect. The "switch-to-admin role" mechanism IS the responsiblity of Vista. (or Linux, for that matter.)

The fundamental problem has nothing to do with "switching roles", it's that the typically ignorant end user is incapable of identifying if/when they *should* "switch roles".

Putting in more layers of "Do you mean it" dialogs (ultimately all that "roles", etc, does) isn't going to fix that problem (if anything, it will make it worse because the "auto-OK" effect, as you call it). So long as the software computers run can be determined by the typically ignorant end user, the "security problem" isn't going to go away.

Re:Ok, major problems with that

[kurokaze]

Bravo, well said. I wish I had mod points right now.

Re:AV is not a lock

[someone1234]

I thought mail scan and on access file scan are 'before the event' and also part of AV. How could anyone rate the parent as insightful? Oh, sorry, i just noticed i'm on slashdot.

Re:Anything to slam MS

[drsmithy]

Of course the great irony is W98 is more secure than either.

No, it's not.

These days it might be exploited less, but that is a completely different thing to being more secure.

Re:I knwow I'm an AC and all...

[drsmithy]

Sorry to rain on your parade, but that's utter bollocks. I have empirical proof of this, from having installed and run numerous Linux-only computer resource centres for first-time computer users. The users are mostly under- or uneducated youth from a developing country, who love nothing more than to click anything that flashes or shines. The number of people who have used these centres is in the thousands, so it's statistically significant. We've just opened another centre that uses only Mac Minis.

If you think in any way this refutes the argument presented, you are stupid.

So why, pray tell, is the total number of malware-infected machines a big fat zero?

Because it's a managed environment. Managed environments are (relatively speaking) _trivial_ to keep secure.

It's not the administration. The staff are taken from among the youth themselves.

What ? You just said:

I have empirical proof of this, from having installed and run numerous Linux-only computer resource centres for first-time computer users.

Which is it ? In which paragraph above were you lying ?

Re:Anything to slam MS

[Ravnen]

You're confusing Windows 9x, which had no security model at all, with Windows NT, which has always had a security model. Windows 9x was designed to be a 'personal' OS, but NT was designed to be run in corporate and institutional LAN environments, where the user was not necessarily the owner, and not necessarily expected to have full privileges on the machine.

The big difference between earlier versions of NT and XP, which led to Microsoft's security push, was that NT was mostly deployed in the LAN environments for which it was designed, where all the systems were more or less trusted. Windows 2000, and especially XP, gained widespread use in Internet environments, where the other systems on the network are not trusted, which completely changed the security dynamics.

MOD PARENT UP

[asninn]

...vampireware? Wow, that's one I haven't heard before. :)

That being said, moderators, please mod parent up - it's one of the most insightful comments I've seen in this debate so far.

An OS insecure out of the box is incomplete

[kholburn]

Actually there are lots of distributions that are AV-less and are quite secure from viruses and malware. Microsoft itself said that Vista wouldn't be subject to viruses. A distro should be reasonably secure out of the box. If it's necessary to add security software (and usually expensive security software) just to make a distribution secure then it is not fit for the purpose for which it's sold.

Re:An OS insecure out of the box is incomplete

[toadlife]

Actually there are lots of distributions that are AV-less and are quite secure from viruses and malware. Really?! Care to name one?

Microsoft itself said that Vista wouldn't be subject to viruses. No they didn't.

Re:AV-less?

[Ravnen]

Yes, you're missing something. The most important function of AV software is not to fix security holes, it is to protect the user's data from user mistakes, such as running malicious software. Users who only run software from trusted sources, and use a firewall, don't really need AV software.

this news is pure FUD

[thisispurefud]

this news is pure FUD

FUD

[gx5000]

Maybe there should be a time window on how many days we can get
to post about a new OS, c'ause I'm sick of reading about how Vista is great
and an improvement. It ain't, it bytes, it's not what we were promised at purchase time.
Let's all move along now, and let the MS/Industry paid bloggers alone with their macs ok ?

Mod parent down.

[bandannarama]

You didn't RTFA. Ars never claimed your strawman argument that the OS shouldn't defend against viruses.

