More than five years after the release of Windows XP, Windows Vista has arrived. The party line out of Redmond is that “Windows Vista is Microsoft’s most secure platform to date,” and you won’t find anyone at Microsoft saying otherwise. But saying it’s Microsoft’s most secure operating system isn’t saying that Windows Vista is the most secure operating system on the market today. No one can say that, I suspect, but Microsoft is really sensitive about security, saying that security is one of the main pillars that support a user’s decision to upgrade to Windows Vista. Unfortunately for most home users, the actual security features in Windows Vista Home Basic and Home Premium will amount to little more than a pillar of salt. That’s not to say home users won’t get enhanced security with Windows Vista; they will. It’s just that most of the security enhancements touted in Windows Vista don’t appear in the Home Premium and Basic editions, and what’s there, what’s not already available within windows XP, could have fit into a free Windows XP service pack instead of requiring a $200 upgrade.
The spin
I have several marketing documents from Microsoft, but I’ll refer to one entitled “Windows Vista Quick Reference Guide.” These are talking points for software reviewers regarding security, mobility, networking, deployment, and application compatibility. Under security, the document states that Windows Vista’s development followed the Microsoft’s Security Development Lifecycle. Programmers were required to take security training, strict coding standards were enforced, and throughout the cycle, rigorous testing and review of the operating system code was done. That’s the marketing spin.
Most of the security enhancements touted in Windows Vista don’t appear in the Home Premium and Basic editions, and what’s there, what’s not already available within windows XP, could have fit into a free Windows XP service pack instead of requiring a $200 upgrade.
The reality is a little different. At least one major antivirus vendor, Kaspersky, has said there will be vulnerabilities reported soon within Windows Vista. “We’re not asking whether vulnerabilities will be found, but when,” said Alexander Gostev, principal antivirus researcher for Kaspersky. Indeed, there’s already been one Vista-related vulnerability reported, one that affected earlier versions of Windows, as well. You’d think Microsoft’s Security Development Lifecycle would have caught that.
A shell game
The marketing document goes on to list a dozen bulleted security enhancements within Windows Vista, such as Enhanced Authentication Model, User Account Control (UAC), BitLocker Drive Encryption, Encrypting File System (EFS), Protected Mode for IE 7, Windows Defender, Windows Firewall, Enhanced Firewall Management, Group Policy for Device Lockdown, Address Space Layout Randomization (ASLR), Kernel Patch Protection, and Network Access Protection. That’s 12 enhancements that sound really thorough, if you get them.
However, because there are six different editions of Windows Vista, with varying features in each, only the people who purchase the $400 Ultimate edition or have access to the Enterprise edition (for volume-license customers only) will see all 12 features; for $200, home users will see fewer than half. I spoke with Pete McKiernan, a senior product manager for Windows at Microsoft, who said that BitLocker hard drive encryption wasn’t included in the Home editions because Microsoft feared home users would lock themselves out of their systems. He agreed that another feature, Device Lockdown, required a group policy, and therefore wouldn’t be in the Home edition, nor would Network Access Protection, Enhanced Authentication Model, or Encrypting File System (EFS). That’s 5 out of 12 security enhancements that you won’t find in the Home editions of Windows Vista.
I wouldn’t have minded a Windows XP service pack offering just ASLR. But Microsoft wants me to pay $200 for security features I don’t use or need just to get the one feature I truly do need.
Pete did say that all 64-bit editions of Windows Vista include Kernel Patch Protection, but I told him that most home users are running the 32-bit editions. It remains to be seen whether the 64-bit PatchGuard, also known as Kernel Patch Protection, works as advertised. At last summer’s Black Hat Briefings in Las Vegas, researcher Joanna Rutkowska hacked Windows Vista’s PatchGuard before a live audience that included several Microsoft employees who had also presented at the conference. If we include PatchGuard, that makes half of the security enhancements in Windows Vista that won’t be on your home system.
