Yankee Group Gives Mixed Review of Vista Security Features
Updated: May 10, 2006
by Alex Woodie
While Windows Vista will significantly improve security in the next Microsoft operating system, it doesn't go far enough in some respects, concluded the Yankee Group in a new report. Yankee deduced Vista will eliminate up to 80 percent of critical Windows vulnerabilities, but won't stop some of the most pervasive threats, and some new features, such as controls for reducing administrative privileges, hold the possibility of annoying users to no end, a la the infamous "Clippy the Paperclip."
In his May report titled "Microsoft's Vista Won't Stop the Windows Security Aftermarket," Yankee Group security analyst Andrew Jaquith gave his take on the security features in Windows Vista, which is currently slated to ship in the first quarter of 2007.
"The new operating system will significantly improve the default security posture of Windows" and the new security features will lead to a "substantial reduction in risk for most users," Jaquith writes. "However, the Windows security problem will continue to be a permanent fact of life and Microsoft won't always be able to provide the mature enterprise management features enterprises want. As a result, third parties will always have a rich and robust aftermarket available to them to serve."
'The Most Annoying Thing Ever Invented'
Jaquith applauded several of the new security features Microsoft is building into Vista, including the new User Account Control (UAC) feature, which will reduce (but not entirely eliminate) the need for users to be logged on as the administrator, a practice that gives every program they run full privileges to alter system settings. "Implemented correctly, this feature will reduce the impact of rogue programs by limiting their default privileges to system resources," he writes.
However, UAC may not be as useful as it could be. In particular, Jaquith says the "chattiness" of UAC (at least in beta releases) could lead users to turn the function off, leaving them just as vulnerable to rogue programs as they were without UAC. Jaquith notes that one Vista tester, quoted on his blog, called UAC "probably the most annoying thing ever invented... The whole point is to not run as an administrator, but that's exactly what I'm doing to avoid being bothered by it."
Besides UAC, several security improvements caught Jaquith's eye, including running Internet Explorer 7 in protected mode by default, and the new anti-phishing feature in IE 7 that will alert users to potentially fraudulent Web sites with a color-coded scheme. This feature will use a database of illicit Web sites managed by Microsoft.
Support for Network Access Protection (NAP) in Windows Vista should also improve the overall health of all-Windows networks. NAP governs access to servers by analyzing the state of each client's security features, including how current its antivirus signatures and security patches are, and whether its firewall is enabled. But because this feature will require Windows Server, it won't have much impact until Windows Server "Longhorn" ships, which Microsoft says will be 12 months after Vista ships.
Support for Trusted Platform Module (TPM) hardware via Vista's "BitLocker" feature should also boost security by encrypting the contents of disks, and also by verifying the integrity of executables and DLLs before users log in. Network security should also be bolstered through the new "Windows Services Hardening" feature in Vista, in which the operating system takes more control over how applications can open and close TCP/IP ports.
Vista also will clamp down on applications that attempt to modify the registry by restricting unprivileged programs from writing to the disk. Other improvements will come in the form of Windows Defender, the anti-spyware package that will be bundled closer to the operating system, and outbound screening of packets in the firewall. (The firewall in Windows XP SP2 is for in-bound packets only.)
While Vista will significantly widen Microsoft's level of competition with third-party Windows security tool vendors, it won't take much of a bite out of the $3.6 billion per year market, Yankee's Jaquith says. Antivirus makes up the bulk of this market, with $2.6 billion a year in spending, and Yankee doesn't predict that Microsoft's foray into antivirus, with its Windows Live OneCare (for home users and small offices) and Client Protection (for larger businesses), will have much of an impact on this healthy market.
That's not true in some other areas. Yankee predicts Windows Defender will have a high impact on the $440 million market for anti-spyware software. Similarly, the third-party firewall business will all but shrivel up following the release of Vista, according to Yankee, which pleads with vendors (who are also its clients) to "abandon the desktop firewall market--it's not worth the fight." However, firewalls will continue to be a core part of ISVs' products, because firewalls are often bundled with intrusion prevention systems (IPS). Vista's security features won't have a whole lot to compete against IPS systems, Yankee says.
Symantec--the big dog in third-party Windows security tools--isn't fazed by Vista's security features one bit. At a Symantec conference on Monday, the company's CEO, John Thompson, threw down the gauntlet at Microsoft. "Our strategy is to out-innovate Microsoft. We know more about security than they ever will," Thompson was quoted as saying.
There is also what Yankee sees as the wild card in the Vista security forecast: the growing complexity of Windows, the inevitable arrival of security vulnerabilities, and the increase in zero-day exploits.
"The Windows vulnerability supply chain has become exceptionally streamlined and efficient in the last 12 to 18 months..." Jaquith writes. "Exploit assemblers have become expert at quickly producing mass worms and viruses in a matter of a few days--far faster than Microsoft can reasonably respond. We do not believe these malicious parties will be daunted by Vista's new security measures--if anything, they will redouble their efforts."
Microsoft made a mistake, Jaquith says, in turning down the opportunity to permanently close some of the biggest security vulnerabilities in Windows, namely its ActiveX browser controls ("despite the fact that it has already developed an ideal replacement technology--Microsoft's .NET framework"), but also its 32-bit kernel drivers (which do not require digital signing, although new 64-bit kernel drivers do), and legacy functions such as NetBIOS and the WMF printer-escape function.
In Microsoft's defense, the company faces a tough choice between clamping down on known security vulnerabilities and attack vectors, and preserving legacy compatibility. In Microsoft's case, it's close to impossible to do both at the same time, because clamping down on security and eliminating backward compatibility (the source of many security problems) would cause tens of thousands of applications that rely upon these legacy APIs and functions to stop working. If that ever happened, Microsoft might well have a user revolt on its hands. "Better to tack down the edges of security than close the tent entirely," Microsoft seems to say with its actions.
Microsoft will have a hard enough time keeping third-party programs from breaking under Windows Vista--a common problem with many operating system upgrades (the security-focused Windows XP SP2 had similar compatibility problems)--without making the problem worse by redoubling its security efforts.
Just the same, Microsoft should be doing more to stamp out compatibility concerns with Vista, Jaquith says, in particular with the new UAC feature. Microsoft's usually polished ISV enablement program has dropped the ball in getting third parties certified for UAC, he says. As a result, most software will need to be run in administrative mode for up to a year before vendors have eliminated all the bugs--thereby largely eliminating any benefit this feature can bring.
A good argument can also be made that Microsoft probably should have taken the opportunity to permanently kill ActiveX--the most glaring security liability in the entire Windows stack--and moved on to a clean slate. After all, Microsoft isn't afraid of taking a "big, bold step," as Microsoft CEO Steve Ballmer said recently. But will the new security features in Windows Vista be big and bold enough to curb the company's ongoing security woes? Only time will tell.