Examples cited by Ars about how Vista "employs design and tactics against viruses" better than XP:

• "... the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own 'SQL Slammer.'"
• "IE7 in protected mode forces such scripts to run at a very restricted user privilege level, unlike XP which will allow those same scripts to run at the same privilege level as a user." XP does not provide the new protected mode environment for IE7.

Ars Technica is right.

The parent is referring to the preview pane flaw

[blueZ3]

The same one used by the Bagle worm (and others) that executed code in an email if the preview pane was open. So your snarky

Which client is that? I use Outlook, and it doesn't automatically launch attachments

while technically accurate is essentially wrong. Code in an email was being automatically executed--whether this was in an "attachment" or not is irrelevant. There's a comment earlier in this discussion that said that no MS email product has ever automatically executed code

by design

-- another interesting parsing of the problem.

Microsoft has a huge user base, millions of lines of code in their OS and applications, and a lot of 3rd pary legacy applications with which they don't want to break compatibility. On top of this, the majority of Windows users are not computer savvy. These restraints, combined with the huge financial incentive for hacking MS products, prevent them from writing software that's completely secure. That's not because they're Microsoft and thus evil (as half the posters here seem to think) or because they just don't care (as the other half assert). It's because they've reached a size and complexity (both in their applications and as a company) where it's no longer possible.

In other words, I don't think any company could do what Microsoft is trying to do, so I'm not surprised (nor angry) when they fail.

Re:Anything to slam MS

[shaitand]

I wouldn't call it pro-ms, I'd call it damage control posted by a MS PR Bot.

Microsoft and a couple other companies have begun to recognize the power of the tech crowd and Slashdot is a major hub of that crowd. Of course I can't prove whether or not this submission was posted (and likely bolstered in the firehose by MS shills. I can establish the power of the tech community. It was the general tech perception that AMD's chips were faster that allowed AMD to penetrate MS marketshare. Then the core 2 duos came out and the general perception was that Intel had finally after half a decade come out on top. Almost immediately thereafter AMD was reporting record losses.

Expect more pro-microsoft and microsoft PR posts.

Re:Umm...

[Endo13]

The /. title is misleading... as usual. Nowhere does the "flawed survey" suggest that XP is more secure than Vista. They use terms like "Vista is only marginally more secure" and "Vista brings little or no security gains over its predecessor". But then, apparently they're not even quite sure themselves because in almost every "test" they discuss in their article, Vista catches at least some things that XP misses.

And their conclusion at the end:

THE BOTTOM LINE

Based on the Test Center's findings, businesses that migrate their Windows PCs from XP to Vista will get a slightly more secure OS. But as the Finjan reports showed, Vista's security remains wafer thin.

Re:Anything to slam MS

[toadlife]

Desktop Gnu/Linux and OS X fanatics would disagree with you.

Re:Anything to slam MS

[Master+of+Transhuman]

"deployed in the LAN environments for which it was designed, where all the systems were more or less trusted"

Which was, of course, one of the more stupid design decisions - because there are NO trusted systems other than ones not connected to a network which are locked in a (relatively) physically secure room.

By the way, are you saying that NT did not have Internet access? WTF?

Re:Anything to slam MS

[Master+of+Transhuman]

"Expect more pro-microsoft and microsoft PR posts"

Is that even possible? As far as I can tell, the MS shills here outnumber the Ubuntu fanboys two to one.

Or maybe just because they're being paid to run their mouths, they just post more?

Re:Anything to slam MS

[Master+of+Transhuman]

This is totally true.

How many times have I tried to kill a process only to have Windows either utterly refuse to do it - because the process is buried in some buggy driver - have to wait a minute and a half only to have Windows ask "Do you really want to kill this process?" Yes, fucking asshole Bill Gates, that's what I just TOLD YOU TO DO! In Linux, you do a "kill -9 - it's fucking OVER for that process.

And the really fun stuff about supporting Windows PCs is how you go in intending to do one thing - and spend the next THREE HOURS doing all the "back story" stuff just to get to the point where you can do what you intended to do - because the machine has been steadily hosing itself since the last time you did a support call.

