May 20th, 2008

Does running Vista make you feel safe from malware?

Posted by Adrian Kingsley-Hughes @ 6:34 am

Categories: Security, Software, Thoughts, Vista

Tags: Microsoft Windows Vista, Malware, UAC, UAC Prompt, Microsoft Windows Vista (Longhorn), Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Operating Systems

[UPDATE - This is a reposting of a TalkBack comment I made on Ed Bott's post "Puncturing the myth of the invulnerable OS":

Are we disagreeing?

???

I start the post by referring to the PC Tools report (at the time I had the fill press release and the attachment - so I either have to take the data on face value or call it bunk, and since I have no reason to believe that it consists of jsut a bunch of random data pulled out of the air, the report stands), go on to list the improvements Vista has over XP, express doubts over UAC prompts (and hint that they may even be conditioning people to click Allow on stuff they have no idea what it is), and conclude by saying that given the types of user that usually get infected by malware, Mac and Linux offer little in the way of sanctuary because it's user actions that are the main driver of infections nowadays and an OS can't change that.

Sounds like we're saying the same thing to me ...

You point to the fact that neither you nor Dwight Silverman have come across an infected Vista system Want to know something, neither have I, but that doesn't prove anything. Get yourself a Vista VM, browser some of the dodgier corners of the Internet and start taking people up on offers of codecs or smiley downloads or whatever and I guarantee you that you'll get hit. Yes, Vista is much more resistant to drive-by infections (which was the primary vector for infection for XP), but you can't rule out user stupidity (in fact, you can bank on it). And because Vista is a tougher nut to crack, hackers are going to be turning in increasing numbers to social engineering.

If this carried on Ed and I are going to have to sort out our differences with a Bat'Leth tournament. ;-) ] 

Another day, another report casts doubt on Vista’s immunity to malware. Do you feel safer running Vista?

“PC Tools maintain that Vista is not immune from online threats. Further research and analysis has confirmed our contention that additional third-party protection is absolutely necessary for all Windows Vista users” said Simon Clausen, Chief Executive Officer, PC Tools.

Further analysis of the latest raw data confirms that approximately 121,000 pieces of malware were detected on approximately 58,000 unique Vista machines in the ThreatFire community, and that these Vista machines had at least one piece of malware actively running on their system.

Additional investigation of the data also identifies the types of malware detected on Vista based machines -17% of all threats found on Vista machines involved in the research were Trojans, while worms accounted for 5%, spyware for 3% and viruses for 2%.

My feelings about Vista are divided. While I believe that Vista is less prone to certain kinds of attack (such as remote execution of code). The OS also plugged up a number of routes that malware used to get onto a system, for example:

• Internet Explorer is sandboxed, ActiveX controls are opt-in and there’s the phishing filter
• Windows Mail disables ActiveX and blocks executable attachments
• Windows Defender is running out of the box
• Upgraded Windows Firewall

However, despite all this I don’t subscribe to the idea that Vista is somehow invulnerable to malware. In fact, I firmly believe that one aspect of Vista actually puts people at risk - the UAC prompt. I dislike the UAC prompt for three reasons (I’m leaving out the bit where I find it annoying):

1. First, it encourages people to allow everything. Why? Because in the first few days of owning Vista users will be seeing that prompt a lot (especially if they need to install a lot of applications). Remember that Windows is designed for the masses, and these are the people who believe those “come back, we need to clean your registry,” “you are the 1,000,000th visitor to this site” and “click on the monkey to win an iPod” ads. Until we get thought-controlled PCs, clicking is probably the easiest thing for users to do.
2. UAC prompts are only a minor hurdle to malware and are easily overcome with a little social engineering. Take someone who’s gone to a website to find some game or free porn, they’ve already made their mind up that a) that site is trusted b) that they really want that download. UAC is no barrier.
3. Even if you are careful, UAC doesn’t offer enough information to the user to help them come to a reasonable conclusion as to whether it’s safe to proceed or not.
   An example - The other day my wife’s PC kicked up a UAC prompt on bootup:
   
   What’s Joe Average User going to make of that? Not much. To make matters worse I’ve seen the paths to the application concatenated, which makes the information doubly useless. And if it’s a copy/paste/move operation that triggers the UAC prompt, the information displayed is a class ID string which to anyone other than a hardcore geek is useless information.

Is Mac OS or Linux any better? Well, to be honest I’m not sure. If you took the person from the example above who had gone to a website to find some game or free porn, I think that they’d be typing in their admin password of prefixing the command with sudo just to get what they wanted to get to in the first place. The OS can only go so far to protect people from themselves, and this is why desktop antivirus solutions will remain a necessary evil for a long time to come.

Thoughts?