Windows Vista no more secure than XP: report

Raven 05-31-2007

he strength of Windows Vista's security model is easily the biggest question facing the nascent operating system. While sales will be strong simply on account of the way OEMs have adopted Vista on their midrange and high-end offerings, the place of Vista in the enterprise is not yet clear. Microsoft must demonstrate that its approach to security with Vista is indeed effective; otherwise, IT managers will see little benefit to moving to the new OS anytime soon.

Windows Vista only offers "marginal security advantages over XP" according to tests completed by CRN. "Vista remains riddled with holes, despite its multilayer security architecture and embedded security tools." The report's findings are mixed and at times a little unfair, but it does demonstrate the problems that Microsoft has to face—technical and otherwise.

The report faults Vista for "providing no improvement in virus protection vs. XP," but of course Windows Vista does not ship with antivirus software—something the reviewer fails to mention. Faulting an AV-less Vista for not stopping viruses is a bit like faulting a door without a lock for opening when the handle is twisted. Any business that is deploying Vista (or XP) without an antivirus solution is, of course, out of its mind.

What Vista does have built in is Windows Defender and User Account Control, which should both help stop forms of malware other than viruses. And CRN found that Vista does have an "edge" over XP when detecting spyware and adware. It wasn't perfect though: some malware slipped though. Here, though, we run into the issue of deciding what counts as "stopping" malware. For instance, CRN says that Vista "missed" Trojan-Spy.Win32.Goldun.ms, when in fact UAC warns a user when it is accessed (I can confirm that). CRN faults Windows Defender for not identifying and blocking the Trojan outright (it did block others), while Microsoft will tell you that UAC did its job by throwing up a warning and asking for user intervention.

In testing some remote data exploits, the reviewers were unable to determine if all of the exploits they tested actually target Vista, making their findings rather questionable. IE7 did stop one RDS exploit while missing four others that may have been only targeted at XP. Notably, XP did not stop any of the RDS exploits. Vista is better here, but the jury is out on how well it did or did not do since the reviewers were unable to determine the full threat of the exploits they were using.

Vista and XP both failed miserably at finding scripting exploits in the HTTP stream, and this remains a big problem for both operating systems. Vista failed to flag the exploits as they came down the pipe, though the firewall did detect when the exploits attempted to communicate over the 'net. This is what we've found in our testing as well (the results of which we hope to publish next month).

Hsoolien

Anyone that wants rock solid security agaisnt hacks/viruse etc is going to use a secure *nix variant anyways.

Vista and XP both suffer one major design flaw
The user

Trolas

Update

Dream

This is pretty funny. Everyone going to vista and its less secure then XP. Maybe I should hack into someone's computer running vista and see what I can see.

Raven

You couldn't be more right I don't think. People are so dumb when it comes to computers its halarious. I say dumb becuase they want to use the thing but not learn enough to protect themselves. If you couldn't use a computer unless you had a license like for driving a car do you kow how many dumb ass people wouldn't be online. Myspace would proably be a good site.

Chello

Ain't that the truth. I used to think I knew something about computers but I found out how much shit I was either being told wrong. I can't belive that shit. I musta looked like a fuccin stupid ass broad when I said things about computers. Sin thought me alot. Now instead of breaking a computer when it dies I know I can change something like a power supply and have it working again.

snakeyez85

It would help if Microsoft programmed their applications at least in a way similar to Unix. For example, the Administrator account should be locked by default and the only way a person can makechanges to the system is through "sudo"
In unix we use sudo to execute commands as the root ("Administrator") user and it asks for a password each time.
Even the registry hash is not the most secure, if anyone has been doing any searching, it's fairly easy to boot from an offline medium and connect to the registry hive to decrypt and extract password information from the harddrive. --i have not been successful at viewing, but I can replicate and replace with new passwords

Windows security is definitely an issue, but I think Microsoft should really step up and admit that they are not in the business of enterprise computing, rather they are in the business of personal computing and they need to draw on this concept a little more to build a more secure Personal operating system. ---of course, none of this goes with their business plan, and i'm sure most of you have figured out by now that every security exploit nets Microsoft a certain amount of money.

Nina

I think you can do that with Windows but the problem is that settings when most people make accounts on windows, they start bitching about can't instll things. Then when they can too much shit get messed up. Basically people want a computer but don't want to learn how to use it, if even just basics.