Had a client yesterday with Windows 2000 losing its printer drivers because the spool service crashed. (And God knows why your printer drivers have to disappear just because the spool service isn't running - who thought that stupidity up at Microsoft?) So I get there, and of course it's a Lexmark POS with their driver hooked to the spool service - or maybe a security update hosed it, since my Google search shows that happens.

So I try cleaning out the drivers from the Registry and the spool directories. So then the spool service and the spooler program somehow got mismatched, so an error message pops up every few seconds.

So while I'm trying to fix this, I see some Windows updates need to be applied. So I start that going, and that fails. I look at the update history, they're all failing with some stupid error code. So I try to rename the catalog directory as per the usual fix - can't do it even as administrator because somehow the system thinks it's still in use.

So I try to go into Safe Mode - machine won't come up at all in Safe Mode. WTF?

So it's "repair install" time. Then, because it's an old Windows 2000 and the repair install dumped the updates (and why is this - a repair install keeps the buggy end user programs, but dumps all its own updates?), I have to download 53 updates (which is still better than Windows XP current 72 updates).

Finally the machine is functional enough that I can do what I intended - install a newer printer driver.

Windows is utter shit.

Anal Self correction

[shaitand]

'allowed AMD to penetrate MS marketshare'

Should obviously be 'allowed AMD to penetrate Intel marketshare'

Re:Anything to slam MS

[Ravnen]

Which was, of course, one of the more stupid design decisions

Every mistake appears 'stupid' in hindsight. Unix suffered from exactly the same thing early on, e.g. sending everything, including passwords, in cleartext over the network. Why did they do this? Because the network was viewed as trusted. Even in the mid-90s, Unix users continued to send their passwords in cleartext over the network -- it wasn't until 1995 that Tatu Ylonen first released ssh, remember. I believe Windows NT at least supported encryption of passwords all along, i.e. from 1993. That isn't to say that either encryption scheme was remotely adequate by modern standards.

If you think everyone designing network operating systems before the Internet era of ubiquitous connections to an untrusted network was 'stupid', I think that says a good deal more about you than it does about them.

It's a bit like office doors in a building owned by an organisation. They might have locks, but the primary security barrier is the entrance to the building itself. Most people in the building more or less expect that others inside it are trusted enough that they don't have to close and lock their doors all the time. If the building were to suddenly become open to the public, the situation would change drastically.

By the way, are you saying that NT did not have Internet access?

No, I'm saying NT was primarily used in corporate/institutional LANs, where every machine was owned and managed by the same organisation, and Internet access was rare or nonexistent. That's how the overwhelming majority of networks were in the late 80s and early 90s, when NT was designed and first deployed. Even when the Internet did catch on, most organisations restricted direct Internet access to a few hardened machines, and required all the others to proxy through them.

Re:The parent is referring to the preview pane fla

[Ravnen]

A bug in rendering code isn't remotely the same thing as automatically executing attachments. There's an enormous difference between an exploitable bug and an utterly stupid design decision, which is what automatically launching an attachment would be. Now, if your argument had been that HTML email is a stupid idea, well, I'd probably agree with you. In fact, I have Outlook set to display all messages as plain text, and don't even use the preview pane. I use the inline preview, which is based on plain text. However, most users like HTML email, even though it's less secure than plain text, so that's what most users get.

At any rate, security vulnerabilities are hardly unique to Microsoft's email clients, so it doesn't really make any sense to point to Microsoft in particular, and ignore all the vulnerabilities that have been found in, for example, Thunderbird. More importantly, the post I was replying to made an argument based on two assumptions, (1) that Microsoft email readers automatically launch attachments, and (2) that file extensions are ignored when opening files on Windows. Both of these assumptions are wrong, so the argument was rubbish, based on either ignorance or a deliberate intention to deceive.

Re:Anything works to slam MS because MS sux

[FractalZone]

I'd say a car that doesn't ship with lcoks *IS* less secure than one that does. The survey seems reasonably valid in suggesting that security is the last reason on Earth a fool might waste money on Vista.