What you get
So what do you get with Home Premium and Home Basic? You get Address Space Layout Randomization (ASLR), which protects against return-to-libc attacks, where an attacker uses exploit code to call a system function. ASLR randomizes the function entry points for common system calls, so on a typical 32-bit Windows Vista machine, an attacker stands a 1-in-256 chance of getting the address right, which should slow down an attacker. And home users will get not one but two firewall consoles within Windows Vista (why Microsoft couldn’t reconcile them, I don’t know), but you still won’t get full outbound protection within the Microsoft Firewall without some serious configuration. The new Windows Firewall with Advanced Security on Local Computer console provides different profiles for Domain Policy (corporate networks), Private Profile (home networks), and Public Profile (Wi-Fi hot spots), but the language offered is all legalese at best: “Inbound connections that do not match a rule are not blocked” (the double negative is Microsoft’s, not mine) and “Outbound connections that do not match a rule are allowed.” Basically, all inbound data from the Internet is allowed (as it should be) except where a rule exists; outbound data from your computer is also allowed (as it should not be) “except where excepted”–one of my all-time favorite Microsoft-issued statements. The difference here is that unless you create specific rules to block outbound data–say, from spyware or rogue apps–you won’t have true two-way firewall protection with the Microsoft Firewall. The reality is that most people will never tweak these settings and therefore won’t be as well protected as they would be with the free edition of ZoneAlarm, a true two-way firewall.
User Account Control (UAC)
Perhaps the most visible security change within Windows Vista is User Account Control (UAC), a dialog box that appears whenever system settings might be changed. I agree with McKiernan that UAC is a step forward in security, but I disagree with its final implementation. If you are a standard user, using a second account on someone else’s computer, you will need at administrator’s password in order to perform certain system functions. An annoyance, but that’s real security.
If you are the only one using your Home edition of Windows Vista, logically, you should be running the administrator account. But as a solo account user (administrator) within Windows Vista, you are actually running as a standard user until UAC flags you, only then do you escalate to administrator privileges. Unfortunately, Microsoft made it so that administrators need only hit Enter to access escalated privileges, no password required. McKiernan says Microsoft did that because it assumes administrators know how to respond to UAC messages, but I pointed out that other operating systems require even solo account users to enter a password before making system changes. And how long will it be until some malware prompts a UAC message, knowing the Windows Vista account user will just bat it away with a click of the Enter key?
The IE 7 features
Perhaps the biggest improvement over Windows XP is that Windows Vista places Internet Explorer 7 ActiveX processes into a sandbox. The sandbox allows the ActiveX component to run while you are using IE 7 and terminates it when you close IE. But you get even better security if you don’t use Internet Explorer and use Firefox 2 or Opera 9 instead. Microsoft could have provided this sandboxing feature for free within Internet Explorer 7 for Windows XP, but the company withheld it, wanting to give Windows Vista users some value for their $200.
And I’ve seen it spun that Windows Vista includes built-in antiphishing protection. But Internet Explorer 7 for Windows XP–and for that matter Firefox 2–also blocks phishing sites. Unfortunately, neither browser performs as well as the stand-alone antiphishing toolbar from Netcraft or the antiphishing technologies from Symantec and McAfee. And Windows Vista ships with Windows Defender, but Windows XP SP2 already has Windows Defender, and I don’t use it. In testing done last spring by CNET Download.com, Windows Defender missed some of the test spyware, finishing well behind other antispyware programs on the market today.
Nothing to see here, move along
Other security enhancements I see on my Windows Vista Home Premium machine are truly minor. One blocks double extensions in e-mail attachments, a common trick used by criminal hackers. But a Sophos study found that this e-mail security exists only if you use the new Windows Mail e-mail client–think Outlook Express with a prettier name. Most people won’t use Windows Mail; they’ll use their Web-based client before adopting Windows Mail.
Out of the 12 security enhancements within Windows Vista, only ASLR is notable; my decision on the value of UAC is mixed; and even within Windows XP SP2, I don’t use IE 7, Windows Defender, or the Windows Firewall, so these are unnecessary. Given that Windows XP SP2 was a beast of a service pack to install, I wouldn’t have minded a Windows XP service pack offering just ASLR. But Microsoft wants me to pay $200 for security features I don’t use or need just to get the one that I truly need. I’m going to wait until Windows Vista Service Pack 1, code-named Fiji, is released, sometime before the end of the year. Maybe then the security enhancements within the Home editions of Windows Vista SP1 will be worth the $200.