Symantec Gives Vista Security a So-So Grade
Published: March 7, 2007
by Alex Woodie
While Microsoft's Windows Vista operating system has made some big strides in the area of security, it doesn't fully protect users from emerging threats on the Web, security software giant Symantec concluded in a new report issued last week.
Symantec outlined its Vista security concerns in three papers released in July and August. While Symantec applauded some of the security work that Microsoft had undertaken in Vista (which was released in November), the security vendor raised legitimate concerns about the new technologies.
First, a quick summary of Symantec's 2006 reports. The first report urged caution over Windows' network stack, which was entirely rewritten for Vista and could give attackers new avenues of attack. The second concerned Vista's new User Account Protection (UAP) feature (renamed User Account Control, or UAC, before the final release), which is designed to stop users from routinely running with full administrative privileges, and the new "privilege isolation" techniques debuting with Vista. Lastly, Symantec took issue with Microsoft's reliance on digital certificates (mandatory driver signing) to keep malware from gaining kernel-level access. It would not be that hard, Symantec said at the time, for an illegitimate business to obtain a signing certificate and sell it to malware writers.
In its report issued last week, titled "Security Implications of Windows Vista," Symantec looked at four main areas of Vista security, including generic exploit mitigation, kernel integrity, system integrity and user-mode defenses, and resistance to malicious code. It also looked at work Microsoft has done to Vista's network stack since last summer's beta releases. The security vendor maintained some of the original criticisms it leveled against the new operating system last summer, but said Microsoft has shown improvements in others.
Generic Exploits
Symantec lauded Microsoft's efforts on the topic of generic exploit mitigation. "The technologies introduced in Windows Vista are very effective at protecting the core Windows operating system as well as Microsoft compiled applications," Symantec says in the report. "They serve to make the exploitation of traditional vulnerabilities infeasible, including those leveraged by well-known widespread worms observed earlier this decade. As a result, the overall impact of some code-level flaws, even when introduced by a Microsoft software engineer, is greatly diminished."
However, while Vista's own binaries are built to take advantage of these mitigations, older Microsoft products and third-party software do not enjoy the same level of protection out of the box, because the mitigations largely depend on how a binary was compiled and linked. "Older Microsoft or third-party applications and drivers will continue to pose a risk, as they will remain largely unprotected," Symantec writes.
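The point about older binaries being "largely unprotected" is checkable: Vista applies ASLR only to images linked with /DYNAMICBASE, and 32-bit Vista's default DEP policy (OptIn) covers only system binaries and images linked with /NXCOMPAT, while 64-bit processes always get DEP. Both linker choices are recorded in the DllCharacteristics field of the PE optional header. The following is an added example, not code from Symantec's report or the article, that reads that field and reports what Vista would do with the image; the three sample headers it contains are constructed in the script and are not loadable programs.

```python
"""Check whether a PE binary opted into Vista's generic exploit mitigations.

Added example; constructed headers, not code from Symantec's report or the article.
On Vista, ASLR applies only to images linked with /DYNAMICBASE, and on 32-bit
Vista DEP is enforced by default only for images linked with /NXCOMPAT (OptIn
policy); 64-bit (PE32+) processes always run with DEP. The linker records both
choices in the optional header's DllCharacteristics field, so an unprotected
legacy binary can be spotted from its header alone.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: relocatable, eligible for ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT: opts a 32-bit image into DEP
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image registers no SEH handlers at all
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70   # offset inside the optional header, identical for PE32 and PE32+


def pe_mitigations(image: bytes) -> dict:
    """Parse just enough of the PE headers to read Machine, Magic and DllCharacteristics."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)         # DOS header -> NT headers
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                               # COFF file header is 20 bytes
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return {
        "machine": machine,
        "arch": "PE32" if magic == PE32_MAGIC else "PE32+",
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def assess_vista_mitigations(image: bytes) -> dict:
    """Translate the header flags into what Vista does by default when it loads the image."""
    info = pe_mitigations(image)
    if info["arch"] == "PE32+":
        dep = "always on (64-bit process)"
    elif info["nx_compat"]:
        dep = "on (/NXCOMPAT, covered by the default OptIn policy)"
    else:
        dep = "off under the default OptIn policy (legacy 32-bit image without /NXCOMPAT)"
    aslr = "on (/DYNAMICBASE)" if info["dynamic_base"] else "off (fixed ImageBase, no /DYNAMICBASE)"
    return {**info, "dep": dep, "aslr": aslr}


def build_minimal_pe(magic: int, dll_chars: int) -> bytes:
    """Constructed sample: header-only PE with the requested Magic and DllCharacteristics.

    Not a loadable program (no sections, no code); it exists only to feed the parser.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # NT headers follow the DOS header
    is_pe32 = magic == PE32_MAGIC
    opt_size = 0xE0 if is_pe32 else 0xF0                      # standard optional header sizes
    machine = 0x014C if is_pe32 else 0x8664                   # IMAGE_FILE_MACHINE_I386 / _AMD64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples standing in for a pre-Vista 32-bit build, a Vista-era rebuild
# with both linker flags, and a 64-bit build that never opted into ASLR.
LEGACY_X86 = build_minimal_pe(PE32_MAGIC, 0)
HARDENED_X86 = build_minimal_pe(
    PE32_MAGIC, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
LEGACY_X64 = build_minimal_pe(PE32PLUS_MAGIC, 0)

if __name__ == "__main__":
    import sys
    # Pass real .exe/.dll paths on the command line to scan them; with no
    # arguments the constructed samples are assessed instead.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("legacy-x86 (constructed)", LEGACY_X86),
        ("hardened-x86 (constructed)", HARDENED_X86),
        ("legacy-x64 (constructed)", LEGACY_X64),
    ]
    for name, data in targets:
        r = assess_vista_mitigations(data)
        print("%-28s %-5s DEP: %s | ASLR: %s" % (name, r["arch"], r["dep"], r["aslr"]))
```

Running it over a directory of third-party executables is the quickest way to see Symantec's caveat in practice: anything linked before the Vista-era toolchains typically shows neither flag, so it loads at a fixed base and, on 32-bit Vista, without DEP, regardless of how well the operating system itself is protected. An administrator can override the DEP half with the AlwaysOn policy; the ASLR half cannot be forced onto an image that carries no relocations.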
Kernel Integrity
Symantec was very critical of Microsoft on the topic of kernel integrity. While the company applauded the new technologies intended to protect the integrity of the operating system kernel (including mandatory driver signing, code integrity checks, and PatchGuard), Symantec says they don't go far enough, largely because they are only enforced on 64-bit versions of Vista; 32-bit Vista, which most users run, gets none of them.
The kernel-level protection technologies will only slow down, but not stop, hackers intent on breaking into the kernel, Symantec says. "Results have shown that all three technologies can be permanently disabled and removed from Windows Vista after approximately one man-week of effort," Symantec says. "A potential victim need make only one mistake to become infected by a threat that does the same. The result: All new security technologies are stripped from Windows Vista in their entirety."
System Integrity and User Mode Defenses
Symantec expressed some satisfaction with the new system integrity and user-mode defenses in Windows Vista, most notably UAP. But it also found problems with these technologies, raising the possibility of attacks that exploit prompt fatigue from the many UAP dialog boxes Vista presents to users, and the possibility of attackers spoofing the certificate and UAP consent dialogs themselves, leading to total system compromise.
A final and more worrisome issue is that users may ultimately disable these security functions, Symantec says. "While these types of risks may be easy to manage in the enterprise environment, managing them in a home environment may be nearly impossible," the company concludes.
Resistance to Malware
Symantec found Vista largely resistant to the range of viruses, worms, Trojans, keyloggers, and other assorted malware infesting the Internet today. The company found that only 3 percent of backdoors can successfully execute and survive a system restart on Windows Vista without modification, keyloggers 4 percent, mass mailers 4 percent, and only 2 percent of Trojans, spyware, and adware. It also found Vista was entirely resistant to rootkits, which it said it expected.
These percentages are very low and make Vista, as shipped, very resistant to today's malware. However, Symantec found that with only minor code changes to the malware, the percentage that could install itself on Vista and survive a reboot would "increase dramatically."
And this leads to Symantec's most dire warning to Microsoft: if attackers combined the known workarounds for the new UAP feature, they could start turning out serious exploits and malware that run at the highest privilege level in Vista.
The company also had good and bad things to say about the new network stack. In the final release of Vista, Microsoft fixed three remote denial-of-service vulnerabilities and three historic network attacks that Symantec found in beta versions of Vista, "proving that Microsoft was making ongoing improvements to the Windows Vista network stack up until its final release. [However], it's highly likely that more will be discovered given the significant volume of new code," the company says.
In conclusion, Symantec says Vista's security improvements will continue to push attackers and malware writers away from the operating system and toward third-party applications, a trend that emerged with Windows XP Service Pack 2 (SP2). Vista users remain at risk today; the difference is that the vulnerabilities are increasingly being found in Web application technologies such as PHP, Python, Perl, ASP, and AJAX rather than in the operating system itself.
"Both enterprises and consumers will continue to face threats that Windows Vista and its built-in security features cannot protect against," Symantec says. "This is, in part, due to the slow pace at which operating systems can evolve in relation to today's ever-changing threat landscape."
RELATED STORIES
Symantec Critical of Windows Vista Security
Windows Vista: It's All About the Security